Privacy Policy

1. Introduction

Indiex ("we", "our", "us") operates a platform that tracks and displays metrics for indie software products. Our mission is to create transparency in the indie SaaS ecosystem by providing verified, real-time data about product performance.

This Privacy Policy applies to all users of indiex.co and explains how we collect, use, store, and protect your information.

2. Types of Data We Display

It's important to understand the difference between verified data and estimated data on our platform:

Verified Data (Stripe Connected)

When a founder connects their Stripe account, we display real, verified metrics pulled directly from Stripe's API. These products display a "✓ Verified" badge. The data shown is accurate and updated regularly.

Estimated Data (Non-Verified Products)

For products that haven't connected Stripe, any revenue figures displayed are estimates only. These estimates may be based on:

• Publicly available information (Open Startup pages, public tweets, interviews)
• Industry benchmarks and comparable products
• Information submitted by founders (self-reported, unverified)

Estimated data should not be relied upon for investment or business decisions. We display estimated figures with a "~" prefix to indicate they are approximations. Only products with the "✓ Verified" badge have confirmed, real-time revenue data.

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

• Email address — Required for authentication and notifications
• Name — Optional, for display on your profile
• Twitter/X handle — Optional, to link your social presence
• Avatar/Profile photo — Optional, uploaded by you
• Bio — Optional, a short description about yourself

3.2 Product Information

When you submit or claim a product, we collect:

• Product name and ticker symbol
• Website URL
• Product description and tagline
• Logo image
• Sector/category classification
• Founder Twitter handle (for attribution)

3.3 Stripe Data — What We Access and What We Don't

When you connect your Stripe account for verification, we use Stripe's OAuth flow with read-only permissions. Here's exactly what we can and cannot access:

Your Stripe API connection uses OAuth 2.0 with the minimum required scopes. You can disconnect your Stripe account at any time from your Settings page, and we will immediately stop accessing your data.

3.4 Verification Data

When claiming a product, we may collect:

• Email domain verification — We send a 6-digit code to your company email (e.g., you@yourproduct.com) to verify ownership
• Meta tag verification — We check for a verification tag on your website's HTML

Verification codes expire after 10 minutes and are deleted after successful verification.

3.5 Usage Analytics

We use privacy-focused analytics to understand how people use our platform. Our analytics:

• Does not use cookies for tracking
• Does not collect personal information
• Does not track users across websites
• Is GDPR compliant by design

We collect aggregate data like page views, referral sources, and device types to improve the platform.

4. How We Use Your Information

• Display product profiles — Show your product information and metrics publicly on your product page
• Calculate index rankings — Use MRR, growth rates, and upvotes to rank products in our indices (BOOT-100, AI-INDEX, etc.)
• Verify ownership — Confirm you own a product before granting edit access
• Send notifications — Email you verification codes, important updates, or (with consent) newsletters
• Prevent fraud — Detect and prevent fake accounts or manipulation of rankings
• Improve the platform — Analyze usage patterns to build better features

5. What Information Is Public

By listing a product on Indiex, the following information becomes publicly visible:

• Product name, ticker, description, and logo
• Website URL
• Sector classification
• Revenue metrics (MRR, total revenue) — if you choose to connect Stripe
• Upvote count
• Founder's Twitter handle (if provided)
• Position in index rankings

Your email address is never displayed publicly.

6. Data Retention

• Account data — Retained until you delete your account
• Product data — Retained until you delete the product or request removal
• Revenue metrics — Historical data is retained to show growth charts; real-time data is refreshed periodically from Stripe
• Verification codes — Deleted after 10 minutes or successful verification
• Analytics data — Aggregated and anonymized, retained indefinitely for trend analysis

7. Data Sharing

We do not sell your personal information. Ever.

We may share data in these limited circumstances:

• Service providers — Third parties that help us operate (see Section 9). They only access data necessary for their function and are bound by confidentiality agreements.
• Legal requirements — If required by law, court order, or government request
• Business transfer — If Indiex is acquired or merged, user data may be transferred (you would be notified)

8. Your Rights and Choices

You have the right to:

• Access your data — Request a copy of all data we have about you
• Correct inaccuracies — Update your profile or product information anytime
• Delete your account — Remove your account and all associated data
• Delete your product — Remove a product listing you own
• Disconnect Stripe — Revoke our access to your Stripe data at any time
• Opt out of emails — Unsubscribe from non-essential communications
• Data portability — Export your data in a machine-readable format

To exercise these rights, visit your Settings page or contact us at hello@indiex.co

9. Third-Party Services

We use the following third-party services to operate Indiex:

• Supabase — Database hosting and user authentication (data stored in secure cloud infrastructure)
• Stripe — Revenue verification via OAuth (read-only access to aggregate metrics)

Each service has its own privacy policy. We select services that prioritize security and privacy.

10. Data Security

We implement industry-standard security measures including:

• HTTPS encryption for all data in transit
• Encrypted database storage
• Secure OAuth flows for Stripe integration (we never see or store your Stripe password)
• Regular security audits
• Access controls limiting who can view sensitive data

While we take security seriously, no system is 100% secure. If you discover a security vulnerability, please report it to hello@indiex.co

11. Cookies

We use minimal cookies:

• Authentication cookies — Essential for keeping you logged in
• Session cookies — Required for the platform to function

We do not use advertising cookies or tracking pixels. Our analytics are cookieless.

12. International Users

Indiex operates globally. By using our platform, you consent to your data being transferred to and processed in the United States and other countries where our service providers operate.

For EU users: We process data under legitimate interest for providing our services. You have additional rights under GDPR including the right to lodge a complaint with your local data protection authority.

13. Children's Privacy

Indiex is not intended for users under 18 years old. We do not knowingly collect data from children. If you believe a child has provided us with personal information, please contact us.

14. Changes to This Policy

We may update this policy as our practices evolve. For significant changes, we will:

• Update the "Last updated" date at the top
• Post a notice on our platform
• Email users if changes affect how we handle sensitive data (like Stripe information)

Continued use of Indiex after changes constitutes acceptance of the updated policy.

15. Contact Us

Questions, concerns, or requests about your privacy? We're here to help.

Email: hello@indiex.co

We aim to respond to all privacy-related inquiries within 48 hours.