Privacy Policy
Last Updated: July 12, 2026
1. Introduction
This Privacy Policy describes how indiefol.io ("we", "us", or "our") collects, uses, stores, and protects your personal information when you use our Service.
We are a sole proprietorship registered in Hungary, committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR), Hungarian data protection laws, and other applicable privacy regulations.
2. Data Controller Information
- Business Type: Sole Proprietorship
- Country: Hungary
- Contact Email: hello@usegrand.app
- Website: https://indiefol.io
3. Information We Collect
3.1 Account Information
When you create an account, we collect:
- Email address — for account identification, authentication, and communication
- Full name — for personalisation and invoicing
- Password — securely hashed using bcrypt (never stored as plain text)
- Account role, status, registration date, chosen username, and public-page settings
3.2 Billing and Payment Information
We collect:
- Billing address (street, city, state, postal code, country)
- Payment and subscription data including amount, currency, billing interval, status, trial period, and transaction IDs processed by Stripe
- Stripe identifiers, including checkout session, customer, subscription, payment intent, price, and invoice IDs
- Billingo partner ID for invoice generation
We do NOT store your credit card details. All payment card information is processed and stored securely by Stripe, our PCI-DSS compliant payment processor.
3.3 Content Data
We store the content you create using the Service. Content on a profile you enable for publication is publicly accessible, including:
- Profile details such as username, bio, avatar, social links, goals, technology stack, theme, and publication status
- App and game listings, descriptions, icons, links, status, platforms, genre, audience figures, and revenue metrics
- Milestones, custom links, follower relationships, and ordering preferences
- Integration credentials and identifiers you provide, plus metrics and last-sync timestamps returned by connected services
- Creation and update timestamps and other operational metadata
3.4 Usage and Technical Data
We automatically collect:
- Authentication tokens stored in secure, HTTP-only cookies
- A randomly generated visitor identifier stored in a one-year, HTTP-only cookie when someone visits a public profile
- Public-profile page views, daily unique visitors, and outbound link clicks, excluding the profile owner's own activity
- Website analytics and performance data, including visited URL and path, referrer, outbound links, engagement and scroll data, viewport size, browser, device, operating system, country, and Core Web Vitals
We do not use this information for targeted advertising, sell it to data brokers, or track your browsing activity after you leave our Service.
3.5 Email Communication Data
Your email address is processed to send:
- Transactional emails, including password resets, welcome and account-created messages, and refund confirmations
- Invoices via Billingo
- Customer support responses
4. How We Use Your Information
4.1 Service Provision
- Account creation and maintenance
- Identity authentication and account security
- Storing, publishing, and syncing your profile, apps, games, milestones, links, and metrics
- Providing discovery, following, leaderboards, themes, and built-in public-profile analytics
- Providing technical support
4.2 Payment Processing
- Processing subscriptions, trials, renewals, and one-time payments through Stripe
- Generating electronic invoices through Billingo for Hungarian tax compliance
- Handling refunds
- Applying discount codes
- Maintaining payment records for accounting and taxes
4.3 Communication
- Password reset emails with time-limited tokens
- Welcome emails
- Refund confirmations
- Invoices and receipts
- Responses to support inquiries
4.4 Security and Fraud Prevention
- Protecting authentication, billing, and administrative functions
- Fraudulent transaction detection and prevention
- Validating payment webhooks and connected-service credentials
- Enforcing password requirements (8+ chars, mixed case, numbers, special characters)
4.5 Legal Compliance
- Complying with GDPR, Hungarian, and EU data protection laws
- Meeting Hungarian tax and invoicing regulations
- Responding to legal requests and court orders
- Enforcing our Terms of Service
5. Legal Basis for Processing (GDPR)
We process your data under the following legal bases:
- Contract Performance: Creating your account, providing your plan, publishing content at your request, syncing enabled integrations, and processing billing
- Legal Obligation: Tax compliance, invoice generation, and fraud prevention mandated by law
- Legitimate Interest: Security, fraud detection, service operation and improvement, product analytics, and aggregate public-profile analytics
- Consent: Explicit user approval for specific processing activities
6. Data Sharing and Third-Party Services
Stripe (Payments and Optional Metrics)
- Data shared: Name, email, billing address, payment and subscription details; when you connect Stripe, credentials and requests needed to retrieve revenue, subscription, charge, and customer counts
- Purpose: Checkout, subscriptions, trials, refunds, fraud screening, and optional product-metric syncing
- Role: Independent controller for payment data and service provider for relevant platform functions, subject to Stripe's terms and privacy documentation
- Privacy Policy: https://stripe.com/privacy
Billingo (Invoice Generation)
- Data shared: Name, email, billing address, payment amount
- Purpose: Electronic invoice generation for Hungarian tax compliance
- Location: Hungary
- Privacy Policy: https://www.billingo.hu/adatkezelesi-tajekoztato
Resend (Email Delivery)
- Data shared: Email address, name, and the content required for each transactional message
- Purpose: Transactional email delivery
- Location: Processing may occur outside the EEA under applicable transfer safeguards
- Privacy Policy: https://resend.com/legal/privacy-policy
MongoDB Atlas and Vercel (Infrastructure)
- Data shared: Account and portfolio content, integration settings, billing records, analytics records, and technical request data needed to host and operate the Service
- Purpose: Database storage, application hosting, content delivery, logging, security, and performance monitoring
- Location: Processing location depends on our infrastructure configuration and each provider's subprocessors
- Privacy Policies: https://www.mongodb.com/legal/privacy-policy and https://vercel.com/legal/privacy-notice
Integrations and Analytics Providers
- Providers: Lemon Squeezy, GitHub, Product Hunt, X/Twitter, Apple App Store, Google Play, Chrome Web Store, npm, PyPI Stats, SaaS Analytics, and Vercel Speed Insights
- Data shared: Profile URLs, product or package identifiers, API credentials where required, sync requests, website URLs and paths, referrers, outbound links, engagement, viewport, device, browser, country, and performance data
- Purpose: User-requested metric syncing, website usage analytics, and performance measurement
- Provider terms: Your use of optional integrations and the providers' handling of data are also subject to their respective terms and privacy policies
We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.
7. Data Retention
7.1 Active Accounts
We retain account and portfolio data while your account remains active or as needed to provide the Service. Cancelling a subscription does not automatically delete your account or public content; you may separately request account deletion.
7.2 Deleted Content
Content you remove may remain temporarily in backups, logs, or operational records before being overwritten or deleted under our normal retention processes.
7.3 Closed Accounts
Following a valid account-deletion request, we delete or anonymise personal data that is no longer required to provide the Service. Some information may remain in backups or be retained for legal, accounting, fraud-prevention, dispute, and security purposes. Aggregated or anonymised analytics may be retained.
7.4 Legal Retention Requirements
- Payment and invoice records: retained for 8 years (Hungarian tax law requirement)
- Fraud prevention records: retained as necessary to prevent future fraudulent activity
8. Cookies and Tracking Technologies
8.1 Authentication Cookie
- Name: auth_token (configurable)
- Purpose: Storing JWT authentication token
- Type: Strictly necessary
- Security: HttpOnly: Yes, Secure: Yes in production, SameSite: Lax
8.2 Browser Storage
Browser sessionStorage stores temporary purchase-flow information and navigation state; purchase intent is treated as valid for five minutes and sessionStorage is normally cleared when the tab closes. localStorage stores your selected display theme. The app reads these values to resume the relevant flow or apply your theme.
8.3 Analytics and Visitor Measurement
Our public-profile analytics use the indiefolio_visitor_id cookie to count daily unique visitors, page views, and outbound link clicks for profile owners. The identifier is random, is not tied to an indiefol.io account, and lasts up to one year. SaaS Analytics measures visits, URLs and query paths, referrers, outbound links, engagement time, scroll depth, viewport width, and configured events. Vercel Speed Insights records anonymous device and Core Web Vitals data for performance monitoring.
8.4 What We DON'T Use
- Advertising or marketing cookies for targeted ads
- Social media tracking pixels for advertising
- Cross-site tracking for ad networks
- Behavioural advertising networks
- Data brokers
9. Data Security
9.1 Encryption
- Data in transit: HTTPS/TLS encryption
- Data at rest: database encryption provided by MongoDB Atlas
- Passwords: hashed with bcrypt (10+ salt rounds, irreversible)
9.2 Access Controls
- Role-based access control (user/admin)
- JWT-based authentication with secure, HTTP-only cookies
- Authorization checks on account, billing, integration, and administrative operations
- Password reset tokens expiring after 1 hour
- Temporary purchase intent state treated as valid for 5 minutes
9.3 Infrastructure Security
- Secure MongoDB Atlas database hosting
- Application hosting and delivery via Vercel
- PCI-DSS compliant Stripe payment processing
- Regular security updates and patches
9.4 Fraud Prevention
- Stripe fraud detection and prevention
- Authentication controls against unauthorized access
- Webhook signature verification
- Account monitoring for suspicious activity
While we implement strong security measures, no system is 100% secure. You are responsible for maintaining the confidentiality of your password and reporting any unauthorized access immediately.
10. Your Rights Under GDPR
Right to Access: Request a copy of all personal data we hold about you.
Right to Rectification: Update your account information at any time through your account settings or by contacting us.
Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention requirements.
Right to Data Portability: Request an export of your personal data by contacting us.
Right to Restrict Processing: Request that we limit how we use your data under certain circumstances.
Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent: Withdraw consent at any time where processing is based on your consent.
Right to Lodge a Complaint: File a complaint with your local data protection authority.
To exercise your rights, please contact us at hello@usegrand.app. We will respond to your request within 30 days as required by GDPR.
11. International Data Transfers
We are based in Hungary (EU), but some of our service providers are located outside the EU. All international transfers comply with GDPR through Standard Contractual Clauses approved by the European Commission, adequacy decisions, and data processing agreements with GDPR compliance guarantees.
- Stripe, Resend, MongoDB, Vercel, and enabled integration providers may process relevant data outside the EEA
- Where required, transfers rely on an adequacy decision, Standard Contractual Clauses, or another lawful transfer mechanism
12. Children's Privacy
Our Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@usegrand.app immediately and we will delete that information.
13. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Notify affected users without undue delay if the breach poses a high risk
- Provide information about the nature of the breach and steps taken
- Take immediate steps to contain and remediate the breach
14. Automated Decision-Making
We do NOT use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Automated processes we use are limited to: Stripe's automated fraud screening, security controls, public-page visitor counting, and automatic website usage and performance measurement.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal reasons. When we make changes we will:
- Update the "Last Updated" date at the top of this page
- Notify you of material changes via email or through the Service
- Provide a prominent notice on our website
- Seek renewed consent where required for significant changes
Your continued use of the Service after changes indicates your acceptance of the updated Privacy Policy.
16. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
- Email: hello@usegrand.app
- Website: https://indiefol.io
- Data Controller: indiefol.io (sole proprietorship, Hungary)
We will respond to your inquiry within 30 days as required by GDPR.