Privacy Policy

1. Who We Are

IndieRay (“we,” “us,” “our”) is an AI-powered research and content creation platform operated by [Your Company Name Pvt. Ltd.], a company incorporated under the laws of India with its registered office at [Registered Address]. This Privacy Policy explains how we collect, use, store, disclose, and otherwise process personal data when you access or use IndieRay’s website, applications, and related services (collectively, the “Service”). By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, you should discontinue use of the Service.

2. Information We Collect

We collect the following categories of information in connection with your use of the Service:

2.1 Account Information. When you create an account, our authentication provider (Clerk) collects and transmits to us your name, email address, profile photograph, and phone number (if voluntarily provided). If you authenticate via a third-party OAuth provider such as Google, we receive the basic profile information that provider makes available pursuant to its own terms.

2.2 User-Generated Content. This includes, without limitation, projects, scripts, chat conversations and messages, research queries and results, uploaded documents (including but not limited to PDF, DOCX, and XLSX files), images, audio files, and canvas drawings. All user-generated content is stored on our infrastructure to enable the continued provision of the Service.

2.3 Payment Information. Payments are processed exclusively through Razorpay. We store order identifiers, plan type, payment status, and transaction amounts. We do not store, process, or have access to your credit card number, CVV, UPI PIN, or net banking credentials at any time. Razorpay is PCI-DSS Level 1 compliant.

2.4 Usage and Credit Data. We maintain records of your AI credit consumption, including token counts, feature-level attribution, and timestamps. This data is associated with your account identifier.

2.5 Contact Form Submissions. If you submit an inquiry through our contact page, we collect your name, email address, self-identified role (e.g., writer, agency, enterprise), and message body. Such submissions are stored in our database for the purpose of responding to your inquiry and are not used for marketing purposes.

2.6 Collaboration Data. When you share a project with another user, we store the email address of the recipient and the permission level you have designated (e.g., view, edit).

2.7 Analytics and Performance Data. We use Vercel Analytics and Vercel Speed Insights to collect anonymized, aggregate data regarding page views and web performance metrics (Web Vitals). These tools do not collect personally identifiable information, do not track IP addresses, and do not engage in behavioural profiling. We do not deploy Google Analytics, Facebook Pixel, or any advertising or retargeting technologies.

3. Artificial Intelligence and Content Processing

When you use AI-powered features of the Service — including but not limited to the chat assistant, script generation, research functionality, document analysis, and canvas — the content you provide is transmitted to Google’s Gemini API (“Gemini”) for processing. This transmission is necessary for the AI features to function. The following terms apply to such processing:

• Your prompts, uploaded documents, research queries, and associated context are transmitted to Google’s servers to generate AI responses.
• Google’s API usage policies govern the processing of data transmitted via Gemini. Under their current paid API terms, data submitted through the API is not used to train Google’s foundation models.
• We do not sell, license, sublicense, or otherwise make available your content to any third party for the purpose of AI model training.
• Users should exercise discretion when submitting confidential, proprietary, or sensitive information through AI features. IndieRay does not assume liability for the processing of such data by third-party AI providers beyond the terms of our contractual arrangements with them.

4. Third-Party Service Providers

We engage the following third-party service providers (each a “Sub-processor”) in connection with the operation of the Service. Each Sub-processor receives only the minimum data necessary to perform its designated function:

• Clerk — authentication, identity management, session management, and secure credential storage.
• Supabase — managed PostgreSQL database hosting for user content, project data, account profiles, and application state.
• Google Gemini — AI inference and content generation as described in Section 3 above.
• Razorpay — payment processing, including credit/debit card, UPI, and net banking transactions. PCI-DSS Level 1 certified.
• Vercel — application hosting, content delivery, anonymized analytics, and web performance monitoring.
• Apify — web content retrieval from publicly accessible URLs provided by users during research operations.

Each Sub-processor operates under its own privacy policy and terms of service. We encourage you to review the privacy practices of each provider. We are not responsible for the data handling practices of third-party Sub-processors beyond what is stipulated in our contractual agreements with them.

5. Cookies and Similar Technologies

Our use of cookies is limited to the following:

• Authentication Cookies. Essential cookies set by our authentication infrastructure to maintain your session state across requests. These cookies are strictly necessary for the functioning of the Service and cannot be disabled.
• UI Preference Cookies. A single cookie used to persist your sidebar display preference (open or collapsed). This cookie serves no tracking purpose.

We do not deploy advertising cookies, retargeting pixels, browser fingerprinting techniques, or any form of cross-site tracking technology. No third-party advertising networks have access to data collected through the Service.

6. Data Security

We implement reasonable technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption of all data in transit using HTTPS/TLS protocols.
• Delegated authentication through Clerk, which manages password hashing (bcrypt), session token issuance and rotation, and optional multi-factor authentication.
• Row-level security (RLS) policies enforced at the database layer, ensuring that API requests can only access data belonging to the authenticated user.
• PCI-DSS Level 1 compliant payment processing through Razorpay, with no card data transmitted to or stored on our servers.
• Cryptographic verification of inbound webhook payloads (via HMAC-SHA256 signature validation) prior to processing.

Notwithstanding the foregoing, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and we disclaim liability for any breach resulting from circumstances beyond our reasonable control. If you discover a security vulnerability, please report it immediately to hello@indieray.com.

7. Data Retention

We retain personal data for as long as is necessary to fulfil the purposes described in this Privacy Policy or as required by applicable law. Specific retention periods are as follows:

• Account and Content Data. Retained for the duration of your active account. Upon account deletion, personal data and user-generated content will be purged within thirty (30) calendar days, except where retention is mandated by applicable law (e.g., financial record-keeping obligations).
• Payment and Transaction Records. Retained for a minimum period of eight (8) years in compliance with the Indian Income Tax Act, 1961, the Companies Act, 2013, and applicable GST regulations.
• Contact Form Submissions. Retained for a period not exceeding two (2) years from the date of submission.
• Analytics Data. Aggregated and anonymized by Vercel at the point of collection. We do not independently retain any personally identifiable analytics data.

You may request early deletion of your data by contacting us at the address specified in Section 12, subject to applicable legal retention requirements.

8. Your Rights

Depending on your jurisdiction of residence, you may be entitled to certain rights with respect to your personal data:

8.1 Universal Rights. Regardless of your location, you may (a) request access to the personal data we hold about you, (b) request rectification of inaccurate data, (c) request deletion of your personal data and account, and (d) request a portable copy of your data in a machine-readable format.

8.2 European Union / European Economic Area (GDPR). If you are located in the EU or EEA, you additionally have the right to: (a) restrict or object to the processing of your personal data on grounds relating to your particular situation; (b) withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out prior to withdrawal; and (c) lodge a complaint with your competent supervisory authority. Our lawful bases for processing are: (i) performance of a contract (Article 6(1)(b) GDPR) — to provide the Service you have signed up for; and (ii) legitimate interests (Article 6(1)(f) GDPR) — for analytics, security, and fraud prevention, balanced against your fundamental rights.

8.3 California (CCPA / CPRA). If you are a California resident, you have the right to: (a) know the categories and specific pieces of personal information collected about you and the purposes for which such information is used; (b) request deletion of your personal information; (c) opt out of the sale or sharing of your personal information — we hereby confirm that we do not sell, and have never sold, the personal information of our users; and (d) be free from discrimination for exercising any of the foregoing rights.

8.4 India (Digital Personal Data Protection Act, 2023). Under the DPDP Act, you have the right to: (a) obtain confirmation as to whether your personal data is being processed and access a summary thereof; (b) request correction of inaccurate or misleading data and erasure of data that is no longer necessary for the purpose for which it was collected; (c) nominate an individual to exercise your rights in the event of your death or incapacity; and (d) file a grievance with the Data Protection Board of India in the event of non-redressal of your complaint by us.

To exercise any of the foregoing rights, please submit a written request to hello@indieray.com. We will endeavour to respond within thirty (30) calendar days of receipt. We reserve the right to verify your identity prior to processing any request in order to prevent unauthorized access to personal data.

9. Children’s Privacy

The Service is not directed at, and is not intended to be used by, individuals under the age of thirteen (13). We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will take prompt steps to delete such data from our systems. If you are a parent or legal guardian and believe your child has provided personal data to us, please contact us at the address set forth in Section 12. Users between the ages of 13 and 18 are advised to use the Service with the knowledge and consent of a parent or guardian.

10. International Data Transfers

IndieRay is operated from India. However, certain Sub-processors engaged by us — including Clerk, Supabase, Vercel, and Google — maintain infrastructure in the United States and other jurisdictions. As a result, your personal data may be transferred to, stored in, and processed in countries other than your country of residence, including countries that may not provide the same level of data protection as your home jurisdiction. Where such transfers occur, we ensure that our Sub-processors maintain appropriate technical and organisational safeguards and are bound by contractual obligations consistent with applicable data protection legislation. For users located in the EU/EEA, cross-border transfers are carried out pursuant to Standard Contractual Clauses (SCCs) adopted by the European Commission, or equivalent transfer mechanisms as required under the GDPR.

11. Amendments to This Policy

We reserve the right to modify this Privacy Policy at any time. In the event of material changes — including but not limited to changes in the categories of data collected, the introduction of new Sub-processors, or modifications to the purposes of processing — we will update the “Last updated” date at the top of this page. Where material changes substantively affect your rights or obligations, we will use reasonable efforts to notify you via email or through the Service prior to the changes taking effect. Your continued use of the Service following the posting of any revised Privacy Policy constitutes your acceptance of the terms thereof. We encourage you to review this page periodically.

12. Contact Information

For any questions, concerns, or requests relating to this Privacy Policy or our data processing practices, please contact us at:

[Your Company Name Pvt. Ltd.]

[Registered Address], India

Email: hello@indieray.com

Web: indieray.com/contact

We will endeavour to acknowledge and respond to all privacy-related inquiries within thirty (30) calendar days of receipt.