Privacy Policy

1. Personal Information We Collect

1.1 Information You Provide

• Account & Profile Data. When you create an account, our authentication provider (Clerk) collects and transmits to us your name, email address, profile photograph, and phone number (if voluntarily provided). If you authenticate via a third-party OAuth provider such as Google, we receive the basic profile information that provider makes available.
• Payment Data. Payments are processed exclusively through Razorpay (PCI-DSS Level 1 certified). We store order identifiers, plan type, payment status, and transaction amounts. We do not store, process, or have access to your credit card number, CVV, UPI PIN, or net banking credentials at any time.
• Communication Data. Support messages, feedback, and contact form submissions (name, email, role, and message body). These are used solely to respond to your inquiry and are not used for marketing.
• User Inputs. Scripts, prompts, reference materials, uploaded documents (PDF, DOCX, XLSX), images, audio files, canvas drawings, chat conversations, and research queries that you submit for AI processing. All user-generated content is stored on our infrastructure to enable the continued provision of the Services.
• Survey & Research Responses. If you voluntarily participate in surveys or research, we collect the information you provide.

1.2 Automatically Collected Information

• Device & Technical Data. IP address, device type, operating system, browser type and version, and screen resolution.
• Usage Data. Pages visited, session duration, features used, AI credit consumption (token counts and feature-level attribution), and timestamps.
• Cookie & Tracking Data. See Section 4 below for details on our limited use of cookies.

1.3 Information from Third-Party Sources

• Social Login Providers. Google OAuth profile data (name, email, profile picture) when you choose to sign in with Google.
• Payment Processor. Razorpay transmits transaction status and order metadata to us.
• Analytics Providers. Vercel Analytics and Vercel Speed Insights provide anonymized, aggregate page view and web performance data. These tools do not collect personally identifiable information and do not engage in behavioural profiling.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Delivering the Services. Providing, maintaining, and improving the Platform, including processing your AI requests and returning outputs.
• Personalisation. Customising your experience based on your preferences, usage patterns, and project history.
• AI & ML Improvement. Anonymised usage patterns (feature usage frequency, general interaction patterns) may be used to improve the Platform and our AI pipelines. Your private scripts, prompts, and uploaded documents are NOT used for model training without your explicit, informed consent.
• Communications. Sending you service-related notifications (account alerts, billing confirmations, security notices, feature updates).
• Marketing. With your consent, sending promotional communications. You can opt out at any time via the unsubscribe link in any marketing email.
• Enforcing Terms of Service. Detecting, investigating, and preventing violations of our Terms of Service.
• Fraud Detection & Security. Protecting the Platform and our users from unauthorised access, abuse, and fraud.
• Legal Compliance. Fulfilling our obligations under applicable laws and regulations.
• Aggregated Analytics. Creating de-identified and aggregated data sets that cannot reasonably be used to identify you.

3. How We Share Your Information

We share your information only in the following circumstances:

• Service Providers. We engage third-party providers to help operate the Platform. Each receives only the minimum data necessary:
  • Clerk — authentication, identity management, and session management.
  • Supabase — managed PostgreSQL database hosting for user content and application state.
  • Vercel — application hosting, content delivery, and anonymized analytics.
  • Razorpay — payment processing (PCI-DSS Level 1 certified).
  • Google Cloud Platform — file storage (images, media assets).
  • ScrapeCreators — web content retrieval from publicly accessible URLs during research.
• AI Model Providers. When you use AI features, your prompts and inputs are transmitted to third-party LLM providers (currently Google Gemini and Anthropic Claude) for inference. Under current paid API terms, these providers do not use your data to train their foundation models.
• Legal Obligations. We may disclose your information if required to do so by law, court order, subpoena, or regulatory request.
• Business Transfers. In the event of a merger, acquisition, reorganisation, or sale of assets, your data may be transferred to the successor entity. We will notify you before your data becomes subject to a different privacy policy.
• With Your Consent. Any sharing not covered by the scenarios above requires your explicit consent.

4. Cookies and Similar Technologies

Our use of cookies is limited to what is strictly necessary:

• Authentication Cookies. Essential cookies set by Clerk to maintain your session state across requests. These are strictly necessary for the Platform to function and cannot be disabled.
• UI Preference Cookies. A single cookie used to persist your sidebar display preference (open or collapsed). This serves no tracking purpose.

We do not deploy advertising cookies, retargeting pixels, browser fingerprinting, or any form of cross-site tracking technology. No third-party advertising networks have access to data collected through the Services.

5. Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this Privacy Policy or as required by applicable law:

• Account & Content Data. Retained for the duration of your active account. Upon account deletion, personal data and user-generated content will be purged within thirty (30) calendar days, except where retention is mandated by applicable law.
• AI Inputs & Outputs. Retained for the duration of your active account to enable project continuity. Upon account deletion, these are purged along with your other content data.
• Payment & Transaction Records. Retained for a minimum period of eight (8) years in compliance with the Indian Income Tax Act, 1961, the Companies Act, 2013, and applicable GST regulations.
• Contact Form Submissions. Retained for a period not exceeding two (2) years from the date of submission.
• Aggregated & Anonymised Data. May be retained indefinitely as it cannot be used to identify you.

You may request early deletion of your data by contacting us at support@indierise.app, subject to applicable legal retention requirements.

6. Your Rights & Choices

Regardless of your location, you have the following rights with respect to your personal data:

• Access. Request a copy of the personal data we hold about you.
• Correction. Request rectification of inaccurate or incomplete personal data.
• Deletion. Request deletion of your account and personal data, subject to legal retention requirements.
• Portability. Receive your personal data in a structured, commonly used, machine-readable format.
• Opt-out of Marketing. Unsubscribe from marketing communications at any time via the unsubscribe link in our emails.
• Opt-out of AI Training. Request that your data not be used for any AI improvement purposes by writing to support@indierise.app.

6.1 EU / EEA Residents (GDPR). If you are located in the EU or EEA, you additionally have the right to: restrict or object to processing on grounds relating to your particular situation; withdraw consent at any time where processing is based on consent (without affecting prior lawful processing); and lodge a complaint with your competent supervisory authority. Our lawful bases are: performance of a contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)) for analytics, security, and fraud prevention.

6.2 California Residents (CCPA / CPRA). You have the right to know the categories and specific pieces of personal information collected and the purposes of collection; request deletion; opt out of the sale or sharing of personal information (we confirm that we do not sell your data); and be free from discrimination for exercising these rights.

6.3 Indian Residents (DPDP Act, 2023). Under the Digital Personal Data Protection Act, you have the right to: obtain confirmation of whether your personal data is being processed and access a summary; request correction or erasure of data no longer necessary; nominate an individual to exercise your rights in the event of death or incapacity; and file a grievance with the Data Protection Board of India.

To exercise any of these rights, email support@indierise.app. We will respond within thirty (30) calendar days. We may verify your identity before processing any request.

7. Security

We implement reasonable technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, including:

• Encryption of all data in transit using HTTPS/TLS protocols.
• Delegated authentication through Clerk, which manages password hashing (bcrypt), session token issuance and rotation, and optional multi-factor authentication.
• Row-level security (RLS) policies enforced at the database layer, ensuring API requests can only access data belonging to the authenticated user.
• PCI-DSS Level 1 compliant payment processing through Razorpay, with no card data transmitted to or stored on our servers.
• Cryptographic verification of inbound webhook payloads (HMAC-SHA256 signature validation) prior to processing.

No method of electronic transmission or storage is completely secure. We cannot guarantee absolute security. In the event of a data breach, we will notify affected users as required by applicable law. If you discover a security vulnerability, please report it immediately to legal@indierise.app.

8. Children

The Services are not directed at, and are not intended to be used by, individuals under the age of eighteen (18). We do not knowingly collect personal data from anyone under 18. If we learn that we have inadvertently collected personal data from a person under 18, we will take prompt steps to delete such data from our systems. If you are a parent or legal guardian and believe your child has provided personal data to us, please contact us at support@indierise.app.

9. Third-Party Links & Services

The Services may contain links to third-party websites, tools, or services that are not owned or controlled by IndieRise. We are not responsible for the privacy practices, content, or security of any third-party services. We encourage you to review the privacy policies of any third-party services you access through the Platform.

10. International Data Transfers

IndieRise is operated from India. However, certain service providers engaged by us — including Clerk, Supabase, Vercel, Google, and Anthropic — maintain infrastructure in the United States and other jurisdictions. As a result, your personal data may be transferred to, stored in, and processed in countries other than your country of residence, including countries that may not provide the same level of data protection as your home jurisdiction. Where such transfers occur, we ensure that our providers maintain appropriate technical and organisational safeguards and are bound by contractual obligations consistent with applicable data protection legislation. For users in the EU/EEA, cross-border transfers are carried out pursuant to Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms as required under the GDPR. By using the Services, you consent to the transfer of your data as described in this Policy.

11. Changes to This Policy

We may update this Privacy Policy at any time. When we make material changes — including changes in the categories of data collected, the introduction of new service providers, or modifications to the purposes of processing — we will update the “Last Updated” date at the top of this page and use reasonable efforts to notify you via email or through the Platform. Your continued use of the Services following the posting of any revised Privacy Policy constitutes your acceptance of the changes. We encourage you to review this page periodically.

12. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or our data processing practices, please contact us:

We will endeavour to acknowledge and respond to all privacy-related inquiries within thirty (30) calendar days of receipt.