1. Introduction
This Privacy Policy explains how Indie Valley ("Indie Valley", "we", "us", or "our") collects, uses, shares, and protects personal information when you access or use the Indie Valley website, application, and related services (the "Service"), available at https://indie-valley.com and through our backend API at api.indie-valley.com.
Indie Valley is operated by Aleksei Stepankov, Individual Entrepreneur (a sole proprietor acting in that capacity under applicable law). Where this Policy refers to "Indie Valley", "we", "us", or "our", it refers to this operator.
Indie Valley is a public, social, content-publishing platform where founders and builders publish their projects as living "shows" — combining a "verified" live revenue line ("Pulse") sourced read-only from a creator's own payment processor, longer updates ("Episodes"), and short updates ("Posts"). Viewers discover projects through a public feed and discovery pages, follow creators, react with "Gems", comment, and may subscribe through an "Indie Pass" to unlock premium subscriber-only features and content (subscriber-only Episodes).
We aim to be clear about what data we collect, why we collect it, and what rights you have. By using the Service, you agree to this Privacy Policy. If you do not agree, you must stop using the Service.
1.1. Relationship With Paddle
All purchases, payments, invoices, and related billing are handled by Paddle, our authorized reseller and Merchant of Record.
- Paddle is the seller of record for Indie Pass subscriptions and related purchases and acts as an independent data controller for all billing-related information it collects and processes.
- This Privacy Policy applies to data processed by Indie Valley, not to data that Paddle processes as an independent controller.
- Your purchases are also governed by the Paddle Buyer Terms and Paddle's own privacy practices.
Indie Valley does not process payments, hold buyer funds, or act as a payment facilitator, money transmitter, or merchant of record; those functions are performed solely by Paddle. For information about how Paddle handles your billing data, please refer to Paddle's Privacy Policy, available on Paddle's website.
1.2. Scope
This Privacy Policy applies to:
- the Indie Valley website and application;
- your account, profile, and the content you publish;
- your interactions with our support channels (including the Crisp chat widget);
- analytics, monitoring, and operational systems we use to provide the Service.
It does not apply to:
- Paddle's payment processing systems and billing data, which Paddle controls independently;
- third-party websites or services you access through links on the Service;
- the systems of the third-party payment processors that creators connect to verify their own revenue (see Section 4), which those processors and creators control.
1.3. Definitions
- "Personal Data" — information that identifies or can reasonably identify an individual.
- "Account" — the registered profile you use to access the Service.
- "Creator" — a user who publishes one or more projects on Indie Valley.
- "Public Content" — profiles, projects, Episodes, Posts, comments, Gems, read-state where surfaced publicly, and sourced metrics that are visible to anyone, as described in Section 3.
- "Subscriber-only Episodes" — Episodes whose full text is available only to eligible Indie Pass subscribers (each Episode shows a public teaser; the full text is unlocked by a Greenlight), together with the related premium subscriber features. Posts are public and are not subscriber-only.
- "Indie Pass" — the monthly auto-renewing subscription to Indie Valley described in our Terms of Service and on the /indie-pass pricing page, offered as the Indie Pass (Standard) and with optional tiers (the AI Trend Analytics add-on and the Spotlight tier).
- "Greenlight" — an access feature of the Indie Pass by which you unlock a project's Episodes. Pressing "Greenlight" on a project unlocks that project's Episodes and is one of the inputs that helps determine how Indie Valley allocates its own Creator Rewards. A Greenlight is not currency, store credit, a voucher, stored value, a wallet, or a redeemable balance; it has no cash value, is non-transferable, and is not a payment to any creator.
- "Spotlight" — a premium tier of the Indie Pass that surfaces a subscribing creator's own Indie Valley project page on a showcase area of the Service, linking only to that project's own page on Indie Valley. It is a presentation feature of the creator's own subscription.
- "Pulse" — sourced revenue and related metrics pulled read-only from a creator's own connected payment processor.
- "Processing" — any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.).
1.4. Eligibility and Age Requirement
The Service is intended for individuals 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has provided personal data, please contact us at [email protected] so we can delete it. See Section 13.
2. Data We Collect
We collect only the data necessary to operate, secure, and improve Indie Valley. This includes information you provide directly, data we collect automatically when you use the Service, and information processed by essential third-party providers on our behalf or as independent controllers.
We do not intentionally collect special categories of sensitive personal data (such as government IDs, health, biometric, or financial-account data), and we never collect or store your payment card details. Note that images you choose to upload (such as avatars and cover images) are photographs that could incidentally reveal information you consider sensitive; you control what you upload and publish (see Section 3).
2.1. Information You Provide
2.1.1. Account and Authentication Information
Indie Valley uses passwordless authentication — we do not store passwords. When you register or sign in, we collect:
- your email address (required);
- the one-time 6-digit magic-link code we email to you to verify your sign-in (codes are short-lived and used only for authentication);
- if you choose to use Google sign-in (OAuth), the account identifier and basic profile information Google returns to authenticate you;
- account creation and sign-in timestamps.
Where you use Google sign-in or connect an X/Twitter account (see Section 2.1.2), we receive and store only the identifier and basic profile fields needed to authenticate you or enrich your profile, together with the OAuth tokens required to maintain the connection. We request the minimum scopes necessary and do not use these connections to post on your behalf without your action.
Registration requires an email address and your acceptance of our Terms of Service and this Privacy Policy. You may separately and optionally consent to non-essential mailing communications.
2.1.2. Profile Information
Your profile may include information you choose to provide, such as:
- display name and public profile handle/code;
- bio or "story", role, company, and country;
- avatar image and cover image;
- social links (X/Twitter handle, LinkedIn URL, GitHub URL, website URL);
- if you choose to connect an X/Twitter account (OAuth), the account information returned to enrich your profile;
- timezone, interface language, and your granular notification preferences.
Some profile fields are public by default (see Section 3).
2.1.3. Project and Connection Data (Creators)
If you publish a project, we collect the information you provide about it, including:
- project name, description, and category;
- logo and cover images;
- founded date and country;
- tech stack, marketing channels, pricing, and target audience;
- "why building" narrative and team members;
- the configuration you set up to connect a payment processor for revenue verification ("Pulse") and the sourced revenue data we pull read-only (see Section 4).
If you list other individuals as team members or otherwise include another person's personal data in your project, you confirm that you have a lawful basis (such as their consent) to do so. Individuals who are listed by a creator may request removal of their information by contacting us at [email protected].
2.1.4. Public Content You Publish
We process the content you choose to publish or generate on the Service, including Episodes, Posts, comments, Gems, and uploaded images. The public nature of this content is described in Section 3.
2.1.5. Communications and Support
If you contact us (for example, by email or through the Crisp chat widget), we process:
- your email address and any identifying details you provide;
- the messages and support inquiries you send;
- limited metadata required to operate support tools (e.g., browser type, approximate region).
2.2. Information Collected Automatically
2.2.1. Technical and Device Information
We automatically collect:
- IP address (for security, fraud detection, and routing);
- browser type and version;
- device type and operating system;
- referrer URLs;
- timezone and locale;
- basic system information required to render the interface.
2.2.2. Usage and Analytics Data
Through Google Analytics and Amplitude — both loaded through Google Tag Manager — we collect information about how the Service is used, such as:
- page views and navigation flow;
- clicks and interaction patterns;
- feature usage;
- session and traffic data.
Session replays. As part of Amplitude, we also capture session replays — pseudonymized reconstructions of a visit (the pages you view and your clicks, scrolls, and navigation) that help us see how the product is actually used, find friction points, and diagnose issues. Replays are configured to mask form input, so the content you type is not recorded. They are linked only to a pseudonymous identifier (never your name or email), run only after you consent, are never used for advertising, and can be switched off at any time by withdrawing consent (see Section 11).
Transparency note and consent. Where you are signed in, our analytics configuration may associate a pseudonymous user_id (your account identifier) with analytics events as a user property. We do not send your email address, name, or other direct identifiers to Google Analytics, Amplitude, or Google Tag Manager. Because that user_id is linked to your account, we treat analytics as non-essential and consent-based: Google Tag Manager loads with Google Consent Mode set to denied by default — including the advertising signals (ad_storage, ad_user_data, ad_personalization), which remain denied at all times — and we activate Google Analytics and Amplitude (and any user_id) only after you have given consent through our cookie-preference mechanism (see Section 11); you can withdraw that consent at any time. We have disabled Google Analytics Advertising Features and Google "data sharing" settings and run no advertising or remarketing tags, so this analytics data is not used for advertising and does not constitute a "sale" or "sharing" of personal information for cross-context behavioral advertising. Transfers to Google and Amplitude are covered by their respective data processing terms, including the EU-US Data Privacy Framework and/or Standard Contractual Clauses (see Section 12).
2.2.3. Error and Performance Monitoring
We use Sentry, hosted on our own infrastructure, for error and performance monitoring. We treat Sentry as a strictly necessary, first-party tool used to keep the Service secure, stable, and reliable, and we rely on our legitimate interests (and, where applicable, the necessity of providing the Service) for this processing rather than on optional analytics consent. Sentry may process technical context tied to errors and performance events, such as error traces, request metadata, browser/device information, IP addresses, and limited identifiers needed to diagnose issues. Sentry processing occurs within the regions described in Section 12.
2.2.4. Log Data
For security and diagnostics, we maintain server logs containing:
- timestamps;
- API request metadata;
- rate-limit events;
- error traces;
- system performance data.
2.2.5. Live Presence ("Who's exploring now")
To power the live map on our /discover page — a real-time view of how many people are exploring Indie Valley and roughly where they are visiting from — we process, only after you consent to analytics (see Section 11):
- an approximate or precise geographic location derived from your IP address (we use the location signals provided by Cloudflare; we do not store your raw IP address for this feature);
- your browser and operating system (derived from the User-Agent);
- the page you are currently viewing and the referring source;
- a random, per-browser pseudonymous identifier stored on your device, which is not linked to your account, name, or email and exists only to recognize your own repeat visits within the map.
We display this information only in pseudonymized form (a generated nickname and avatar — never your real identity). The feature provides social proof to visitors and traffic transparency to creators on their own listings. It is non-essential and consent-based: if you decline cookies, we do not run it, do not store the identifier on your device, and do not place you on the map — you can still view the map. This presence data is transient, retained only for minutes and, for the activity timeline, up to approximately 24 hours (see Section 9).
The map itself is rendered with Mapbox map tiles. Loading them sends Mapbox the technical request data (such as your IP address and browser) needed to serve the tiles; this happens whenever the map is displayed (the map is content you can view), but no presence ping or identifier is sent to us without your consent.
2.3. Data Processed by Third-Party Providers
2.3.1. Paddle (Merchant of Record)
We do not collect or store payment card data. Paddle processes all billing information independently as a data controller, including payment method details, billing address or country, tax information (e.g., VAT/GST ID), and transaction history. See Sections 1.1 and 8.1.
2.3.2. Connected Revenue Providers (Creator Pulse)
When a creator connects a payment processor to verify revenue, we receive read-only metrics from that processor. See Section 4 and the list in Section 8.2.
2.3.3. Infrastructure, Analytics, Monitoring, and Support Providers
We rely on the providers described in Sections 7 and 8, including our cloud hosting provider, Cloudflare (CDN, R2 object storage, security/DNS, and the approximate location signals used by the live presence map), Google Tag Manager, Google Analytics, Amplitude, Mapbox (map tiles for the live presence map), self-hosted Sentry, the Crisp support widget, our email delivery provider, and the OAuth identity providers (Google and X/Twitter) you may choose to use.
2.4. Information We Do Not Collect
We do not collect or store:
- passwords (authentication is passwordless);
- payment card details (these go directly to Paddle);
- special categories of sensitive personal data as a deliberate data field (health, biometric, religion, etc.);
- information knowingly submitted by individuals under 18.
3. The Public Nature of Content
Indie Valley is a public, social platform. This section describes what constitutes Public Content (as defined in Section 1.3). By design, much of what you create on Indie Valley is visible to anyone on the internet, whether or not they have an account. Please consider this carefully before publishing anything.
3.1. What Is Public by Default
The following are public and may be indexed by search engines, displayed on discovery pages and the feed, and viewed by anyone:
- your profile (display name, handle/code, bio/story, role, company, country, avatar and cover images, and the social links you add);
- projects you publish, including their descriptions, categories, images, founded date and country, tech stack, marketing channels, pricing, target audience, "why building" narrative, and team members you list;
- Posts, and the public teaser of every Episode (its title, synopsis, cover, and Pulse marker);
- comments you write and the Gems you give;
- sourced metrics ("Pulse") that a creator has chosen to display publicly (see Section 4);
- your presence on public leaderboards (for example, "Top Voices"), where applicable.
3.2. What Is Restricted
- The full text of Episodes is locked to eligible Indie Pass subscribers (each Episode shows a public teaser); Posts are public.
- Certain deeper Pulse metrics (e.g., paying-user counts) are surfaced only to eligible subscribers, where a creator enables them (see Section 4).
3.3. What Stays Private
The following are not made public by Indie Valley:
- your email address and magic-link codes;
- your session and authentication data;
- your notification preferences and interface settings;
- your billing data (held by Paddle);
- private support communications;
- the underlying read-only credentials/configuration used to connect a revenue processor.
Content you publish may be copied, screenshotted, or re-shared by others once it is public; we cannot control such third-party use. Deleting content removes it from active systems, but cached or re-shared copies outside our control may persist.
4. Creator Revenue Connections ("Pulse")
Creators may connect their own payment processor to Indie Valley to verify revenue. This connection is read-only.
4.1. What We Pull
When a creator authorizes a connection, we pull, on a periodic basis (refreshed approximately hourly), read-only metrics such as revenue, MRR, and paying-user counts. The sourced figures a creator chooses to display are shown publicly as "Pulse".
Supported processors for revenue verification are: Stripe, Paddle, Lemon Squeezy, Polar, Dodo Payments, RevenueCat, Superwall, and Creem.
4.2. What We Do Not Do
- We do not obtain the ability to move, charge, refund, or otherwise manage funds in a connected account — access is read-only.
- We do not pull the personal data of a creator's end customers for display; Pulse consists of aggregate revenue and subscriber metrics.
- "Sourced" means a metric is pulled directly from the connected processor's API at the time of retrieval. It is not an audit, certification, or guarantee of the accuracy or completeness of any figure.
4.3. Disconnecting
A creator can disconnect a revenue integration at any time from their project settings. After disconnection, we stop pulling new metrics from that processor.
5. How We Use Your Data
We use the data we collect strictly to operate, secure, personalize, and improve Indie Valley. We do not sell your personal data, and we do not use it for third-party advertising or to train external AI models.
5.1. To Provide and Operate the Service
We process your data to:
- create, authenticate, and manage your account (including issuing and verifying magic-link codes and processing Google/X OAuth sign-in);
- publish and display your profile, projects, Episodes, Posts, comments, and Gems;
- pull and display sourced Pulse metrics for connected projects;
- enable following, the feed, discovery, leaderboards, and notifications;
- manage Indie Pass subscriptions, Greenlights, and subscriber-only Episode access (billing is handled by Paddle);
- store and serve images you upload;
- deliver customer support.
5.2. To Operate the Indie Pass Subscription and Creator Partner Program
We use account and subscription data to provide the premium subscriber features included in Indie Pass — the full text of subscriber-only Episodes, the feedback channel to creators, deeper Pulse metrics, "Cliffhanger" voting, the weekly Friday newsletter, and, for subscribers with the AI Trend Analytics add-on, the monthly AI "Premium Digest" of aggregated trends, playbooks, benchmarks, and case studies built from sourced founder data.
Indie Valley books Indie Pass subscription revenue as its own and, out of that revenue, funds a discretionary Creator Rewards budget at a level it sets in its discretion; the Indie Pass is a bona-fide subscription to Indie Valley's software and content, not a pass-through of your payment to any creator. Your Indie Pass Greenlights determine which creators' Episodes you unlock and are one of the inputs that help determine how Indie Valley allocates its own Creator Rewards to creators, under Indie Valley's Creator Partner Program. A Greenlight is an access feature of your subscription; it configures which subscriber-only Episodes you unlock, but it is not currency, store credit, stored value, a redeemable balance, or a payment to any creator, has no cash value, is non-transferable, and does not transfer your payment to any creator. Whether, when, and how much Indie Valley rewards a creator is determined by Indie Valley under the Creator Partner Program (including the discretionary budget, allocation approach, anti-fraud holdbacks, and eligibility rules) and is independent of any individual subscriber payment. Any creator payouts are made by Indie Valley out of its own revenue under a separate Creator Partner Agreement; Paddle does not process payments from you to creators.
5.3. To Maintain Security and Prevent Abuse
We use technical, log, and account data to:
- detect suspicious, fraudulent, or abusive activity;
- prevent fake or manipulated metrics, manipulation of Gems/engagement, scraping or automated access, multiple-account abuse, and impersonation;
- protect accounts from unauthorized access;
- enforce limits such as the rule that you cannot Greenlight your own project;
- monitor platform stability and integrity;
- comply with Paddle's anti-fraud and risk requirements.
5.4. To Communicate With You
We may send you:
- transactional and authentication messages (e.g., magic-link codes, account and security notices);
- activity notifications you have enabled (e.g., new episode, comment, feedback, new subscriber, milestone);
- the weekly Friday newsletter and, for subscribers with the AI Trend Analytics add-on, the monthly AI Premium Digest, where applicable;
- important product or policy updates.
You can manage granular per-type notification preferences in your account and opt out of non-essential email.
5.5. To Improve the Service
We use usage and analytics data, generally in aggregated or de-identified form, to understand how Indie Valley is used, improve onboarding and user experience, build and refine features, and identify errors and performance issues.
5.6. To Build Aggregated Insights
We use sourced founder data and platform activity in aggregated form to produce trends, benchmarks, playbooks, and case studies (including the Premium Digest). These insights are designed to reflect categories and patterns across the Valley rather than to identify any individual buyer.
5.7. To Comply With Legal Obligations
We may process data to meet applicable tax, regulatory, and accounting obligations, respond to lawful requests from authorities, and enforce our Terms of Service. We disclose only what is necessary.
6. Legal Bases for Processing (GDPR)
If you are located in the EU, EEA, UK, or Switzerland, we process your personal data under one or more of the following legal bases:
6.1. Performance of a Contract
We process your data where necessary to create and maintain your account, authenticate access, publish your content, provide Indie Pass subscription features, and deliver support. Billing is performed by Paddle under your contract with Paddle as Merchant of Record.
6.2. Legitimate Interests
We process certain data to pursue our legitimate interests, including securing the Service and preventing fraud and abuse, maintaining error and performance monitoring (Sentry), monitoring reliability, understanding aggregated usage, operating public discovery and leaderboards consistent with the social nature of the platform, and communicating essential product information. We balance these interests against your rights and minimize data where possible.
6.3. Consent
We rely on your consent where you enable non-essential (e.g., Google Analytics) cookies and tracking, where you connect optional services such as Google or X OAuth, where you subscribe to non-essential communications, and where you choose to make information public. You may withdraw consent at any time without affecting prior lawful processing.
6.4. Compliance With Legal Obligations
We process and retain certain data to comply with tax, accounting, and regulatory requirements and to respond to lawful requests.
6.5. Protection of Rights and Safety
In limited cases, we may process or disclose data where necessary to protect the rights, safety, or security of users or the public, or to prevent or address suspected misconduct.
7. How We Store and Protect Your Data
7.1. Storage Locations and Infrastructure
Your data is stored and processed on secure cloud infrastructure operated for Indie Valley, together with:
- our cloud hosting provider — application servers and databases (our current sub-processor list, including the named hosting provider and processing regions, is available on request via [email protected]);
- Cloudflare — CDN, R2 object storage (for images you upload), and security/DNS;
- self-hosted Sentry — error and performance monitoring.
Processing may occur in the United States and the European Union. See Section 12.
7.2. Image Uploads
Images you upload (project logos, project covers, Episode covers, profile avatars, and post media) are sent via presigned PUT requests directly to Cloudflare R2 object storage and served through a CDN. We store the resulting media and associated metadata to display your content.
7.3. Security Measures
We implement technical and organizational safeguards, including:
- encryption in transit (HTTPS/TLS);
- session tokens stored in an httpOnly cookie, with credentials sent securely;
- restricted internal access to production systems;
- authentication and authorization controls;
- network protection and security monitoring;
- regular updates and patches.
We review and update our security practices on an ongoing basis. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
7.4. Incident Response and Breach Notification
If we become aware of a personal data breach, we will assess it without undue delay and respond in accordance with applicable law. Where the GDPR or UK GDPR applies, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals' rights and freedoms. Where a breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay. We will also comply with applicable U.S. state breach-notification laws (e.g., California) and other regional requirements, and will describe the nature of the incident and the steps taken to mitigate it.
8. Who We Share Data With and Sub-processors
We do not sell your personal data. We share data only with trusted providers when necessary to operate the Service, deliver core functionality, or meet legal obligations. Providers acting on our behalf are bound by contractual confidentiality and security obligations. A current list of our sub-processors is available on request via [email protected], and we will inform users of material changes to our sub-processors in accordance with Section 14.
8.1. Paddle (Merchant of Record)
Paddle processes all purchases as the seller of record and an independent data controller for billing data, including payment method details, billing address or country, tax information, and transaction history. We do not access or store your payment card data. We may access high-level transaction metadata (not card data) to verify purchases, assist with subscription support, and investigate fraud or disputes. Indie Valley does not process payments, hold funds, or act as a payment facilitator, money transmitter, or merchant of record; those functions are performed solely by Paddle. The limited transaction metadata we receive from Paddle is processed by us as a separate, independent controller only for account management, support, and fraud prevention. See Paddle's Privacy Policy.
8.2. Connected Revenue Providers
For creators who verify revenue, we receive read-only metrics from the processor the creator connects: Stripe, Paddle, Lemon Squeezy, Polar, Dodo Payments, RevenueCat, Superwall, and Creem. These processors operate under their own terms and privacy policies.
8.3. Identity Providers (OAuth)
If you choose to sign in with Google or connect an X/Twitter account, those providers act as recipients of authentication requests and return account identifiers and basic profile information to us. These providers process your data under their own privacy policies, and you control whether to use or disconnect these connections.
8.4. Hosting, Storage, and Network
- Our cloud hosting provider — application servers and databases (named in our sub-processor list, available on request).
- Cloudflare — CDN, R2 object storage, security and routing (may process IP addresses, technical metadata, and stored media).
8.5. Analytics
- Google Tag Manager — tag-management layer that loads and governs our analytics tags under Google Consent Mode (denied by default; activated only after consent).
- Google Analytics — usage analytics. As noted in Section 2.2.2, our configuration associates a pseudonymous user_id with analytics as a user property (we do not send your email address); Google Analytics is loaded only after consent, with Advertising Features and data-sharing disabled.
- Amplitude — product analytics used to understand feature usage and improve the Service, including session replays (pseudonymized session reconstructions with form input masked — see Section 2.2.2). As with Google Analytics, Amplitude is activated only after consent and receives only a pseudonymous user_id (never your email address or other direct identifiers); we do not use it for advertising.
8.6. Error and Performance Monitoring
- Sentry (self-hosted) — error and performance monitoring; processes technical context tied to errors and performance events, as described in Section 2.2.3.
8.7. Support Tools
- Crisp — our support-chat widget. It loads for all visitors so help is always available, and sets its own functional cookies needed to operate the chat (not analytics cookies, and loaded regardless of your analytics-consent choice). Crisp may receive the email associated with your account when you are signed in (or any email you provide), the chat messages you send, and basic technical metadata, used solely to assist you.
8.8. Email Delivery
We use a third-party email delivery service (named in our sub-processor list, available on request via [email protected]) to send transactional, magic-link, notification, newsletter, and digest emails. The provider may process your email address and message content for the purpose of delivering these emails.
8.9. Future Creator Payout Providers
Creator rewards accrue in an internal ledger. At launch, payouts are not yet enabled — earnings accrue. When payouts are enabled, Indie Valley intends to send them via Wise, with U.S. tax-form handling (e.g., W-9 / W-8BEN, and 1099-NEC / 1099-MISC for eligible U.S. recipients) via Track1099. Payouts, once enabled, are processed on a monthly cadence in USD subject to a minimum payout threshold, and tax forms (W-9 / W-8BEN) are collected via Track1099 only from creators who complete payout setup. These services are relevant only to creators who set up payouts and are governed by a separate Creator Partner Agreement; they do not process payments between buyers and creators. Paddle does not process creator payouts; creator rewards are paid by Indie Valley out of its own revenue and are separate from Paddle's role as Merchant of Record.
8.10. Legal, Compliance, and Safety
We may disclose data where required to comply with laws or legal process, respond to valid government requests, protect the rights, safety, or security of users or the Service, enforce our Terms of Service, or prevent fraud or abuse. We disclose only the minimum necessary.
8.11. Business Transfers
If Indie Valley is ever involved in a merger, acquisition, or asset transfer, your personal data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
9. Data Retention
We retain personal data only for as long as necessary to provide the Service, comply with legal obligations, maintain security, and support legitimate business needs. Where we cannot state an exact period, we describe the criteria we use to determine it.
9.1. Account and Profile Information
We retain your account and profile information for as long as your account remains active. If you delete your account, personal account data is removed from active systems within a reasonable period (typically within 30 days), and backups are overwritten on our standard backup cycle (typically within 90 days).
9.2. Public Content
Profiles, projects, Episodes, Posts, comments, and Gems remain available while published. When you delete a piece of content or your account, we remove it from active systems; cached or re-shared copies outside our control may persist (see Section 3).
9.3. Sourced Metrics (Pulse)
We retain pulled revenue metrics while a connection is active and for up to 12 months after disconnection for historical display, security, and integrity, after which they are deleted or aggregated. After disconnection we stop pulling new metrics.
9.4. Technical, Log, and Monitoring Data
Server and security logs (e.g., IP addresses, request metadata) are typically retained for 30 to 90 days. Error and performance monitoring data in Sentry is typically retained for up to 90 days. Security-incident logs may be retained for up to 12 months (and longer where needed to investigate malicious activity or to meet legal requirements). The criteria we apply are the time needed to troubleshoot, secure the Service, and meet legal limitation periods.
9.5. Analytics Data
Google Analytics data is retained according to our configured Google Analytics data-retention setting (currently up to 14 months) and, where possible, in aggregated or de-identified form.
9.6. Support Messages
Support messages (including via Crisp) are retained for up to 24 months after your last contact and used solely for support; you may request their earlier removal.
9.7. Billing Records (Handled by Paddle)
We do not store payment method information. Payment records, invoices, and tax data are processed and retained by Paddle according to its legal obligations (often 7–10 years depending on tax jurisdiction). We cannot delete or modify Paddle's billing records.
9.8. Accrued Creator Earnings
Where a creator never sets up payouts, Creator Rewards earnings accrue as an accounting record in our internal ledger (not stored value or funds held on the creator's behalf). After 12 months of inactivity following the date payouts become generally available, unclaimed earnings may be forfeited to the platform, as described in our Terms of Service and the Creator Partner Agreement; earnings may also be forfeited where a project is banned for fake or fraudulent metrics or serious violations. Related ledger records may be retained for accounting and audit purposes for the period required by applicable law.
9.9. Exceptions to Deletion
We may retain certain data where necessary to comply with legal or regulatory obligations, resolve disputes, enforce our Terms of Service, prevent fraud or misuse, or maintain backups that are automatically overwritten on a scheduled basis. Any retained data is minimized and securely stored.
10. Your Rights
Depending on your location, you may have rights regarding your personal data under laws such as the GDPR, UK GDPR, and the California Consumer Privacy Act as amended by the CPRA (the "CCPA"), and other regional frameworks. You may exercise these rights by contacting us at [email protected]. To protect your data, we may need to verify your identity before fulfilling a request (for example, by confirming control of the email address associated with your account); we will not use information collected for verification for any other purpose.
10.1. Right to Access / Know
You may request confirmation of whether we process your personal data, a copy of that data, and information about how and why it is processed, including the categories of personal information collected, the sources, the purposes, and the categories of third parties to whom it is disclosed.
10.2. Right to Rectification / Correction
You may request correction of inaccurate or incomplete data. Many profile and account details can be edited directly in your settings.
10.3. Right to Erasure / Deletion
You may request deletion of your personal data and account. We will remove personal data from active systems, subject to minimal information we may retain where legally required (e.g., fraud prevention, tax compliance). We cannot delete billing records retained by Paddle as an independent controller.
10.4. Right to Restrict or Object to Processing
You may ask us to stop or limit processing of your personal data, including processing based on legitimate interests. We will comply unless there are overriding legal or operational grounds (e.g., security, fraud prevention).
10.5. Right to Data Portability
Where technically feasible, you may request a machine-readable copy of your account and profile information and the content associated with your account.
10.6. Right to Withdraw Consent
Where we rely on consent (e.g., analytics cookies, optional OAuth connections, non-essential communications), you may withdraw it at any time without affecting prior lawful processing.
10.7. Automated Decision-Making and Profiling
We do not make decisions producing legal or similarly significant effects about you based solely on automated processing without human involvement. Our feed ranking (including "For You" recommendations) and public leaderboards (such as "Top Voices") are forms of personalization and ranking, not decisions with legal or significant effects. Where our automated systems flag potential fraud or abuse, a meaningful action affecting your account (such as suspension or termination) involves human review, and you may contest such a decision and request human reconsideration by contacting [email protected].
10.8. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the rights set out in this section.
(a) Categories of personal information we collect. In the past 12 months, we have collected the following statutory categories:
- Identifiers — e.g., email address, display name, profile handle, account identifiers, IP address, OAuth identifiers.
- Internet or other electronic network activity — e.g., usage, navigation, feature interactions, and analytics events.
- Commercial information — e.g., Indie Pass subscription and Greenlight records and transaction metadata received from Paddle (we do not collect payment card data).
- Geolocation data — coarse/approximate location derived from IP address (not precise geolocation).
- Audio, electronic, visual information — images you upload, such as avatars, cover images, and post media.
- Professional or employment-related information — e.g., role, company, and project details you choose to provide.
- Inferences — limited inferences drawn for personalization (e.g., feed ranking).
(b) Sources. We collect this information directly from you, automatically from your use of the Service, and from third parties such as your chosen OAuth identity providers and Paddle (transaction metadata).
(c) Business and commercial purposes. We use these categories to provide and operate the Service, manage subscriptions and subscriber-only Episode access, secure the Service and prevent fraud, communicate with you, improve the Service, build aggregated insights, and comply with law, as described in Section 5.
(d) Disclosures. We disclose personal information to the service providers and recipients listed in Section 8 (e.g., hosting, Cloudflare, Google Analytics, Sentry, Crisp, email delivery, OAuth identity providers, and Paddle as an independent controller) for the business purposes described above.
(e) Sensitive Personal Information. We do not collect Sensitive Personal Information for the purpose of inferring characteristics, and we do not use or disclose it for purposes that would trigger the right to limit. Because we do not use Sensitive Personal Information for such purposes, no "Limit the Use of My Sensitive Personal Information" mechanism is required.
(f) No sale or sharing. We do not sell your personal information and do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA. Because we do not sell or share personal information, we do not provide a "Do Not Sell or Share My Personal Information" link; you can manage analytics through our cookie-preference mechanism (Section 11).
(g) No financial incentives. We do not offer financial incentives or price/service differences in exchange for the collection, sale, or retention of personal information.
(h) Your rights. You have the right to know, access, correct, and delete your personal information, the right to opt out of sale/sharing (not applicable, as we do none), the right to limit Sensitive Personal Information (not applicable, as described above), and the right to non-discrimination for exercising your rights.
(i) Authorized agents. You may use an authorized agent to submit a request on your behalf by contacting [email protected]; we may require written authorization and may verify your identity directly.
10.9. Right to Lodge a Complaint
You may lodge a complaint with your local data protection authority (for example, your national DPA in the EU/EEA, the Information Commissioner's Office in the UK, or the California Attorney General). We encourage you to contact us first so we can address your concern.
10.10. Response Time
We aim to respond to rights requests within 30 days, or within the timeframe required by your jurisdiction. If a request is complex, we will notify you of any extension and the reason for it.
11. Cookies and Tracking Technologies
This section explains how Indie Valley uses cookies and similar technologies and the choices you have.
11.1. What Are Cookies and Similar Technologies?
Cookies are small text files stored on your device. We also use similar technologies such as browser local storage and session storage. These help us operate the Service, maintain security, remember preferences, and understand usage.
11.2. Categories We Use
(a) Essential (Strictly Necessary)
Required for the Service to function. These include:
- session_token — an httpOnly cookie holding your authentication session;
- token_expires_in — a non-sensitive cookie tracking session expiry;
- a language cookie for your interface language;
- the cookieConsent cookie and related cookie-preference storage that record your consent choices.
Essential cookies cannot be disabled, because the Service cannot operate without them.
(b) Analytics and Performance (Consent-Based)
Where you have given consent, we use Google Analytics and Amplitude (loaded via Google Tag Manager under Google Consent Mode), including Amplitude session replays, to understand usage and improve the platform (see Section 2.2.2 about the user_id and session replays). These are loaded only after consent and are not set if you decline. Our live presence map also falls in this category: when you consent, it stores a random, per-browser pseudonymous identifier in local storage (not linked to your account) and shows you on the /discover map, as described in Section 2.2.5; if you decline, this identifier is not stored and you are not placed on the map. Our self-hosted Sentry error and performance monitoring is treated as a strictly necessary, first-party security and reliability tool and is described in Section 2.2.3 rather than as consent-gated analytics.
(c) Functional
We use local storage to remember conveniences such as your theme, sidebar state, recent searches, newsletter dismissals, and a server-sent-events identifier used to deliver real-time updates. If disabled, certain convenience features may not work as intended. Separately, our Crisp support-chat widget loads for all visitors and sets its own functional cookies necessary to operate the chat; these are not analytics cookies and are set regardless of your analytics-consent choice (see Section 8.7).
11.3. Your Choices
You can manage non-essential cookies and similar technologies through our cookie-preference mechanism (the cookieConsent control) and through your browser settings to block or delete cookies, or via browser-level opt-out tools where supported. Blocking essential cookies may prevent the Service from working.
11.4. No Advertising or Cross-Site Behavioral Tracking
Indie Valley does not use advertising cookies, marketing pixels, retargeting systems, or third-party cross-site behavioral advertising. We use Google Analytics and Amplitude solely for first-party product analytics, with Google Analytics Advertising Features and Google data-sharing disabled. While analytics can associate a user_id with your activity within our own analytics (see Section 2.2.2), we do not use this for cross-site behavioral advertising and do not sell or share it for that purpose.
11.5. "Do Not Track"
Some browsers send a "Do Not Track" signal. While we do not engage in cross-site advertising tracking, third-party analytics tools may not consistently respond to such signals; you can control analytics through our cookie-preference mechanism.
12. International Data Transfers
Because Indie Valley operates globally and relies on third-party infrastructure, your personal data may be transferred to and processed in countries other than your own, including the United States and the European Union. These locations may have different data-protection standards than your jurisdiction.
12.1. Where Data Is Processed and Safeguards by Recipient
The table below summarizes the main recipients, their general processing locations, and the safeguard relied upon for transfers from the EU/EEA or UK.
| Recipient | Role | General location | Transfer safeguard |
|---|---|---|---|
| Our cloud hosting provider | Application servers, databases | US / EU | Standard Contractual Clauses (SCCs) + UK IDTA; DPA |
| Cloudflare | CDN, R2 object storage, security/DNS | Global network | EU-US Data Privacy Framework and/or SCCs + UK IDTA; DPA |
| Google (Analytics, Tag Manager; Sign-In) | Analytics, tag management; OAuth identity | US / global | EU-US Data Privacy Framework and/or SCCs + UK IDTA; DPA |
| Amplitude | Product analytics, session replay | US / global | SCCs / provider's own terms; DPA |
| Mapbox | Map tiles for the live presence map | US / global | SCCs / provider's own terms |
| X/Twitter | OAuth identity | US / global | SCCs / provider's own terms |
| Sentry (self-hosted) | Error/performance monitoring | US / EU (our infrastructure) | Processed within our stated regions; internal measures |
| Crisp | Support chat | EU | EU-based provider; DPA |
| Email delivery provider | Transactional/notification email | US / EU | SCCs + UK IDTA; DPA |
| Paddle | Billing (independent controller) | Global | Determined by Paddle as independent controller |
| Wise; Track1099 (future, creators only) | Payouts; tax forms | US / global | SCCs / provider's own terms (when enabled) |
For transfers from the EU/EEA or UK to countries without an adequacy decision, we rely on one or more of: Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Addendum (IDTA), certification under the EU-US Data Privacy Framework where a provider is certified, Data Processing Agreements with sub-processors, and technical and organizational measures such as encryption, access controls, and data minimization. Where required, we conduct transfer impact assessments.
12.2. Paddle Transfers
Paddle, as an independent controller, processes billing data in its own infrastructure, which may involve transfers across jurisdictions; we do not control Paddle's transfers. See Paddle's Privacy Policy.
13. Children
The Service is intended only for individuals 18 years of age or older and may not be used by anyone under 18. We do not knowingly collect or process personal data from minors. If we become aware that we have collected personal data from a person under 18, we will delete it as soon as reasonably practicable and may suspend or terminate the associated account. If you believe a minor has provided personal data to us, contact us at [email protected].
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our Service, legal requirements, or data practices, including changes to our sub-processors. If we make material changes, we will notify you by email to the address associated with your account or by a notice within the Service. Unless otherwise stated, updates become effective when the revised Policy is posted on this page. Your continued use of the Service after the updated Policy becomes effective constitutes acceptance of the changes. If you do not agree, you should stop using the Service and may request account deletion at any time.
15. Contact
If you have questions about this Privacy Policy or how your personal data is processed, you may contact us at:
Aleksei Stepankov, Individual Entrepreneur Operating as Indie Valley Email: [email protected] Website: https://indie-valley.com
This email is our designated privacy contact, and you may send all data-subject and privacy requests there.
Indie Valley is established outside the EU and the UK. To the extent Article 27 of the EU GDPR and/or the UK GDPR requires the appointment of an EU and/or UK representative for our processing of EU/UK data subjects' personal data, we have appointed or will appoint such a representative prior to processing activities that trigger the requirement, and we will publish the representative's contact details on this page and make them available on request at [email protected].
For billing or payment-related inquiries (including invoices, taxes, payment records, and refunds processed after approval), please contact Paddle, our Merchant of Record, using the link included in your payment receipt or via Paddle's buyer support resources.
If you are located in the EU, UK, or another region with data-protection regulations, you may also contact your local data protection authority. We encourage you to contact us first so we can address your request promptly.