Privacy Policy

01 — What data we collect and why

Account data (via Google OAuth)

When you sign in with Google, we receive your name, email address, and profile picture. We use this to create and identify your account. Legal basis: contract (necessary to provide the service).

Activity data

We store the votes you cast and comments you submit. This data is associated with your account and is necessary to provide core platform functionality. Legal basis: contract.

Email address (notifications)

If you have voted on a feature and a maker marks it as Shipped, we send you a one-time email notification via Brevo. You can stop receiving these by deleting your account. Legal basis: legitimate interest (notifying you of updates to things you explicitly voted for).

Analytics

We use Vercel Analytics to understand how visitors use IndieRoadmaps (pages visited, referrers, general location by country). Vercel Analytics is cookieless, does not track individuals, and does not use fingerprinting. No personal data is collected.

Technical data

Standard server and access logs (IP address, browser type, referring URL) may be retained briefly by our hosting provider, Vercel, for security and performance purposes. We do not use this data to identify individual users.

02 — Cookies

We use the following cookies:

  • Authentication cookies: a session cookie set by Supabase to keep you signed in. This is strictly necessary and cannot be opted out of while using the platform.

You can manage cookies through your browser settings.

03 — How we share your data

We do not sell your personal data. We share data only with the third-party services necessary to operate IndieRoadmaps:

All processors are either EU-based or operate under GDPR-compliant data transfer mechanisms (standard contractual clauses).

04 — Data retention

We retain your account data and activity (votes, comments) for as long as your account is active. If you delete your account, your personal data and all associated content are permanently deleted within 30 days. Anonymised or aggregated analytics data may be retained indefinitely as it cannot be linked back to you.

05 — Your rights under GDPR

As an EU resident, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your personal data (“right to be forgotten”).
  • Restriction — ask us to restrict processing of your data in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent (e.g. analytics), you may withdraw at any time without affecting prior processing.

To exercise any of these rights, email hey@indieroadmaps.com. We will respond within 30 days.

06 — Children's privacy

IndieRoadmaps is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us at hey@indieroadmaps.com and we will delete it promptly.

07 — Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top will reflect any changes. For material changes, we will notify users by email where possible.

08 — Contact

For any privacy questions or to exercise your GDPR rights: hey@indieroadmaps.com

Last updated: March 2026