GDPR Compliance
For Users in the European Union
Your Rights Under GDPR
If you're located in the European Union, you have specific rights under the General Data Protection Regulation (GDPR). This page explains those rights and how to exercise them.
Legal Basis for Processing Your Data
We process your personal data based on:
Contract Performance:
- Managing your account and subscription
- Providing search results and services you requested
Legitimate Interest:
- Improving our service and user experience
- Preventing fraud and ensuring security
- Analytics to understand service usage
Consent:
- Marketing emails (only if you opt in)
- Non-essential cookies
Legal Obligation:
- Complying with tax and accounting requirements
- Responding to lawful requests from authorities
Your GDPR Rights
1. Right to Access
You can request a copy of all personal data we hold about you. We'll provide this within 30 days in a structured, commonly used format.
2. Right to Rectification
You can correct inaccurate or incomplete data at any time through your account settings, or by contacting us.
3. Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data when:
- It's no longer necessary for the purposes we collected it
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
Exceptions: We may retain data if required by law or to establish legal claims.
4. Right to Restrict Processing
You can request we limit how we use your data in certain situations:
- You contest the accuracy of the data
- Processing is unlawful but you don't want erasure
- We no longer need the data but you need it for legal claims
- You've objected to processing pending verification
5. Right to Data Portability
You can receive your data in a machine-readable format (JSON/CSV) and transfer it to another service.
6. Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. We'll stop unless we have compelling legitimate grounds.
7. Right to Withdraw Consent
Where we process data based on consent, you can withdraw it anytime. This doesn't affect the lawfulness of processing before withdrawal.
8. Right to Lodge a Complaint
You can file a complaint with your local Data Protection Authority if you believe we've violated GDPR.
Data We Collect (GDPR-Specific Detail)
Personal Data:
- Identity Data: Name, email address
- Technical Data: IP address, browser type, device information
- Usage Data: Search queries, pages visited, feature usage
- Financial Data: Payment information (processed by Lemon Squeezy, not stored by us)
Special Categories of Data:
We do NOT collect sensitive personal data (racial/ethnic origin, political opinions, religious beliefs, health data, biometric data, etc.)
International Data Transfers
Indiecia is operated from Indonesia, which is outside the EU. When you use our service, your data is transferred to Indonesia.
Safeguards we use:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Encryption in transit and at rest
- Regular security assessments
- Data processing agreements with all service providers
Third-party processors located outside the EU:
- Linode (hosting) - USA
- Lemon Squeezy (payments) - USA
- Firebase (authentication) - USA (Google infrastructure)
All these providers comply with GDPR requirements and use appropriate safeguards.
Data Retention Periods
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account information | While account is active | Contract |
| Search history | While account is active | Contract |
| Payment records | 7 years after last transaction | Legal obligation (tax law) |
| Analytics data | 26 months | Legitimate interest |
| Marketing consent | Until withdrawn | Consent |
| Deleted account data | 30 days (then permanently deleted) | N/A |
| Backup data | Up to 90 days | Legitimate interest |
Cookies & Tracking
Strictly Necessary Cookies:
- Session management
- Authentication
- Security features
These are essential for the service and don't require consent under GDPR.
Analytics Cookies:
We ask for your consent before setting analytics cookies. You can:
- Accept or reject through our cookie banner
- Change preferences anytime in account settings
- Use browser settings to block cookies
We respect Do Not Track (DNT) signals.
Automated Decision-Making
We do NOT use:
- Automated decision-making that significantly affects you
- Profiling that produces legal or similarly significant effects
- AI systems that make decisions about your account or access
All account decisions (e.g., suspensions) involve human review.
How to Exercise Your Rights
Email us: maker@useindiecia.com
Include in your request:
- Your name and email address
- Which right you want to exercise
- Any relevant details
Our response time:
- We'll acknowledge your request within 72 hours
- We'll fulfill the request within 30 days
- If it takes longer, we'll explain why
Verification: We may ask for identification to verify your identity before processing requests.
No charge: Exercising your rights is free. We may charge a reasonable fee for repetitive or manifestly unfounded requests.
Data Protection Officer
For GDPR-related inquiries, contact:
- Email: maker@useindiecia.com
- Subject line: "GDPR Request - [Your Request Type]"
Children's Privacy (GDPR-Specific)
Under GDPR, users must be at least 16 years old (or the age specified by their EU member state, which may be lower but not below 13). We don't knowingly process data of children without parental consent.
Data Breach Notification
If a data breach occurs that poses a risk to your rights and freedoms:
- We'll notify the relevant Data Protection Authority within 72 hours
- We'll notify you directly without undue delay
- We'll explain what happened, what data was affected, and what we're doing about it
Updates to This Page
We'll notify you of material changes to our GDPR practices:
- Email notification to EU users
- Prominent notice on the website
- 30 days' notice before changes take effect (where possible)
Supervisory Authority
If you're not satisfied with how we handle your data, you can contact your local Data Protection Authority:
Find your local authority: https://edpb.europa.eu/about-edpb/board/members_en
Questions?
GDPR-specific questions: maker@useindiecia.com
We take GDPR compliance seriously and are committed to protecting your privacy rights.
Last Updated: January 25, 2026
Effective: January 25, 2026