Privacy Policy

Last updated: February 24, 2026

IndieBob handles two types of data: yours (as an IndieBob user) and your visitors' (collected through the SDK you install in your apps). This policy covers both.

1. Data we collect from you (IndieBob users)

Account information

When you sign in with Google, we receive your name, email address, and profile picture. We don't receive or store your Google password. We use this information to create your account and display your identity in the dashboard.

Project data

Information you enter about your projects: name, domain, description, settings, and connected integrations (like Stripe account IDs). This data is necessary to operate the service.

Content you create

Blog posts, social media drafts, email copy, images, and campaign configurations you create in IndieBob. This is your content — we store it to provide the service.

Usage data

We log which features you use and basic request metadata (timestamps, page views within the dashboard) to improve the service and diagnose issues. We don't track your activity on other websites.

2. Data the SDK collects (your visitors)

When you install @indiebob/tracker in your application, it collects the following data from your visitors:

Collected automatically

  • Page views — URL path, page title, referrer
  • UTM parameters — source, medium, campaign, term, content (from URL query strings)
  • Device dimensions — screen width and height (for device type classification)
  • Locale and timezone — from the browser's language and timezone settings
  • Anonymous ID — a randomly generated identifier stored in the visitor's localStorage (not a cookie)
  • Session ID — stored in sessionStorage, rotates after 30 minutes of inactivity
  • Country — determined server-side from IP geolocation headers. The IP address itself is not stored.

Collected when the developer calls specific methods

  • Custom events — event name and properties (defined by the developer)
  • User identity — user ID and traits passed via identify()
  • Revenue events — amount, currency, plan name, transaction type

What the SDK does NOT collect

  • No cookies (the SDK uses localStorage and sessionStorage)
  • No browser fingerprinting
  • No DOM scraping or session recording
  • No cross-site tracking (data is scoped to a single project)
  • No personal data unless explicitly passed by the developer
  • No third-party pixels or advertising trackers

3. How we use the data

  • Analytics dashboards — display traffic, sources, pages, devices, and geographic data
  • Attribution — connect traffic sources to signups and conversions
  • Health scoring — calculate project health based on growth, engagement, and retention metrics
  • Content performance — measure which blog posts and campaigns drive results
  • AI insights — Bob (our AI advisor) analyzes aggregated metrics to generate recommendations. No raw personal data is sent to AI providers.
  • Email delivery — send emails you compose to your subscriber lists
  • Service improvement — fix bugs, improve features, understand usage patterns

We do not sell data. We do not share data with advertisers. We do not use your data to build profiles for any purpose outside of operating IndieBob for you.

4. Third-party services

IndieBob uses the following third-party services to operate:

Google (authentication)

Used for sign-in only. We receive your name, email, and profile picture. We do not access your contacts, calendar, drive, or any other Google data.

Stripe (payment processing)

Handles all payment processing. We never see or store your credit card numbers. Stripe is PCI-DSS Level 1 certified. When you connect your own Stripe account for revenue tracking, we receive webhook events (invoice amounts, subscription status) but not your customers' card details.

Resend (email delivery)

Delivers emails you send through IndieBob (broadcasts, sequences, transactional). Subscriber email addresses and email content are transmitted to Resend for delivery.

DigitalOcean (infrastructure)

Hosts the application, database, and file storage. All data is stored in the US (NYC region) on DigitalOcean's infrastructure with encryption at rest.

Cloudflare (CDN and network)

Provides content delivery, DDoS protection, and IP geolocation. Cloudflare processes HTTP requests in transit and provides the country-level geolocation header we use for visitor analytics. We do not use Cloudflare's analytics or tracking features.

Anthropic (AI, optional)

Powers some AI features (growth insights, strategic analysis). Only aggregated project metrics are sent — never raw visitor data, email addresses, or personal information. AI queries are not stored by Anthropic after processing.

5. Data storage and security

Your data is stored in a PostgreSQL database hosted on DigitalOcean Managed Databases in the US (NYC region). The database uses encrypted connections and automated daily backups, and is accessible only from our application servers (no public internet access).

Generated images and file assets are stored on DigitalOcean Spaces (S3-compatible object storage) with CDN delivery.

Sessions are managed with encrypted, httpOnly, secure cookies. We don't store session tokens in the database — they're sealed into the cookie itself.

6. Data roles

Under data protection regulations (GDPR, CCPA, etc.):

  • For your IndieBob account data — IndieBob is the data controller. We decide what data to collect and how to use it.
  • For visitor data collected via the SDK — you (the developer) are the data controller. IndieBob is the data processor, acting on your instructions. You decide what to track and are responsible for compliance with applicable laws.

If you need a formal Data Processing Agreement (DPA) for compliance purposes, contact us at [email protected].

7. Your rights

You have the right to:

  • Access — request a copy of the data we hold about you
  • Correct — update inaccurate information in your account
  • Delete — request deletion of your account and associated data
  • Export — download your analytics data, content, and subscriber lists
  • Object — object to specific processing activities
  • Restrict — request that we limit how we process your data

To exercise any of these rights, email [email protected]. We'll respond within 30 days.

8. SDK opt-out and privacy signals

The IndieBob SDK respects the following privacy signals:

  • Programmatic opt-out — calling bob.optOut() immediately stops all data collection and clears stored identifiers
  • Do Not Track (DNT) — the SDK checks the browser's DNT header setting
  • Global Privacy Control (GPC) — the SDK respects the GPC signal, which is legally binding under CCPA

When a visitor opts out, the SDK stops sending events, clears the anonymous ID, session ID, and any stored UTM data from browser storage.

9. Data retention

Data type | Retention
Account information | Until you delete your account
SDK events (Free plan) | 90 days
SDK events (Paid plans) | 1 year
Aggregated metrics snapshots | Indefinite (non-personal, statistical data)
Content (blog posts, images) | Until you delete them
Email subscriber data | Until you delete subscribers or your account
Data after account deletion | Purged within 30 days

10. Cookies

The IndieBob website uses a session cookie to keep you logged in. This is a functional cookie required for authentication — it contains an encrypted session token and no tracking data.

The SDK (@indiebob/tracker) does not use cookies. It uses localStorage for the anonymous visitor ID and sessionStorage for the session ID. These are not cookies and are not sent to our servers with every request — they're only read by the SDK's JavaScript code.

11. Children

IndieBob is not designed for, marketed to, or intended for use by anyone under 16 years of age. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we'll delete it.

12. International data transfers

IndieBob's servers are located in the United States. If you use IndieBob from outside the US, your data will be transferred to and processed in the US. We rely on the adequacy of our third-party providers' data protection practices and, where applicable, Standard Contractual Clauses for international transfers.

13. Changes to this policy

We may update this privacy policy from time to time. When we make significant changes, we'll notify you by email and update the "last updated" date at the top of this page. We encourage you to review this policy periodically.

14. Contact

Questions about this privacy policy or how we handle your data? Email us at [email protected].

If you're in the EU and believe we haven't adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.