Privacy Policy

Last updated: May 28, 2026

Who operates indieco

indieco is operated by Oron Mozes. References to "we," "us," and "our" in this policy refer to that operator. For questions about this policy or your data, see the contact page.

Scope

This policy describes how indieco (operated at indieco.dev) collects, uses, and protects your information when you use the platform. It applies to the website, the API, and any related services we run.

What we collect

When you sign in with Google

  • Your name and email address.
  • Your Google profile picture URL (we don't store the image itself).
  • A unique Google account ID so we can recognize you on future sign-ins.

We use Google's OAuth flow; your Google password is never seen or stored by indieco. Google's own privacy policy governs the data Google holds on their side.

When you set up your profile

  • A username (you choose; permanent once set).
  • A bio.
  • Skills, domains, and goals (tag selections used for matching).
  • Optional social links (X, GitHub, LinkedIn URLs you choose to share publicly).
  • Optional past projects (title, URL, description).

Everything in this section is publicly visible on your profile at /u/<your-username>. Do not add information to your profile that you do not want to be public.

When you create or join a venture

  • Venture title, pitch, description, and stage.
  • Skills the venture needs and domains it sits in.
  • External links you add (repo, deployed site, chat, docs).
  • Your membership status (founder, owner, member, invited, requested, declined, left, removed).
  • Ownership transitions, retained as audit history.

When you connect LinkedIn (optional)

We connect LinkedIn only after you authorize the connection through LinkedIn's OAuth flow. If you choose to use the "Share on LinkedIn" feature, we store:

  • Your LinkedIn access and refresh tokens, encrypted at rest using strong industry-standard encryption.
  • Your LinkedIn account identifier and the token's expiration timestamp.

We use these tokens only when you explicitly click "Post to LinkedIn." We never post on your behalf without an explicit click. You can revoke our LinkedIn access at any time from your /me page; when you do, the stored tokens are removed from our database.

Automatically, while using the site

  • Your IP address (used for rate limiting and abuse prevention).
  • Browser type and request paths, retained in short-lived server logs.
  • Anonymous usage analytics (page views and click events), subject to our analytics provider's privacy policy.

How we use it

  • To provide the service — display profiles, surface ventures, manage memberships.
  • To facilitate matching — connect people based on skills, domains, and stated goals.
  • For security — rate-limit abuse, detect anomalies, prevent spam.
  • To send transactional emails (account-related only; we don't send marketing).
  • To improve the platform via anonymous usage analytics.

We don't sell your data. We don't share it with advertisers. We don't monetize your information.

Legal bases for processing (EU/UK users)

If you're in the European Economic Area or the United Kingdom, GDPR requires us to identify a lawful basis for each way we process your personal data. Our bases are:

  • Account, profile, login, and venture data — performance of a contract (delivering the service you signed up for).
  • Security, rate limiting, and abuse prevention — legitimate interests in operating a safe platform.
  • Transactional emails — performance of a contract / legitimate interests.
  • Non-essential analytics cookies — consent.
  • LinkedIn posting integration — consent.

Where your data lives

Your data is held with reputable third-party service providers acting as our subprocessors. At a high level, these are:

  • Cloudflare — hosting, database, session storage, edge caching, and DDoS protection.
  • Google — sign-in (Google OAuth) and anonymous usage analytics.
  • LinkedIn — only after you connect your LinkedIn account, for posting on your behalf.

We don't publish the specific products or internal architecture for security reasons. If you have a regulatory requirement to know more, reach out via the contact page.

International transfers

Our subprocessors operate globally, so your information may be processed in countries outside your own. Where required by law, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms.

Cookies and similar technologies

We set the following cookies:

  • Session cookie — essential for keeping you signed in. Set with strict security attributes; expires after 30 days of inactivity. Without it you can't be signed in.
  • Analytics cookies — set by our analytics provider for anonymous usage statistics. These are non-essential.

Where required, we ask for consent before using non-essential analytics cookies. You can change or withdraw your consent at any time through your browser's cookie settings or by using browser-level controls or extensions that block analytics scripts.

We don't use third-party advertising cookies.

Your rights

  • Access — view your profile data at /me.
  • Update — edit your profile via /onboarding.
  • Delete your account — use the delete option on your /me page. If you currently own any active ventures, you'll be asked to transfer ownership first so the venture isn't orphaned.
  • Disconnect LinkedIn — revoke our LinkedIn access from /me. The stored tokens are removed when you do.
  • Export your data — contact us via the contact page and we'll send you a copy of the data we hold for your account.

EU/UK (GDPR)

If you're in the EU or UK, you also have the right to data portability and the right to lodge a complaint with your local data protection authority. You may also object to processing based on legitimate interests, and withdraw consent (where consent is the legal basis) at any time. Contact us through the contact page to exercise these rights.

California (CCPA/CPRA)

If the CCPA or CPRA applies to us and you are a California resident, you may have rights including the right to know what personal information is collected, the right to delete, the right to correct, the right to opt out of any "sale" or "sharing" of personal information (we don't sell or share for cross-context behavioral advertising), the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising any of these rights.

Data retention

  • Active accounts — we retain your data as long as your account exists.
  • Deleted accounts — we delete your account data from our active database immediately, except for limited records we may need to keep for security, legal, abuse-prevention, or backup purposes. Backups and provider logs may take longer to expire.
  • Server logs — short-lived (on the order of weeks).
  • Analytics — per our analytics provider's retention policies.

Security

We use reasonable technical and organizational measures to protect your information, including TLS in transit, encryption at rest for sensitive tokens, restricted access to production systems, and routine review of dependencies. No system is perfectly secure; if you become aware of a security issue, please report it to us via the contact page.

Children's privacy

indieco is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, contact us through the contact page and we will delete it.

Changes to this policy

If we make material changes to what we collect or how we use it, we'll update the "Last updated" date at the top of this page and, where appropriate, surface a notice on the site for signed-in users. The current version is always available at this URL.

Contact

For questions about your data, this policy, or to exercise any of the rights above, reach us through the contact page.