Privacy Policy
Last updated: February 2026
Data We Collect
We collect the following information:
- Account information: your email address and display name when you create an account.
- Session cookie: a session identifier stored in your browser to keep you logged in. Anonymous visitors also receive a session cookie so that features like tool reactions work without an account.
- IP address: used for rate limiting and abuse prevention. We do not build profiles from IP addresses.
- Usage data: page views, search queries, outbound clicks to tool websites, and tool reactions ("I use this" / "Bookmarked"). This data is stored in our database and used to power activity feeds, search rankings, and aggregate statistics shown on the site.
- MCP server queries: when an AI agent searches our catalog via the MCP server, we log the search query and increment view counts. No personal data from the agent's user is collected.
How We Use Your Data
Your data is used to: provide and maintain your account, send transactional emails
(e.g. email verification, tool approval notifications), improve search results and tool
rankings, display aggregate activity on the site (e.g. "X searches this week"), and prevent
abuse or fraud.
Third-Party Services
We use the following third-party services:
- Fly.io — hosting. Your requests are processed on Fly.io infrastructure.
- Gmail SMTP — transactional emails are sent from our Gmail account.
- Stripe — if and when we introduce paid features, payments will be processed by Stripe. We do not currently collect or store any payment information.
We do not sell your personal data. We do not use any third-party analytics,
advertising, or tracking services.
Cookies
IndieStack uses a single session cookie (session_id) for authentication
and anonymous feature access (e.g. reactions). We do not use tracking cookies, advertising
cookies, or any third-party cookie-based analytics. No cookie consent banner is needed because
we only use strictly necessary cookies.
Data Retention
Account data is retained for as long as your account is active. If you delete your
account, your personal data will be removed within 30 days. Anonymised analytics data (page
views, search logs, aggregated usage statistics) may be retained indefinitely. Session data
for anonymous visitors is periodically cleaned up.
Your Rights (GDPR)
If you are in the UK or EU, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct any inaccurate data.
- Erasure — ask us to delete your personal data ("right to be forgotten").
- Portability — request your data in a machine-readable format.
- Object — object to processing of your data in certain circumstances.
Contact
For any privacy-related questions or to exercise your rights, contact us at
pajebay1@gmail.com.