Our Core Data Principles
We operate on a minimal-data philosophy. Like optimizing draw calls for a mobile build, we only collect what’s strictly necessary for the system to function. Each piece of data has a defined purpose, an endpoint, and a lifecycle.
Intentionality
We collect your email only for account creation and updates. Your IP address is processed solely for security (fraud prevention) and is anonymized after 24 hours.
Transparency
If a third-party tool is integrated (e.g., an analytics service), its privacy policy is linked at the point of interaction. No hidden trackers.
User Control
You own your data. Every email includes a clear unsubscribe link. You can request a full data export or deletion at any time.
The Data Lifecycle
Input: Sign-up / Contact Form
Processing: Secure Database / Queue
Output: Service / Response / Deletion
What we don't do: We do not sell your data. We do not use your email for behavioral advertising networks. We do not create shadow profiles or track you across unrelated sites. Our server logs are purged of identifiable IP addresses weekly.
Third Parties: We use Google Workspace for email. Their data processing agreement applies. We use a cloud hosting provider (e.g., Hetzner) for server infrastructure. Their terms cover server-level data handling.
Decision Lens: When Does Data Become a Liability?
Optimizes For
- Reduced legal/compliance overhead (GDPR, CCPA)
- Lower storage and processing costs
- Clearer trust with professional developers
Sacrifices
- Deep behavioral analytics for feature refinement
- Ability to auto-personalize UI without user setup
- Rich marketing retargeting capabilities
Common Privacy Pitfalls in Indie Dev Tools
We’ve audited enough indie studio workflows to see patterns. These are the common failure modes when user data is treated as an afterthought, not a core system component.
1. The Over-Collection Trap
The Mistake: Asking for a phone number, company name, or birth date "just in case" for a simple plugin download.
How to Avoid: Be ruthlessly specific. Every form field must justify its existence with a concrete system need (e.g., "Phone number is optional for SMS updates on downtime").
2. The "Set and Forget" Log
The Mistake: Logging everything (mouse clicks, scroll depth, focus events) for "future analysis" without a retention policy.
How to Avoid: Implement a strict logging strategy. Anonymize user IDs, separate error logs from user interaction logs, and set automated purges (e.g., 30 days for non-critical logs).
3. The Third-Party Sprawl
The Mistake: Adding a new SaaS tool for each function (support chat, analytics, email marketing) without auditing their data agreements.
How to Avoid: Maintain a data flow map. For each tool, document: What data is shared? Where is it stored? What is their retention policy? Can we disable PII collection?
4. The Obfuscated Policy
The Mistake: Using a generic, 20-page template that contradicts your actual practices.
How to Avoid: Write from your system's code. If your API never touches a user's billing address, don't list it. Be honest about limitations and use plain language.
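The logging strategy from pitfall 2 (The "Set and Forget" Log), as an added illustration rather than code taken from this site's systems: it pseudonymizes user IDs with a keyed hash, separates error logs from interaction logs, truncates IPs older than 24 hours, and purges non-critical records after 30 days. The record fields, the /24 and /48 truncation widths, and treating error logs as exempt from the 30-day purge are assumptions.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # purge window for non-critical logs
IP_GRACE = timedelta(hours=24)  # raw IP kept this long for fraud checks

def pseudonymize(user_id: str, key: bytes) -> str:
    """Keyed hash: stable per user, not reversible without the key.
    The result is pseudonymous, not anonymous, so protect and rotate the key."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]

def truncate_ip(ip: str) -> str:
    """Zero the host part: /24 for IPv4, /48 for IPv6 (assumed granularity)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def scrub(records, now, key):
    """Return (error_log, interaction_log) after pseudonymizing and purging."""
    errors, interactions = [], []
    for rec in records:
        age = now - rec["ts"]
        if rec["kind"] != "error" and age > RETENTION:
            continue  # non-critical and past retention: drop the record
        out = dict(rec, user=pseudonymize(rec["user"], key))
        if age > IP_GRACE:
            out["ip"] = truncate_ip(rec["ip"])
        (errors if rec["kind"] == "error" else interactions).append(out)
    return errors, interactions

# Constructed sample records (documentation IP ranges), not real log data.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"ts": NOW - timedelta(hours=2), "kind": "interaction", "user": "u-1001",
     "ip": "203.0.113.57", "msg": "export clicked"},
    {"ts": NOW - timedelta(days=3), "kind": "error", "user": "u-1001",
     "ip": "203.0.113.57", "msg": "timeout"},
    {"ts": NOW - timedelta(days=45), "kind": "interaction", "user": "u-2002",
     "ip": "2001:db8:abcd:12::9", "msg": "scroll"},
    {"ts": NOW - timedelta(days=45), "kind": "error", "user": "u-2002",
     "ip": "2001:db8:abcd:12::9", "msg": "crash"},
]

if __name__ == "__main__":
    errs, inter = scrub(SAMPLE, NOW, key=b"demo-key-rotate-me")
    for rec in errs + inter:
        print(rec["kind"], rec["user"], rec["ip"], rec["msg"])
```

Run as a scheduled job, the same pass doubles as the automated purge: anything it does not return is not written back.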
Your Data Rights & How to Exercise Them
We believe in data sovereignty. If you are a user of our services and wish to access, correct, or delete the personal data we hold about you, you can make a request directly. We will respond within 30 days, as required by applicable law.
Request an Export
Receive a machine-readable copy (JSON or CSV) of all data associated with your account and communications.
Request Deletion
Permanently remove your account and associated personal data from our active systems (excluding required tax/accounting records).