How we collect, use, share, and protect your personal data
Last Updated: November 29, 2025
This Privacy Policy explains how Digitala Idéfabriken Malmö AB ("IndieSearch.ai," "we," "us," or "our") collects, uses, shares, and protects personal data when you use our AI-powered SaaS validation platform.
Data Controller: Digitala Idéfabriken Malmö AB Malmö, Sweden
Privacy Contact: hello@indiesearch.ai
We collect the following categories of personal data:
Account Information •Name, email address, password (hashed), company name •Collected directly from you at registration
Payment Information •Transaction records, billing details •Collected via Lemon Squeezy (we receive only confirmation of payment, not full payment credentials)
Service Usage Data •Validation queries, landing page content, survey responses, A/B test data •Collected directly from your use of the Service
Technical Data •IP address, device type, browser information, access logs •Collected automatically
AI Interaction Data •Prompts, queries, and context submitted to AI features •Collected directly from you when using AI features
Analytics Data •Usage patterns, feature engagement, session information •Collected via Mixpanel and similar analytics tools
Landing Page Visitor Data •Email addresses, names, IP addresses, responses collected by your landing pages •Collected from third parties (your landing page visitors)—you are the controller for this data
We process your personal data for the following purposes and legal bases under GDPR Article 6:
Providing and operating the Service Legal Basis: Contract performance (Art. 6(1)(b))
Processing payments Legal Basis: Contract performance + Legal obligation (Art. 6(1)(b), (c))
Customer support Legal Basis: Contract performance (Art. 6(1)(b))
AI-powered validation and insights Legal Basis: Contract performance (Art. 6(1)(b))
Service analytics and improvement Legal Basis: Legitimate interests (Art. 6(1)(f))
Security and fraud prevention Legal Basis: Legitimate interests (Art. 6(1)(f))
Legal compliance and record-keeping Legal Basis: Legal obligation (Art. 6(1)(c))
Marketing communications (with consent) Legal Basis: Consent (Art. 6(1)(a))
Legitimate Interests: Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights. You may object to processing based on legitimate interests by contacting us.
IndieSearch.ai uses artificial intelligence, including Anthropic's Claude, to power our validation features. When you use AI features:
Data Transmitted to AI Providers: •Your validation queries and prompts •Business idea descriptions and context you provide •We anonymize data where feasible before transmission
Data NOT Transmitted: •Your name or email address •Payment information •Landing page visitor personal data
AI Provider Practices (Anthropic): •API data is not used for model training •Data retention: Up to 7 days for abuse monitoring •Anthropic acts as our data processor under a Data Processing Agreement •Standard Contractual Clauses govern EU-US data transfers
Future AI Providers: We may integrate additional AI providers. This policy will be updated to reflect any material changes to AI data processing.
We share personal data with the following categories of recipients:
Anthropic (AI Provider) Purpose: AI-powered features Safeguards: DPA, SCCs, anonymization
Lemon Squeezy (Merchant of Record) Purpose: Payment processing Safeguards: DPA, PCI-DSS compliance
Mixpanel (Analytics) Purpose: Service analytics Safeguards: DPA, EU Data Residency available
Cloud Infrastructure Providers Purpose: Data hosting Safeguards: DPA, SCCs where applicable
Professional Advisors Purpose: Legal, tax, audit services Safeguards: Confidentiality obligations
Law Enforcement Purpose: Where legally required Safeguards: Only pursuant to valid legal process
We do not sell your personal data. We do not share personal data for third-party advertising.
As a Swedish company, your data is primarily processed within the EU/EEA. However, some processors (including Anthropic) are based in the United States.
Transfer Mechanisms:
•EU-US Data Privacy Framework: Where recipients are DPF-certified •Standard Contractual Clauses (SCCs): EU Commission-approved clauses for non-DPF recipients •Transfer Impact Assessments: Conducted for transfers to jurisdictions without adequacy decisions
You may request information about specific safeguards for international transfers by contacting hello@indiesearch.ai.
When you create landing pages collecting visitor data, you are the data controller and we act as your data processor.
Your Responsibilities: •Provide a GDPR-compliant privacy policy on your landing pages •Obtain valid consent for data collection •Implement cookie consent where required •Respond to data subject rights requests from your visitors •Ensure lawful purposes for collection
Our Responsibilities (as Processor): •Process visitor data only on your documented instructions •Maintain appropriate security measures •Assist with data subject requests •Delete or return data on termination
Data Processing Agreement: Our DPA governs our processor relationship and complies with GDPR Article 28 requirements.
Account Information Retention: Duration of account + 30 days Criteria: Service provision
Transaction Records Retention: 7 years Criteria: Swedish tax/legal requirements
Service Usage Data Retention: 2 years from collection Criteria: Service improvement
AI Interaction Data Retention: 1 year Criteria: Service provision + improvement
Analytics Data Retention: 2 years Criteria: Trend analysis
Landing Page Visitor Data Retention: Until you delete or account closure + 30 days Criteria: Your instructions
Support Communications Retention: 3 years Criteria: Quality assurance
After retention periods expire, data is securely deleted or anonymized.
You have the following rights regarding your personal data:
Access: Request a copy of your personal data
Rectification: Correct inaccurate or incomplete data
Erasure: Request deletion ("right to be forgotten")
Restriction: Limit how we process your data
Portability: Receive your data in machine-readable format
Object: Object to processing based on legitimate interests
Withdraw Consent: Withdraw consent at any time (without affecting prior lawful processing)
Automated Decision-Making: Not be subject to solely automated decisions with legal effects (we do not make such decisions)
How to Exercise Rights: Submit requests to hello@indiesearch.ai. We respond within 30 days, with possible extension to 60 days for complex requests (with notification).
Verification: We may request identity verification for security.
Right to Complain: You may lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se or your local supervisory authority.
We implement technical and organizational measures to protect personal data:
•Encryption in transit (TLS 1.2+) and at rest •Access controls and authentication requirements •Regular security assessments •Employee training and confidentiality obligations •Incident response procedures
No system is 100% secure. We will notify you and relevant authorities of data breaches as required by GDPR Article 33/34.
IndieSearch.ai is not intended for individuals under 18. We do not knowingly collect personal data from children. If we learn we have collected data from a child, we will delete it promptly.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA/CPRA):
•Right to know what personal information is collected and disclosed •Right to delete personal information •Right to opt-out of sales (we do not sell personal information) •Right to non-discrimination for exercising rights
Contact hello@indiesearch.ai to exercise California rights.
We may update this Privacy Policy periodically. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. The "Last Updated" date reflects the current version.
Contact: hello@indiesearch.ai
Postal Address: Digitala Idéfabriken Malmö AB Malmö, Sweden