Privacy Policy

Last updated: June 27, 2026

Michał Wiatr, operating as IndepAI ("IndepAI", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our financial planning platform at indepai.app (the "Service"). It is designed to cover GDPR, UK GDPR, ePrivacy cookie-consent rules, and U.S. state privacy laws where they apply.

1. Data We Collect

Account Information

When you create an account or join the waitlist, we collect your email address, display name, referral or campaign source, consent records, and authentication credentials (managed securely via Supabase Auth). If you sign in with Google, we receive your name, email address, and profile picture from Google. If you sign in with another third-party provider, we receive your name and email from that provider.

Financial Data

To provide FI Score calculations, portfolio tracking, geo-arbitrage comparisons, AI coaching, and tax or residency risk flags, you may voluntarily provide financial data such as income, expenses, savings, investments, portfolio holdings, import files or read-only broker connection metadata, dividend records, city preferences, citizenship or travel-planning inputs, and tax-related assumptions. We do not ask for full bank-card numbers and do not need trading permissions. This data is stored with encryption at rest and in transit, is never sold, and is shared only with processors needed to provide the Service.

Usage Data

We automatically collect usage data including pages visited, features used, device type, browser type, IP address, referral source, UTM attribution, security logs, and error diagnostics. Browser analytics tools such as PostHog and Umami are loaded through our consent-management stack where consent is required. Server-side events needed for security, purchase confirmation, account operations, or waitlist confirmation may be processed as service telemetry. We avoid sending raw email addresses, names, free-form financial notes, or portfolio secrets to analytics tools.

Cookies & Local Storage

We use essential cookies and local storage for authentication, session management, language preference, fraud prevention, and first-touch attribution. Analytics cookies and similar trackers are used for product improvement only where permitted by consent or applicable law. See our Cookie Policy for details.

2. Google API Data

Data Received from Google

When you sign in with Google, we receive the following data from your Google account via Google OAuth2: your profile name, email address, and profile picture URL. We request only the standard scopes (openid, email, profile) necessary to create and manage your account.

How We Use Google Data

The data received from Google is used exclusively to: create and identify your IndepAI account; display your name and profile picture within the Service; communicate with you at your email address. Google user data is not used for any other purpose.

No Selling or Sharing of Google Data

We do not sell, rent, or share your Google user data with any third parties for advertising, marketing, or any other purpose. Google user data is not used for AI or machine learning model training.

Storage of Google Data

Google user data is stored in our Supabase database hosted in the EU region, with encryption at rest and in transit.

Retention and Deletion of Google Data

Google user data is retained for as long as your IndepAI account is active. Upon account deletion, all Google user data is permanently deleted within 30 days.

Revoking Google Access

You can revoke IndepAI's access to your Google data at any time by: visiting your Google Account permissions page at https://myaccount.google.com/permissions and removing IndepAI; or by deleting your IndepAI account, which will remove all associated Google data within 30 days.

https://myaccount.google.com/permissions

3. How We Use Your Data

We use your data to: provide and maintain the Service; calculate your FI Score, portfolio metrics, city comparisons, and financial projections; generate AI coaching or planning outputs when you enable the relevant consent; process payments via Stripe; send transactional emails and opted-in marketing; handle support, referral, and account-security workflows; prevent abuse and fraud; improve the Service through privacy-limited analytics; comply with legal obligations; and respond to data-rights requests.

Legal Basis for Processing (GDPR Article 6)

We process your personal data only where we have a lawful basis under Article 6 GDPR: (a) Contract, to create and operate your account and provide the services you request (e.g. FI-Score, portfolio tracking); (b) Consent, for analytics, marketing communications, and optional AI features, which you may withdraw at any time; (c) Legitimate interests, to secure our service, prevent fraud, and improve features, balanced against your rights; and (d) Legal obligation, where retention or disclosure is required by law. Special categories of data are not knowingly processed.

4. Data Sharing

We do not sell your personal data. We do not sell, rent, or share your Google user data with third parties for advertising or marketing purposes. We share data only with service providers needed to run the Service, including Supabase for database hosting and authentication, Stripe for payment processing, OpenRouter or model providers for optional AI features, PostHog and Umami for analytics where enabled, Resend for email delivery, hosting and infrastructure providers, error-monitoring tools, and professional advisers where legally necessary. We require appropriate processor terms or data-processing agreements where applicable. AI providers receive only the data needed to answer the request, and optional AI tools that access financial or location data are controlled by consent settings.

AI Processing and Model Providers

AI Coach and related planning features are optional. We process your financial or location context with AI providers only when you enable the relevant AI consent or ask for an AI-powered feature that requires it. Before sending a request, we minimise the context to the fields needed for that answer, avoid sending raw account identifiers, broker secrets, portfolio import files, or free-form notes unless they are necessary for the user-requested response, and keep AI access controlled by your settings. Stored AI conversations remain exportable and deletable with your account data. Model-provider retention and training use are governed by their processor terms or DPA; we review those terms before relying on a provider for production AI processing.

5. Data Retention

We retain your account data for as long as your account is active. Financial, portfolio, trip-planning, import, and AI-coach data is retained until you delete it, close your account, or ask us to erase it, subject to legal exceptions. Waitlist and marketing-consent records are retained until you unsubscribe or ask for deletion, with minimal suppression records kept where needed to honor opt-outs. Usage analytics are generally retained for up to 24 months. Security logs and audit records are retained only as long as needed for security, fraud prevention, legal compliance, or dispute handling. After account deletion, we remove or anonymize personal data within 30 days except where retention is required by law.

6. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR) and UK GDPR where applicable, you have the right to: access your personal data; rectify inaccurate data; erase your data ("right to be forgotten"); restrict processing; receive a portable export; object to processing based on legitimate interests; withdraw consent at any time; and complain to a supervisory authority. You can export account data from product settings where available. To exercise any right or request help with deletion, contact privacy@indepai.app. We aim to respond within one month unless the law allows an extension.

U.S. State Privacy Rights (California and Others)

If you are a resident of California or another U.S. state with comprehensive privacy legislation (such as Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or Delaware), you may have rights to know what personal information we collect, access it, correct it, delete it, receive a portable copy, opt out of sale or sharing, opt out of targeted advertising, and appeal a rights decision. IndepAI does not sell your personal information and does not share it for cross-context behavioral advertising. We do not knowingly process the personal information of consumers under 16 years of age without authorization. To exercise any of these rights, or to appeal a decision, contact us at privacy@indepai.app. We will not discriminate against you for exercising your privacy rights.

7. Security

We implement security measures appropriate to financial-planning data, including encryption in transit, encryption at rest by infrastructure providers, Row Level Security (RLS) and access controls, secure authentication via Supabase Auth, least-privilege service roles, rate limiting, audit logging for sensitive operations, and separation of server-only secrets from public client code. No system is perfectly secure, but we design the Service to reduce unauthorized access and accidental disclosure.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to you, we will also inform you directly without undue delay, as required by Article 34 GDPR. You can report a suspected security issue or data breach to us at security@indepai.app.

8. International Transfers

Your product data is primarily stored in the EU where our configured infrastructure supports it. Some providers may process data outside the EEA, including payments, email delivery, AI model routing, support, logging, or security services. Where GDPR transfer rules apply, we rely on adequacy decisions, Standard Contractual Clauses, processor terms, or other recognized safeguards.

9. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.

10. Google API Services Limited Use Disclosure

IndepAI's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.

https://developers.google.com/terms/api-services-user-data-policy

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will update the effective date above and notify you of material changes by email, in-product notice, or another appropriate method. If a change requires new consent, we will ask for it before relying on that consent.

Data Controller & Privacy Contact

The data controller responsible for your personal data is Michał Wiatr, operating as IndepAI, Krakow, Poland. You can contact our privacy contact with any privacy questions or to exercise your rights at dpo@indepai.app. If you are in the EEA and believe we have not addressed your concerns, you have the right to lodge a complaint with your local supervisory authority.

12. Contact Us

For privacy-related inquiries, contact us at privacy@indepai.app or write to: Michał Wiatr, operating as IndepAI, Krakow, Poland.