Home

Privacy Policy

Last updated: May 12, 2026

This Privacy Policy describes how Indigo Milestones (“Indigo Milestones,” “we,” “our,” or “us”) collects, uses, and shares information about you when you use our service at indigo-milestones.com and any related applications (collectively, the “Service”). By using the Service, you agree to the practices described here.

Indigo Milestones is an indie project. We collect the minimum information needed to provide the Service, we don’t sell your data, and we don’t train AI models on your content.

Information We Collect

Account information. When you sign in with Google, GitHub, or a magic link, we receive your name, email address, and profile picture from the provider. We don’t request access to anything beyond what’s needed to identify your account.

Content you create. Paths, milestones, steps, dependencies, comments, attachments, and any other content you create in the Service. This is stored so we can show it back to you across sessions and devices.

Public content. Paths and profile pages you explicitly mark as public are visible to anyone with the link.

Usage information. Standard server logs (IP address, user agent, timestamp, requested URL) are processed by our hosting provider to operate the Service and protect against abuse. These logs are retained for a limited period.

Cookies. We use a small number of cookies for authentication (session tokens) and user preferences (theme, settings). We don’t use third-party advertising or tracking cookies.

How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Authenticate you and protect your account
  • Communicate with you about account, security, and service updates
  • Comply with legal obligations
  • Detect, investigate, and prevent fraud or abuse

We do not use your content to train AI models.

Legal Bases for Processing (EEA & UK)

If you are in the European Economic Area or the United Kingdom, we process personal data under one or more of the following legal bases:

  • Performance of a contract — to provide the Service you’ve signed up for
  • Legitimate interests — to operate, secure, and improve the Service
  • Consent — where required (e.g., optional features)
  • Legal obligation — when required by applicable law

How We Share Information

We share information only as needed to operate the Service:

  • Hosting and infrastructure. Cloudflare (Workers, D1, R2) hosts the Service and stores its data on our behalf, under its own privacy commitments.
  • Authentication providers. Google and GitHub OAuth handle sign-in. If you use magic-link sign-in, an email delivery provider may transmit the link to you.
  • Payment processing. When paid subscriptions become available, payments will be processed by a third-party provider (e.g., Stripe). We don’t store credit card details ourselves.
  • Legal compliance. We may disclose information when required by law, court order, or to protect rights, property, or safety.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

Data Retention

We keep your account data for as long as your account exists. If you delete your account, we delete your personal data within 30 days, except where retention is required for legal, accounting, or security purposes. Server logs are typically retained for 30 to 90 days.

Your Rights and Choices

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your account and associated data
  • Export a portable copy of your data
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with a data-protection authority

To exercise any of these rights, contact us at the address below. We’ll respond within the timeframes required by applicable law.

Security

We protect your data using industry-standard technical and organizational measures, including encryption in transit (HTTPS/TLS) and at rest. No system is perfectly secure; if you believe your account has been compromised, please contact us immediately.

International Transfers

The Service is operated using infrastructure that may process data in multiple countries. If you access the Service from outside the country where our hosting provider’s servers are located, your data may be transferred internationally and processed in those other countries. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for international transfers.

Children’s Privacy

The Service is not directed to children under 13 (or under 16 in the EEA and UK). We don’t knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

Third-Party Links

The Service may link to third-party websites or services. We’re not responsible for their privacy practices. Please review their policies before sharing information with them.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we’ll revise the “Last updated” date at the top. For material changes, we’ll notify you by email or through an in-app notice before the change takes effect.

Contact Us

For privacy questions or to exercise your rights, contact us at hello@indigo-milestones.com.