Data Processing
Last updated: March 12, 2026
How Data Is Processed in the Independo Ecosystem
At Independo, we design our products to support people, not to intrude on them.
This page gives a practical overview of how data is processed across the Independo ecosystem, including Independo Calendar, Independo Journal, and the Independo Documentation Portal. It is meant to complement our Privacy Policy, Terms and Conditions and Terms and Conditions for business customers by explaining, in plain language, how data is handled in everyday use.
Our goal is to be transparent about what happens to user data, why certain processing is necessary, and what we do to limit access, reduce unnecessary exposure, and support privacy-conscious use.
What the Independo ecosystem includes
The Independo ecosystem includes different products that can be used on their own or together.
Depending on the context, users may use one product only, or combine several products in a shared setup. In some cases, a product is used privately by an individual. In other cases, it is used together with a family, support network, or organization. The exact product experience may evolve over time, but the general data-handling principles described on this page are intended to remain stable.
The kinds of data we may process
Depending on the product, account setup, and how the software is used, we may process:
- account and login information
- profile and organization-related information
- calendar and planning data
- journal or diary-style entries
- documentation and support-related records
- uploaded files, images, audio, and other attachments
- technical and operational logs
- analytics and product usage information
- payment and subscription-related information
- email and communication-related information
Some customer content may be particularly sensitive in nature, depending on how our products are used. For that reason, we aim to design access control, data separation, and operational safeguards with care.
How data is processed in practice
Data users enter directly
A large part of the data in the Independo ecosystem is provided directly by users or organizations using our products. This can include content entered into calendars, notes, journals, structured records, uploaded files, account settings, and other product data.
We think it is important to distinguish between the content people create in Independo and the technical data needed to sign in securely.
The content users create in Independo - such as calendar entries, journal entries, documentation content, images, audio, attachments, and similar product content - is processed in our core application environment in Europe. We try to keep data collection tied to actual product use and do not aim to collect more information than is needed to provide, secure, improve, and support the service.
Data shared across products and contexts
Where products are used together, data may move between different parts of the Independo ecosystem so the products can work as one coherent service. For example when you change the preferred color of a day in the Independo Calendar, this information is also used by the Independo Journal to show the same color for that day. This only happens when you are logged in with the same user account in the Independo Journal.
This does not mean that everything is automatically visible everywhere. Data visibility depends on the product context, the role of the user, the organization or tenant context, and the specific sharing or access model in place.
Data shared with organizations
Some parts of the Independo ecosystem are designed to support collaboration between individuals and organizations.
Where this is the case, access is intended to be contextual and role-based. In practice, this means that a user being signed in is not enough by itself to grant access to all data. Access may depend on the user’s role, organization, group context, and their relationship to a specific record.
Data used to operate the service
Like most modern software platforms, we also process technical data that is needed to run the service safely and reliably. This can include authentication data, security logs, error reports, operational telemetry, synchronization data, email delivery data, and payment-related processing where relevant.
This technical processing is separate from the core content users create in Independo. In particular, we use specialized providers for technical functions such as authentication, synchronization, monitoring, communication, and payments. Where payments or subscriptions are involved, we do not store full payment information such as credit card numbers ourselves. Instead, payment data is processed by specialized payment providers that are designed to handle billing and payment workflows securely. Also see below for more details.
Some parts of the service are also designed to work in low-connectivity environments. In those cases, certain data may be stored locally on a device and synchronized later.
How access is controlled
We do not treat all signed-in users the same.
Our systems are designed to use layered access controls. This includes authentication, role-based access control, policy-based backend authorization, and record-level visibility checks where needed. Data is also logically separated by user, organization, and in some contexts by group.
This means access is intended to be limited to the people and contexts that actually need it. These controls are not only visual restrictions in the interface. They are also enforced in backend logic and by the database itself.
Where data is hosted
Our core application infrastructure is hosted in Europe. For the main application environment, we use Exoscale infrastructure in Frankfurt, Germany (DE-FRA-1). This is the main environment in which the core content created in Independo - such as calendar content, journal content, documentation content, images, audio, and attachments - is processed as part of the normal operation of our products.
Exoscale identifies DE-FRA-1 as a Frankfurt region and lists Equinix as the data center operator for that region. Exoscale also publishes compliance materials including ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type 2, and BSI C5 Type 2 documentation for its platform. All the details about Exoscale’s compliance and certifications can be found on their website.
At the same time, not every supporting service we use is EU-only. We therefore think it is important to clearly distinguish between:
- core product content, which is processed in our European core environment, and
- technical sign-in, communication, analytics, or payment-related processing, which may in some cases involve specialized subprocessors in other regions.
The most important example of this distinction is authentication. We use Firebase Authentication for secure sign-in. Google - who operates this service - states that Firebase Authentication is operated only from US data centers. This means that login-related identity and authentication data may be processed in the United States as part of the sign-in process. This is separate from the core content users create inside Independo.
Security and privacy measures
We aim to protect data through a combination of product design, infrastructure choices, and operational controls.
This includes, among other things:
- encrypted transport in production using HTTPS/TLS
- encrypted storage at rest for core data, including databases and files, using industry standards like LUKS and AES-256
- authenticated access to protected backend resources
- role- and context-based access restrictions
- logical separation between tenants and organizational contexts
- controlled file and media access rather than universal public exposure
- logging and monitoring for security, reliability, and troubleshooting
- offline-capable behavior where needed, including local device storage for certain data
- auditability and traceability features in areas where reliable documentation matters
We also rely on infrastructure and service providers that publish security, privacy, and compliance information relevant to their part of the stack. For example, Exoscale publishes compliance and C5 materials for its cloud platform, Firebase publishes security and privacy documentation for its services, Mailchimp publishes security and server location information, and several other providers publish trust-center or privacy resources as well.
Analytics, diagnostics, and product improvement
We use technical telemetry, diagnostics, and product analytics to help us understand reliability, usage patterns, app versions, and overall product performance.
We use this kind of data for legitimate operational and product-improvement purposes, not for invasive profiling. In the current implementation, analytics is opt-out across our products, and users can disable this type of tracking in product settings. We distinguish between optional analytics and strictly necessary technical processing that is required to operate, secure, and troubleshoot the service.
Payments and subscriptions
Where payments or subscriptions are involved, relevant payment-related data is processed through specialized providers. This can include payment confirmation, subscription status, billing events, or in-app purchase validation, depending on the channel through which a product is purchased.
We do not use our own systems to replace the role of payment providers. Instead, payment-specific data is processed through payment and purchase infrastructure designed for that purpose, including Stripe and Iaptic. Stripe explains that it processes transaction and payment-related personal data as part of providing payment services to business users, and Iaptic explains that it processes purchase entitlement and receipt-validation data for in-app purchase workflows.
Emails and communication
We may use email and communication providers to send service-related emails, account messages, and other operational communications.
This is separate from core product data, but still part of how the overall ecosystem functions. Where email providers are used, they may process recipient information and related delivery metadata to help us send messages reliably.
International data transfers
We aim to keep our core hosting and core application infrastructure in Europe wherever possible.
At the same time, some technical services we rely on may involve processing outside the EEA. The most important distinction here is between core product content and sign-in-related identity and authentication data.
The content users create in Independo - such as calendar entries, journal entries, documentation content, images, audio, attachments, and similar product content - is processed in our core European environment.
For secure login, we use Firebase Authentication. Google states that Firebase Authentication is operated only from US data centers. This means that login-related data used in the sign-in process, such as authentication credentials, account identifiers, user agent information, IP addresses, and authentication tokens, may be processed in the United States. This is separate from the core content users create inside Independo.
Some other subprocessors and platform providers we rely on may also process personal data outside the EEA, including in the United States. This is particularly relevant for services such as Mailchimp, which states that its owned and operated servers are located in the United States. Google and Mailchimp also publish additional information on their privacy and international transfer safeguards, including GDPR-related materials and transfer mechanisms such as the Firebase privacy and security documentation, Mailchimp Data Processing Addendum, and Mailchimp European data transfers information.
Where such international processing takes place, we work to ensure that it is covered by appropriate contractual and legal safeguards provided by the relevant providers. This means we take international transfers into account in our vendor selection, privacy documentation, and internal review processes, and we rely on the transfer mechanisms and data protection commitments made available by those providers to support GDPR-compliant processing.
Subprocessors and key service providers
Below is a high-level summary of important subprocessors and service providers used in the Independo ecosystem.
| Processor (Legal entity) | Why we use it | Reported certifications / assurance info | Main processing location(s) |
|---|---|---|---|
| Exoscale (Akenes SA) | Core cloud infrastructure, including compute, Kubernetes, managed database, and object storage services for our main application environment | Exoscale publishes ISO/IEC 27001 and states that documentation is available for ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type 2, and BSI C5 Type 2 | Frankfurt, Germany (DE-FRA-1) for our core setup |
| PowerSync (Journey Mobile, Inc.) | Synchronization between client apps and backend data, including offline-capable sync workflows | PowerSync publishes security documentation, TLS encryption details, HIPAA-related material, and AWS Private Endpoint guidance; we are not listing a separate public certification here unless independently confirmed | EU-hosted instance in AWS eu-west-1 for our setup |
| Firebase Authentication (Google LLC) | User authentication and login flows; this service processes sign-in-related identity and authentication data rather than core user-created product content | Google publishes Firebase security and privacy documentation and certification information for Firebase services | United States |
| Firebase Analytics (Google LLC) | Product analytics and product-improvement insights | Google publishes Firebase security and privacy documentation; Google Analytics is described as a separate service that can be used with Firebase | Google global infrastructure |
| Firebase Crashlytics (Google LLC) | Crash reporting and reliability diagnostics | Google publishes Firebase security and privacy documentation and lists Crashlytics among Firebase services with published security information | Google global infrastructure |
| SigNoz (SigNoz Inc.) | Application performance monitoring and observability | SigNoz publishes a trust center and states SOC 2 Type II compliance | EU SigNoz Cloud instance for our setup |
| ImageKit (ImageKit Private Limited / ImageKit Inc.) | Media handling, optimization, transformation, and delivery | ImageKit states ISO 27001 compliance, SOC 2 Type II compliance, and DPF certification | Multi-region processing across AWS regions |
| Mailchimp (The Rocket Science Group LLC d/b/a Mailchimp) | Sending emails and communication workflows | Mailchimp states that it has SOC 2 reports and ISO 27001 certifications; it also publishes GDPR/DPF/SCC information | United States |
| Stripe (Stripe, Inc. and affiliated Stripe entities depending on region and service configuration) | Payment processing and billing-related workflows | Stripe publishes privacy, DPA, Privacy Center, and DPF materials; we are not listing a separate certification here unless independently confirmed for the exact service entity | Varies by Stripe service and regional setup |
| Iaptic (Iaptic SAS) | In-app purchase validation and subscription entitlement processing | No separate public certification is listed here from the source reviewed; Iaptic publishes GDPR-related information and EU data-location information | European Union, with servers in Germany and Finland according to the reviewed source |
Notes on the table
- The exact contracting entity may vary in some cases depending on service configuration, region, or product setup.
- Certifications and assurance information above are based on provider-published materials and should be treated as a high-level summary rather than a substitute for each provider’s trust documentation.
- Processing locations can vary by feature, region choice, or provider architecture.
- The Firebase Authentication row refers to sign-in-related identity and authentication processing. It does not mean that the core content users create in Independo is stored or processed there as part of the normal operation of our products.
How this page relates to our Privacy Policy
This page is meant to explain our general data-handling approach in a more practical and readable way.
It does not replace our Privacy Policy, Terms and Conditions, or any customer-specific contractual documents. Those remain the relevant legal documents where applicable.
Questions
If you have questions about how data is handled in the Independo ecosystem, please contact us using the contact details provided in our Privacy Policy.
