Privacy Policy
Last updated: 18 February 2026
This Privacy Policy explains how Indicadora ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website at indicadora.com (the "Service"), including our Market Search and QC Assistant features.
1. Data Controller
Indicadora is the data controller for personal data processed through the Service. For enquiries, contact privacy@indicadora.com.
2. What Data We Collect
2.1 Data You Provide
- Email address — provided at registration for authentication.
- Password — hashed and salted (bcrypt via Supabase Auth); we never store plaintext passwords.
- Search queries — submitted via the Market Search and Discovery features.
- Uploaded images — photographs you upload to the QC Assistant for quality analysis. These may include trainer/sneaker product photos from multiple angles.
2.2 Data We Collect Automatically
- Usage data — searches performed, QC checks completed, credits used, plan type, timestamps, pages visited.
- Device & browser info — user agent string, screen resolution (via standard HTTP headers). We do not use fingerprinting.
- IP address — logged by our hosting providers (Vercel, Supabase) for security, abuse prevention, and rate limiting. We do not store IP addresses in our application database.
2.3 Data We Do NOT Collect
- Payment card details (handled entirely by Stripe).
- Precise GPS or geolocation data.
- Health, biometric, or genetic data.
- Social media account information.
- Contacts or other on-device data beyond images you explicitly upload.
3. How We Use Your Data
| Purpose | Lawful Basis (GDPR) |
|---|---|
| Account authentication | Contract performance |
| Delivering Market Search results & analytics | Contract performance |
| Processing QC Assistant image uploads and generating quality reports | Contract performance |
| Credit billing and quota management | Contract performance |
| Rate-limiting & abuse prevention | Legitimate interest |
| Improving search relevance & QC accuracy | Legitimate interest |
| Security monitoring & fraud prevention | Legitimate interest |
| Anonymised AI model training using QC data | Consent (opt-in via Terms) |
| Marketing emails (future) | Consent (opt-in) |
4. AI Processing & Image Data
4.1 How We Process Your Images
When you upload images to the QC Assistant, they are:
- Stored securely in encrypted cloud storage (Supabase Storage, backed by AWS S3 with AES-256 encryption at rest).
- Transmitted via encrypted connections (TLS 1.2+) to OpenAI's GPT-4o API for AI-powered visual analysis.
- Analysed to identify defects, quality issues, and produce annotated reports with severity scores.
- Accessible only to you through your authenticated account.
4.2 Third-Party AI Processing
Images are processed by OpenAI via their enterprise API under a zero-data-retention agreement. This means:
- OpenAI does not store your images beyond the duration of the API request.
- OpenAI does not use your images to train their own models.
- Processing is subject to OpenAI's Enterprise Privacy Policy.
4.3 AI Training & Model Improvement (Training Data)
We collect and use anonymised data from your QC analyses to improve our AI models. This is disclosed in our Terms and complies with GDPR, UK GDPR, and ePrivacy requirements. We do not use raw images for training, only de-identified metadata and patterns. Specifically:
- What we use: Defect patterns, quality scores, annotation coordinates, model-specific flaw frequencies — all stripped of personally identifiable information.
- What we do NOT use: Your raw images are not used for training. We do not share or sell images to any third party for training purposes.
- Withdrawing consent: You may withdraw consent for future training use by emailing privacy@indicadora.com. Data already incorporated into model weights in anonymised form cannot be individually extracted or removed.
5. Marketplace & Third-Party Data
For Market Search, we collect publicly available listing information from marketplace APIs, search interest data, and community discussion data. This data is factual, publicly accessible, and is used to generate aggregate market intelligence. We do not collect personal data of third-party sellers beyond what is publicly visible in their listings.
If you are a marketplace seller and wish to request removal of your listing data, please contact privacy@indicadora.com.
6. Who We Share Data With
We do not sell your personal data. We share data only with:
- Supabase (database, auth, file storage) — processes your account data, search queries, and uploaded images. Their Privacy Policy
- Vercel (hosting & CDN) — serves the website; may process IP addresses in server logs. Their Privacy Policy
- OpenAI (AI processing) — processes images and text for QC analysis and search intelligence via zero-data-retention API. Their Enterprise Privacy
- Stripe (payment processing) — processes payment transactions. Their Privacy Policy
We may also disclose data if required by law, court order, or to protect the rights, property, or safety of Indicadora, our users, or the public.
7. Data Retention
- Account data — retained while your account is active. Deleted within 30 days of account deletion.
- Search logs — retained for up to 12 months, then anonymised or deleted.
- QC uploaded images — retained for up to 90 days after analysis to allow report review, then automatically deleted.
- QC analysis results — quality reports and annotations retained for as long as your account is active. Deleted within 30 days of account deletion.
- Anonymised training data — aggregated, de-identified quality metrics (defect patterns, scores) may be retained indefinitely as they contain no personal data.
- Marketplace analytics — aggregated, non-personal analytics may be retained indefinitely.
8. Your Rights (GDPR / UK GDPR)
If you are in the EEA or UK, you have the right to:
- Access — request a copy of your personal data, including uploaded images and QC reports.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your personal data, images, and QC reports ("right to be forgotten").
- Restriction — limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interest.
- Withdraw consent — withdraw consent for AI training data use or marketing at any time.
To exercise any right, email privacy@indicadora.com. We respond within 30 days. If unsatisfied, you may lodge a complaint with the UK Information Commissioner's Office (ICO) or your local supervisory authority.
9. International Data Transfers
Our primary infrastructure is hosted in the EU (AWS eu-west via Supabase). AI image analysis is processed via OpenAI API endpoints, which may operate in the United States. Some data may also be processed by Vercel's edge network in various jurisdictions. Where transfers occur outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs), relevant adequacy decisions, or equivalent safeguards.
10. Security Measures
- TLS 1.2+ encryption for all data in transit, including image uploads.
- AES-256 encryption for data at rest (database and file storage).
- Row Level Security (RLS) at the database level — users can only access their own data and images.
- Least-privilege API key separation (anon vs. service role).
- Passwords hashed with bcrypt (via Supabase Auth).
- Rate limiting on all API endpoints to prevent abuse.
- Input validation and sanitisation on all user-submitted data.
- Access-controlled storage buckets for uploaded images (not publicly accessible).
- Regular security patching and dependency auditing.
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours (per GDPR Article 33) and affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
11. Cookies
We use strictly necessary cookies only — specifically, authentication session tokens managed by Supabase Auth. These are required for the Service to function and cannot be disabled.
We do not use advertising, tracking, or analytics cookies. If we introduce optional cookies in the future, we will implement a cookie consent mechanism in compliance with the Privacy and Electronic Communications Regulations (PECR) and ePrivacy Directive.
12. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service. The "Last updated" date at the top of this page indicates the most recent revision.
14. Contact Us
For any privacy-related questions or to exercise your data rights: