Privacy Policy
Last updated: 2 March 2026
1. Data controller
The data controller for personal data is Filzy, accessible at
For any questions about your personal data: privacy@filzy.app.
2. Your files never leave your browser
Filzy processes your files entirely in your browser. No file is ever sent, stored, or routed through our servers.
In practical terms, this means:
- We are neither the data controller nor the data processor for the content of your files
- No file data breach is possible since we never possess your files
- Your files exist only in your browser's memory during processing
- No retention policy is needed for your files
You can verify this guarantee by inspecting the Network tab in your browser's developer tools.
3. Data collected
We only collect data necessary for the operation of the Service:
Account data
- Email address (OTP sign-up)
- Name, email and profile photo (Google OAuth sign-up, depending on data shared by Google)
Technical data
- IP address
- Browser type and version
- Operating system
- Pages visited and timestamps
Tool usage data
When you use a tool (compression, conversion, EXIF removal, etc.), we collect anonymized usage statistics to improve the Service:
- Tool used (e.g. 'compress-jpg', 'merge-pdf')
- Number of files processed in the batch
- File size before and after processing (in bytes)
- Processing duration
- File addition method (drag-and-drop, click, paste)
- Account ID if you are logged in
No file content, no file name, and no metadata (EXIF, PDF text, etc.) are transmitted. Only byte sizes and counters are sent.
Data not collected
We do not collect any data related to the content of your files (images, PDF documents, EXIF metadata). These files never pass through our servers.
4. Legal bases
| Data | Legal basis |
|---|---|
| Account data (email OTP) | Performance of contract (Art. 6.1.b GDPR) |
| Google OAuth data | Consent (Art. 6.1.a GDPR) |
| Technical data | Legitimate interest – security and Service improvement (Art. 6.1.f GDPR) |
| Tool usage data | Legitimate interest – Service improvement (Art. 6.1.f GDPR) |
| Non-essential cookies | Consent (Art. 6.1.a GDPR) |
5. Processing purposes
- Creating and managing your user account
- Authentication and access security
- Providing and improving the Service
- Tool usage statistics (without file content) to prioritize improvements
- Prevention of abuse and fraud
- Compliance with our legal obligations
6. Sub-processors and sharing
We never sell your data. We use the following sub-processors:
| Sub-processor | Role | Data |
|---|---|---|
| Cloudflare | Hosting, CDN, security | Technical data (IP, requests) |
| Google | OAuth authentication | Email, name, profile photo |
| Resend | Transactional email delivery | Email address |
Google data is never shared with advertising platforms or data brokers.
7. International transfers
Some of our sub-processors (Cloudflare, Google, Resend) are based in the United States. These transfers are governed by:
- Standard Contractual Clauses (SCCs) of the European Commission
- The EU-US Data Privacy Framework, where applicable
- Compliance certifications of each provider (ISO 27701, EU Cloud Code of Conduct for Cloudflare)
8. Retention period
| Data | Duration |
|---|---|
| Account data | Account lifetime + 6 months after deletion |
| Authentication logs | 12 months |
| Technical data | 12 months |
| Tool usage data | 12 months |
| Your files | Never stored – 0 seconds |
9. Your rights
Under the GDPR, you have the following rights:
- Access: obtain a copy of your personal data
- Rectification: correct inaccurate or incomplete data
- Erasure: request the deletion of your data
- Restriction: restrict the processing of your data
- Portability: receive your data in a structured format
- Objection: object to the processing of your data
- Withdrawal of consent: withdraw your consent at any time
To exercise these rights, contact us at privacy@filzy.app. We will respond within a maximum of one month.
You also have the right to lodge a complaint with the CNIL:
Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07
www.cnil.fr
10. Security
We implement appropriate technical and organizational measures:
- Encryption of communications via HTTPS/TLS
- Protection against DDoS attacks and injections (Cloudflare WAF)
- Access control and secure authentication
- CAPTCHA validation (Cloudflare Turnstile) to prevent abuse
The most important security measure remains our architecture: your files never leave your device.
12. Minors
The Service is not intended for persons under 15 years of age, in accordance with French regulations on digital consent. If we learn that data has been collected from a minor under 15 without parental consent, we will take the necessary steps to delete that data.
13. Changes
We may update this privacy policy. Any changes will be posted on this page with an updated date. For significant changes, we will notify you by email if you have an account.
14. Contact
For any questions about this policy or your personal data: