Security & Data Handling
Last updated: July 5, 2026
Filly AI handles documents and client details, so here is exactly what we collect, where it goes, who processes it, and how you can erase it. No vague promises — specifics you can hold us to.
What we store
- Your account email (used for magic-link sign-in).
- Client profile details you enter (names, addresses, IDs, etc.).
- Documents you upload and the filled documents we generate.
- Billing metadata (handled by Stripe — we never see or store card numbers).
How your data is isolated
Every record is scoped to your account at the database layer using row-level security. No other user can read your forms, documents, or client data — this is enforced by the database, not just application code. All data is encrypted in transit (TLS) and at rest. API keys and privileged access run only on the server and never reach the browser. Sign-in is passwordless (magic link), so there is no password for us to store or for an attacker to steal.
AI processing
When you upload a document, its contents are sent to Anthropic's Claude API to extract the fillable fields. Anthropic does not train its models on data submitted through its API. We do not use your documents to train any model, and we never sell or share your data.
Sub-processors
We rely on a small set of vetted providers, each only for its stated purpose:
- Supabase — database, file storage, and authentication.
- Vercel — application hosting.
- Anthropic — AI field extraction (no training on API data).
- Stripe — payment processing.
- Resend — transactional and sign-in emails.
- Mixpanel — product analytics (consent-gated, EU data residency, IP not collected).
- Sentry — error monitoring (diagnostics only, no document contents).
Compliance
Filly AI is built and operated in the EU and designed around the GDPR: data minimization, encryption, database-level isolation, erasure on request, and a signed Data Processing Agreement available to business customers. Product analytics are consent-gated and use EU data residency.
We are not yet SOC 2 or HIPAA certified — we won't display badges we haven't earned. Both are on our roadmap as we grow. If your organization needs a signed DPA, a completed security questionnaire, or a Business Associate Agreement before adopting Filly, email support@getfilly.app and we'll work with you.
Retention & automatic deletion
We keep your original uploaded document only so we can fill onto it. Stored document files (uploads and generated documents) are automatically deleted after 12 months of inactivity. You can also permanently delete your account and erase everything — uploaded documents, forms, fills, and client profiles — instantly at any time from Settings → Account → Delete account. Deletion is immediate and irreversible, and cancels any active subscription. This satisfies your right to erasure under the GDPR.
E-signatures
When a document is signed via a share link, we record the signature, timestamp, IP address, browser, and explicit consent, to provide a basic audit trail.
Your rights
You can access, export, correct, or delete your data. To exercise any of these, use the in-app deletion control or email support@getfilly.app.
Reporting a vulnerability
Found a security issue? Please email support@getfilly.app and we'll respond promptly. Please do not publicly disclose it before we've had a chance to fix it.
Who operates Filly AI
Filly AI is operated by Cyrus Group Kft., a company registered in Hungary (EU). Data-protection and privacy requests: support@getfilly.app.