Security & Data Handling

Last updated: July 5, 2026

Filly AI handles documents and client details, so here is exactly what we collect, where it goes, who processes it, and how you can erase it. No vague promises — specifics you can hold us to.

What we store

  • Your account email (used for magic-link sign-in).
  • Client profile details you enter (names, addresses, IDs, etc.).
  • Documents you upload and the filled documents we generate.
  • Billing metadata (handled by Stripe — we never see or store card numbers).

How your data is isolated

Every record is scoped to your account at the database layer using row-level security. No other user can read your forms, documents, or client data — this is enforced by the database, not just application code. All data is encrypted in transit (TLS) and at rest. API keys and privileged access run only on the server and never reach the browser. Sign-in is passwordless (magic link), so there is no password for us to store or for an attacker to steal.

AI processing

When you upload a document, its contents are sent to Anthropic's Claude API to extract the fillable fields. Anthropic does not train its models on data submitted through its API. We do not use your documents to train any model, and we never sell or share your data.

Sub-processors

We rely on a small set of vetted providers, each only for its stated purpose:

  • Supabase — database, file storage, and authentication.
  • Vercel — application hosting.
  • Anthropic — AI field extraction (no training on API data).
  • Stripe — payment processing.
  • Resend — transactional and sign-in emails.
  • Mixpanel — product analytics (consent-gated, EU data residency, IP not collected).
  • Sentry — error monitoring (diagnostics only, no document contents).

Compliance

Filly AI is built and operated in the EU and designed around the GDPR: data minimization, encryption, database-level isolation, erasure on request, and a signed Data Processing Agreement available to business customers. Product analytics are consent-gated and use EU data residency.

We are not yet SOC 2 or HIPAA certified — we won't display badges we haven't earned. Both are on our roadmap as we grow. If your organization needs a signed DPA, a completed security questionnaire, or a Business Associate Agreement before adopting Filly, email support@getfilly.app and we'll work with you.

Retention & automatic deletion

We keep your original uploaded document only so we can fill onto it. Stored document files (uploads and generated documents) are automatically deleted after 12 months of inactivity. You can also permanently delete your account and erase everything — uploaded documents, forms, fills, and client profiles — instantly at any time from Settings → Account → Delete account. Deletion is immediate and irreversible, and cancels any active subscription. This satisfies your right to erasure under the GDPR.

E-signatures

When a document is signed via a share link, we record the signature, timestamp, IP address, browser, and explicit consent, to provide a basic audit trail.

Your rights

You can access, export, correct, or delete your data. To exercise any of these, use the in-app deletion control or email support@getfilly.app.

Reporting a vulnerability

Found a security issue? Please email support@getfilly.app and we'll respond promptly. Please do not publicly disclose it before we've had a chance to fix it.

Who operates Filly AI

Filly AI is operated by Cyrus Group Kft., a company registered in Hungary (EU). Data-protection and privacy requests: support@getfilly.app.

We use optional analytics and advertising-measurement cookies to understand product usage and see which ads bring people to Filly. You can accept them, or continue with essential-only. Privacy policy.