Privacy Policy
Last updated: March 11, 2026
Fylio ("we," "us," or "our") is operated by SAS Collabas. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Fylio browser extension and related services (collectively, the "Service").
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
1. Data Controller
SAS Collabas
Simplified joint-stock company (société par actions simplifiée) with share capital of €1,000.00
24 Résidence Le Trimaran, 11370 Leucate, France
SIREN: 948 658 190 | RCS Narbonne
VAT: FR14948658190
Contact: support@fylio.pro
For any privacy-related inquiries, data access requests, or complaints, please contact us at the email above.
2. Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address — for authentication and account communications
- Display name and profile photo (if you sign in with Google) — for account personalization
- Email verification status — to ensure account security
2.2 Subscription and Payment Data
When you subscribe to a paid plan, we collect:
- Stripe Customer ID and Subscription ID — to manage your subscription
- Plan tier (Free, Light, or Pro) — to determine your service level
- Billing cycle dates — to manage subscription renewals
- Usage counters (batch and turbo credits used, add-on credits purchased) — for quota enforcement
We do not store your credit card number, CVV, or full billing address. All payment processing is handled by Stripe, which is PCI DSS Level 1 certified.
2.3 Service Data
When you use the Service, we collect:
- Batch metadata — stock site (Adobe Stock, Shutterstock, or Getty Images), asset count, processing status, contributor account identifier, and timestamps
- Generated metadata — AI-generated titles, descriptions, keywords, and categories for your stock photos
- Description version history — previous versions of generated descriptions (for the regeneration feature)
- Custom prompts — prompts you save for reuse across sessions
2.4 Image Data
When you submit photos for metadata generation:
- Image thumbnails are extracted from stock contributor pages and resized to 512px
- These images are sent to OpenAI's API for AI-based metadata generation
- We do not permanently store your images on our servers. Images are transmitted to OpenAI and discarded after processing.
2.5 Log Data
For debugging and security, we automatically collect:
- Action logs — what features you used (e.g., batch started, metadata generated)
- Error logs — technical error details for troubleshooting
- Anonymized IP address — your IP address with the last octet removed (e.g., 192.168.1.xxx becomes 192.168.1.0)
- User agent string — your browser type and version
- Timestamps — when actions occurred
2.6 Local Extension Data
The Fylio browser extension stores the following data locally on your device using Chrome's storage APIs (not HTTP cookies):
- Extension settings — your autofill preferences, keyword options, and editorial settings
- Batch progress — temporary state for in-progress batch operations
- Authentication tokens — Firebase session tokens for staying signed in
This data remains on your device and is cleared when you uninstall the extension or sign out.
3. How We Use Your Data
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing the Service (metadata generation, autofill) | Contract performance |
| Managing your account and subscription | Contract performance |
| Processing payments via Stripe | Contract performance |
| Debugging errors and monitoring service health | Legitimate interest |
| Preventing abuse and ensuring security | Legitimate interest |
| Sending transactional emails (e.g., email verification) | Contract performance |
We do not use your data for advertising, profiling, or automated decision-making that produces legal effects.
4. Third-Party Data Processors
We share your data with the following third-party processors, each of which has committed to data protection standards:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| OpenAI | AI metadata generation | Image thumbnails, text prompts, asset identifiers | United States |
| Stripe | Payment processing | Email address, billing information | United States |
| Google Cloud (Firebase) | Hosting, authentication, database | All account and service data | United States (us-central1) |
| Google OAuth | Sign-in authentication | Email address, profile information | United States |
OpenAI Data Processing
- We send your stock photo thumbnails and text prompts to OpenAI's Batch API for metadata generation.
- No personal information (email, name, payment details) is sent to OpenAI — only images and asset identifiers.
- OpenAI retains API input/output data for up to 30 days for abuse monitoring, then deletes it.
- OpenAI does not use API data to train their models.
Stripe Data Processing
- Stripe handles all payment card processing. We never see or store your full card details.
- Stripe is PCI DSS Level 1 certified, the highest level of payment security certification.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (email, profile) | Until you delete your account |
| Subscription and usage data | Until you delete your account |
| Generated metadata (items) | 30 days after creation, then automatically deleted |
| Batch records | 30 days after completion, then automatically deleted |
| Log events | 90 days, then automatically deleted |
| Custom prompts | Until you delete them or delete your account |
| Local extension data | Until you sign out or uninstall the extension |
You may request deletion of all your data at any time (see Section 7).
6. International Data Transfers
Your data is stored and processed in the United States (Google Cloud us-central1 region). If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data is transferred to the US under the following safeguards:
- Google Cloud: Subject to Google's Data Processing Terms, which include EU Standard Contractual Clauses (SCCs) approved by the European Commission.
- OpenAI: Subject to OpenAI's Data Processing Agreement, which includes SCCs.
- Stripe: Certified under applicable data transfer frameworks and uses SCCs.
7. Your Rights
GDPR Rights (EEA, UK, Switzerland residents)
You have the right to:
- Access your personal data — request a copy of all data we hold about you
- Rectification — request correction of inaccurate data
- Erasure ("right to be forgotten") — request deletion of all your data
- Data portability — receive your data in a structured, machine-readable format (JSON)
- Restriction — request that we limit processing of your data
- Object — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent, withdraw it at any time
CCPA Rights (California residents)
You have the right to:
- Know what personal information we collect and how it is used
- Delete your personal information
- Non-discrimination — we will not discriminate against you for exercising your rights
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
How to Exercise Your Rights
- Data export: Use the "Export My Data" option in the Fylio extension account menu to download a JSON file of all your data.
- Account deletion: Use the "Delete My Account" option in the Fylio extension account menu. This permanently deletes all your data from our systems, cancels any active subscription, and removes your authentication account.
- Other requests: Contact us at support@fylio.pro. We will respond within 30 days (or 45 days for complex CCPA requests).
8. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data transmitted between the extension, our servers, and third-party services uses TLS/HTTPS encryption
- Authentication requires email verification before any API access is granted
- Firebase ID tokens are validated server-side on every request
- Stripe webhook signatures are verified to prevent tampering
- IP addresses are anonymized before storage
- Access to production systems is restricted to authorized personnel
9. Cookies and Tracking
The Fylio browser extension does not use HTTP cookies. Instead, it uses:
- Chrome Storage API (`chrome.storage.sync` and `chrome.storage.local`) for settings and temporary state
- IndexedDB (managed by Firebase) for authentication session persistence
We do not use any third-party tracking cookies, analytics pixels, or advertising trackers.
10. Children's Privacy
The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at support@fylio.pro.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:
- Posting the updated policy with a new "Last updated" date
- Sending a notification through the extension (for material changes)
Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:
SAS Collabas
Email: support@fylio.pro
If you are located in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority. For users in France, the competent authority is:
Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
https://www.cnil.fr