Filvy — Privacy Policy
1. Who we are
Filvy is operated by a sole trader (OSVČ) under Czech law:
Data controller: Matěj Blinka
Registered place of business: Jarní 3456/11, 750 02 Přerov I-Město, Czech Republic
Company ID (IČO): 07777141
Trade register: Živnostenský rejstřík, trade licence since 7 January 2019, indefinite duration. Scope: software services, IT consulting, data processing, hosting and web portals.
Contact for privacy matters:
privacy@filvy.app
This policy covers the Filvy iOS application (App Store bundle com.filvy.app) and the supporting cloud backend hosted on Supabase.
2. Data we collect
We only collect the data below. We do not collect precise location, contacts, browsing history, audio recordings, or advertising identifiers (IDFA).
| Category | Examples | Linked to you | Tracking |
|---|---|---|---|
| Email address | Login via magic-link | Yes | No |
| Name | Display name, binder name | Yes | No |
| Other financial info | Amounts / account numbers extracted from invoices and contracts you upload | Yes | No |
| Health data | Medical documents (prescriptions, reports) you upload | Yes | No |
| Sensitive info | National ID, ID card numbers found in documents you upload | Yes | No |
| Photos or videos | Document scans and images | Yes | No |
| Other user content | Notes, tags, custom metadata | Yes | No |
| User ID | Your Supabase auth.users.id (UUID) | Yes | No |
| Device ID | Pseudonymous identifier for subscription management (RevenueCat) | Yes | No |
| Product interaction | Counts of documents opened, search queries (aggregated) | Yes | No |
| Crash data | Native iOS crash reports via Apple | Yes | No |
| Performance data | App startup time, OCR latency | Yes | No |
3. Why we collect it (purposes)
- App functionality — all categories above: to authenticate you, store and search your documents, send push notifications about expiring documents, manage your subscription.
- Analytics — User ID, Device ID, Product Interaction: aggregated server-side metrics to understand feature usage. We do not use third-party analytics SDKs.
- Product personalization — Product Interaction: to improve search ranking based on which documents you open most.
4. Legal basis (EU / GDPR)
- Performance of a contract (Art. 6(1)(b) GDPR) — account, document storage, subscription.
- Legitimate interests (Art. 6(1)(f) GDPR) — analytics, fraud prevention, backups.
- Consent (Art. 6(1)(a) GDPR) — push notifications.
- Explicit consent for special categories (Art. 9(2)(a) GDPR) — health data and sensitive IDs. By uploading such documents you consent to their processing solely for the purpose of storing and indexing them for your own retrieval.
5. Processors and third-party services
We use the following processors. None of them is used for advertising or cross-app tracking. All non-EU processors listed below operate under Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, Data Processing Agreements (DPAs).
| Processor | Purpose | Data | Location |
|---|---|---|---|
| Supabase | Authentication, Postgres database, encrypted file storage, edge functions | All document data, emails, user IDs, session tokens | Central EU (Frankfurt) |
| Railway | Hosting our AI pipeline service (OCR, extraction, embeddings, search) | Ephemeral document images and OCR text chunks during processing (not persisted on Railway) | Western EU (Amsterdam, europe-west4) |
| Google (Gemini API) | Vision-based OCR and structured metadata extraction from document images | Raw document images (scans, photos, PDF pages), short prompt context | US / global Google infrastructure (per Google Cloud API regions) |
| OpenAI | Text extraction (gpt-4o-mini), semantic embeddings (text-embedding-3-small), RAG answers to in-app questions | OCR text chunks from your documents, your search queries | US (with zero-retention API policy in effect) |
| RevenueCat | Subscription entitlement management across devices | Device ID, subscription state | US (SOC 2 certified) |
| Apple | Payments (StoreKit), crash reports, TestFlight | Purchase receipts, crash logs | Per Apple's policy |
| Cloudflare | DNS, CDN, Email Routing for our domain | Inbound email metadata to privacy@filvy.app / support@filvy.app (forwarded to our inbox, not stored by Cloudflare) | Global anycast network |
We do not share data with data brokers, ad networks, analytics vendors, Anthropic, or any other party not listed above. We do not use your document content to train third-party AI models — Google and OpenAI are used with their "enterprise" / "API" data-handling terms, under which submitted content is not used for model training.
6. Retention
- Account & profile data — until you delete your account
- Documents — until you delete them or your account; soft-delete window 30 days (recovery from accidental deletion)
- Server logs — 90 days, then automatic purge
- Backups — 30 days rolling
- Subscription records — retained by RevenueCat & Apple per their policies, typically 7 years for tax/accounting purposes
7. Your rights (GDPR)
You have the right to:
- Access — request a copy of your data
- Rectification — correct inaccurate data
- Erasure ("right to be forgotten") — delete your account; in-app Settings → Delete Account
- Restriction of processing
- Portability — receive your documents in machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent — at any time for consent-based processing
- Lodge a complaint with the Czech Data Protection Authority (Úřad pro ochranu osobních údajů, https://www.uoou.cz) or the supervisory authority in your country of residence
To exercise any right, email privacy@filvy.app. We respond within 30 days.
8. Security
Transport encryption: All communication between the app and backend uses TLS 1.3.
Storage encryption: Document files and database are encrypted at rest with AES-256 (Supabase-managed).
Local redaction: When you black out sensitive areas in a document, the black pixels are baked into the image on your device before the document leaves the phone. The Filvy server never sees the original (unredacted) version of any page you redacted.
iCloud Backup exclusion: Working files (cache, redaction intermediates) are flagged with NSURLIsExcludedFromBackupKey, so they are not included in your device's iCloud backup.
Authentication layer: JWT validation with algorithm-confusion attack protection (the accepted signing algorithm is fixed on the server side rather than read from the token header, so a token cannot select "none" or a different algorithm), mandatory claims (exp, iat, iss, aud, sub) and strict issuer verification.
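To make the above concrete, here is what such a check looks like as an added illustration. This is stdlib-only Python written for this page, not Filvy's code; the secret, issuer URL, audience, subject UUID and every token below are constructed for the demonstration (Supabase access tokens carry iss = https://<project-ref>.supabase.co/auth/v1 and aud = "authenticated", which is the shape assumed here). The verifier pins the algorithm before touching any key material, then enforces the five mandatory claims with an exact issuer match.

```python
"""Stdlib-only JWT (HS256) verifier: algorithm pinning + mandatory claims.

Added example, not Filvy's code. Secret, issuer, audience and all tokens are
constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Verifier configuration fixed server-side (assumed values; see lead-in).
PINNED_ALG = "HS256"
EXPECTED_ISS = "https://example-project.supabase.co/auth/v1"
EXPECTED_AUD = "authenticated"
REQUIRED_CLAIMS = ("exp", "iat", "iss", "aud", "sub")
LEEWAY = 30  # seconds of clock skew tolerated on exp / iat

_DIGESTS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}


class JWTError(ValueError):
    """Raised on any verification failure; the message names the failed check."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(header: dict, payload: dict, secret: bytes) -> str:
    """Mint an HMAC-signed token; used here only to build the test inputs."""
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    mac = hmac.new(secret, signing_input.encode(), _DIGESTS[header["alg"]]).digest()
    return f"{signing_input}.{_b64url(mac)}"


def verify(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("malformed: expected header.payload.signature")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_unb64url(h_b64))
        sig = _unb64url(s_b64)
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise JWTError("malformed: undecodable header or signature") from exc
    # Algorithm pinning: the verifier decides the algorithm, never the token.
    # "none", an asymmetric alg swapped for HMAC, or another HMAC variant all
    # fail here, before any key material is used.
    if header.get("alg") != PINNED_ALG:
        raise JWTError(f"alg rejected: {header.get('alg')!r} (pinned {PINNED_ALG})")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise JWTError("signature mismatch")
    try:
        payload = json.loads(_unb64url(p_b64))
    except ValueError as exc:
        raise JWTError("malformed: undecodable payload") from exc
    missing = [c for c in REQUIRED_CLAIMS if c not in payload]
    if missing:
        raise JWTError(f"missing claims: {','.join(missing)}")
    if not isinstance(payload["exp"], (int, float)) or now > payload["exp"] + LEEWAY:
        raise JWTError("token expired")
    if not isinstance(payload["iat"], (int, float)) or payload["iat"] > now + LEEWAY:
        raise JWTError("iat in the future")
    if payload["iss"] != EXPECTED_ISS:  # exact match; no prefix or substring tolerance
        raise JWTError(f"issuer rejected: {payload['iss']!r}")
    auds = payload["aud"] if isinstance(payload["aud"], list) else [payload["aud"]]
    if EXPECTED_AUD not in auds:
        raise JWTError("audience rejected")
    if not isinstance(payload["sub"], str) or not payload["sub"]:
        raise JWTError("sub must be a non-empty string")
    return payload


def outcome(token: str, secret: bytes, now: float) -> str:
    try:
        verify(token, secret, now)
        return "ok"
    except JWTError as exc:
        return str(exc)


def demo() -> dict:
    """Run the verifier on one valid token and five forged or mis-issued variants."""
    secret = b"constructed-demo-secret-do-not-reuse"  # constructed, not a real key
    now = 1_700_000_000
    hdr = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": "00000000-0000-4000-8000-000000000001", "iss": EXPECTED_ISS,
              "aud": EXPECTED_AUD, "iat": now - 60, "exp": now + 3600, "role": "authenticated"}
    good = sign(hdr, claims, secret)
    h_b64, _, s_b64 = good.split(".")
    none_hdr = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    escalated = _b64url(json.dumps({**claims, "role": "service_role"}).encode())
    return {
        "valid": outcome(good, secret, now),
        "alg_none": outcome(f"{none_hdr}.{good.split('.')[1]}.", secret, now),
        "alg_hs512": outcome(sign({"alg": "HS512", "typ": "JWT"}, claims, secret), secret, now),
        "tampered_role": outcome(f"{h_b64}.{escalated}.{s_b64}", secret, now),
        "expired": outcome(sign(hdr, {**claims, "exp": now - 120}, secret), secret, now),
        "wrong_issuer": outcome(sign(hdr, {**claims, "iss": "https://evil-project.supabase.co/auth/v1"}, secret), secret, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```

The HS512 case is the point of pinning: that token is correctly signed with the real secret, yet it is refused because the verifier does not let the header choose the digest. A verifier that dispatched on `header["alg"]` would accept it, and the same design flaw is what lets an RS256-to-HS256 swap succeed against servers whose public key is known.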
Row-level security (RLS): Database rows and storage objects are isolated per auth.users.id and family membership; the policies are defined in version-controlled SQL migrations and are auditable.
Tokens in Keychain: Session and refresh tokens are stored in the iOS Keychain via expo-secure-store, never in plain-text storage.
Zero-data-retention with AI partners: Google (Gemini) and OpenAI are configured with "zero data retention" / "API" terms — content sent to these providers is not used for model training or retained beyond the duration required to process the specific request.
No routine production access: Developers do not have routine access to production user data; the exception is technical support initiated by the user themselves (e.g. recovering an accidentally deleted document on request).
What Filvy does not do
For transparency, here is what Filvy does not use. We list it not to undersell our security work, but so you can make an informed decision about what data you entrust to us.
- End-to-end encryption (E2EE). Documents are not encrypted with a key held only by you. Our servers technically can process your content (and need to — OCR, semantic search and AI question answering would be impossible otherwise). E2EE is on our future roadmap.
- Zero-knowledge architecture. The operator of Filvy has database-level access to user data, the same way Dropbox, Google Drive or iCloud Drive do. This access is limited contractually (we do not use, sell, or analyse data beyond the in-app feature set) and procedurally (no reads without a user-initiated support request), but not cryptographically.
- "Bank-grade" / "military-grade" encryption. We don't use these phrases — they are marketing labels with no technical meaning. We name concrete algorithms and versions (TLS 1.3, AES-256) above instead.
9. Children
Filvy is not directed at children under 13 (COPPA) or under 16 (the GDPR default age of digital consent, Art. 8). We do not knowingly collect data from children. If you believe a child has created an account, contact privacy@filvy.app for removal.
10. Tracking
We do not track you across apps or websites owned by other companies. We do not use Apple's IDFA / ASIdentifierManager. Filvy does not display AppTrackingTransparency prompts because we do not track.
11. International transfers
Data at rest stays in the EU:
- Supabase — Central EU (Frankfurt, Germany). All your account data, document files, and OCR text are stored here.
- Railway — Western EU (Amsterdam, Netherlands). Our AI pipeline runs here; document content passes through memory during processing but is not persisted on Railway infrastructure.
Transfers outside the EU occur only during API calls to the following processors, each under Standard Contractual Clauses (SCCs) and an executed Data Processing Agreement:
- Google (Gemini API) — US / global, for Vision OCR.
- OpenAI API — US, for text extraction, embeddings, and RAG.
- RevenueCat — US, for subscription state synchronization.
- Apple — per Apple's published regions, for payments and crash reports.
Outbound API calls transmit only what is needed for the specific feature: document images or OCR text to the AI providers, device ID and subscription state to RevenueCat, purchase receipts to Apple. No bulk export of your data happens outside the EU storage layer.
12. Changes
We may update this policy. Material changes will be announced via in-app notice and by email. The "Last updated" date at the top reflects the most recent version.
13. Contact
Privacy questions and rights requests:
privacy@filvy.app
General support:
support@filvy.app