Who We Are
Filey.in ("Filey", "we", "us", "our") is a browser-based file conversion service operated by Psylinks Security, based in India. Filey is designed as a privacy-first alternative to cloud-based file converters.
For privacy-related enquiries, please contact us at: privacy@psylinkssecurity.com
When this policy refers to "you" or "your", we mean any person who visits or uses filey.in.
What Data We Collect & Why
We collect the absolute minimum data required to operate this service. The table below is a complete and honest account of every data point that leaves your browser when you use Filey.
| Data | What & When | Purpose | Retention |
|---|---|---|---|
| IP Address | Automatically captured on every HTTP request to our Cloudflare Worker infrastructure | Rate limiting Security |
Ephemeral — used only for rate-window checks; not persisted to a database |
| File Header (256 bytes) | The first 256 bytes of your chosen file, sent once when you select a file to detect its true format | File type detection | Discarded immediately after analysis — never stored, never logged |
| Encoded Filename | Your file's name (URL-encoded) is sent as an HTTP header alongside the 256-byte snippet | File type detection | Discarded immediately — never stored, never logged |
| Timestamp | A client-side timestamp sent with engine requests for HMAC authentication | Security / Anti-abuse | Used only for token validation — not stored |
| CDN Request Logs | When your browser loads open-source libraries (jsDelivr, cdnjs), those CDN providers receive your IP address | Service delivery | Controlled by jsDelivr / Cloudflare per their own privacy policies |
We do not collect: browsing history, device fingerprints, cookies, localStorage data, session identifiers, account information, or any form of analytics telemetry.
How We Use Your Data
We use the minimal data described above for three narrow purposes only:
1. File Type Detection — The 256-byte file header is analysed to determine the true format of your file (based on magic bytes), independent of the file's extension. This is necessary to show you accurate conversion options. The snippet is processed in memory and immediately discarded.
2. Rate Limiting & Abuse Prevention — Your IP address is used to enforce fair-use limits and prevent automated abuse of the service. This protects the service for all users. We do not store IP addresses persistently; they are checked ephemerally within the rate-limiting window.
3. Secure Engine Delivery — A time-based cryptographic token (HMAC-SHA256) derived from a shared secret is used to authenticate requests for the conversion engine code. This prevents unauthorised access to our proprietary engine. No personal data is embedded in or derived from this token.
Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, our legal basis for the limited processing described above is Legitimate Interests (Article 6(1)(f) of the GDPR).
Specifically:
File type detection — Processing the 256-byte header is strictly necessary to provide the core functionality of the service you have requested. Without it, we cannot offer you the correct conversion options. Our interest in providing this service is balanced against, and does not override, your fundamental rights, given that only a tiny, non-content portion of your file is transmitted and immediately discarded.
Rate limiting / security — We have a legitimate interest in protecting the integrity and availability of our service from abuse. IP-based rate limiting is a proportionate, standard security measure. We do not persist IP addresses beyond the ephemeral rate-window checks.
We do not rely on consent as our legal basis because we process no personal data for marketing, advertising, profiling, or any purpose beyond the technical operation of the service.
Third-Party Services & Sub-Processors
Filey relies on the following third-party providers to operate. Each acts as a data processor on our behalf (or independently under their own policies):
| Provider | Role | Data Shared | Their Privacy Policy |
|---|---|---|---|
| Cloudflare, Inc. | Edge computing (Cloudflare Workers), infrastructure, DDoS protection, CDN (cdnjs) | IP address, request metadata, the 256-byte file header sent to our Worker | cloudflare.com/privacypolicy |
| jsDelivr (Prospect One sp. z o.o.) | CDN for open-source JavaScript libraries (jszip, xlsx, pdf-lib, mammoth, marked) | IP address, browser type, referrer domain (as part of standard CDN operation) | jsdelivr.com/privacy-policy |
We do not use Google Analytics, Meta Pixel, or any other advertising or behavioural tracking tools. We have no advertising relationships. We do not share your data with any other third parties.
Cloudflare maintains a Data Processing Addendum (DPA) incorporating Standard Contractual Clauses for EU/EEA data transfers, which is incorporated into their service agreement. jsDelivr processes data under legitimate interests as described in their privacy policy.
Cookies & Browser Storage
All application state (the file you selected, your chosen output format, conversion progress) is held only in JavaScript memory for the duration of your browser session and is automatically cleared when you close the tab or click "Convert Another".
Because we set no cookies or tracking technologies, no cookie consent banner is required for our own services. Third-party CDNs (jsDelivr, Cloudflare) may set browser-level caches for performance, but these are standard HTTP caching mechanisms — not tracking cookies.
Data Retention
File data: The 256-byte file header is processed in memory within our Cloudflare Worker and is never written to any database, file system, or log. It is discarded as soon as the file type determination is returned to your browser — this typically takes milliseconds.
Rate-limit state: IP-based rate counters are maintained in ephemeral Cloudflare Worker memory for the duration of a rolling time window only. These are not stored in a persistent database and are automatically purged.
Your converted files: Converted files exist only in your browser's memory as Blob URLs. They are never uploaded to any server. They are automatically freed from memory when you navigate away, close the tab, or click "Convert Another".
Server/infrastructure logs: Cloudflare may retain standard HTTP access logs (containing IP addresses and request metadata) in accordance with their own data retention policies, typically for a short period for security and operations purposes.
Data Security
All communication between your browser and our Cloudflare Worker infrastructure is encrypted in transit using HTTPS/TLS.
The conversion engine code is delivered in an encrypted form and is decrypted client-side using a time-limited HMAC-SHA256 authentication token. This prevents unauthorised parties from accessing or tampering with the engine.
Because the actual file conversion is performed entirely within your browser, your file content is protected by your own device's security controls and never traverses the internet.
While we take reasonable measures to protect the data we do process, no system is 100% secure. We encourage you to keep your browser and operating system updated.
Your Privacy Rights
Depending on where you live, you may have certain rights regarding your personal data. Given that we retain no personal data in any database, most of these rights are automatically satisfied by our architecture. Nonetheless, we honour them fully.
California Residents (CCPA/CPRA): You have the right to know what personal information we collect, the right to delete it, the right to opt out of the sale of your personal information (we do not sell it), and the right not to be discriminated against for exercising your rights. To exercise any right, contact us at privacy@psylinkssecurity.com.
Children's Privacy
Filey is not directed to children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children. Because we collect no account information or personal data profiles of any kind, we have no mechanism to identify the age of our users.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@psylinkssecurity.com.
International Data Transfers
Filey is operated by Psylinks Security, based in India. Our backend infrastructure runs on Cloudflare Workers, which operate across Cloudflare's global edge network. When you use Filey, your request (including IP address and the 256-byte file header) may be processed at a Cloudflare edge node in any country.
For users in the EEA, UK, or Switzerland, Cloudflare provides appropriate safeguards for international data transfers via Standard Contractual Clauses (SCCs) incorporated into their Data Processing Addendum, which is available at cloudflare.com/trust-hub/gdpr.
Changes to This Policy
We may update this Privacy Policy from time to time as our service evolves or as legal requirements change. When we make material changes, we will update the "Last Updated" date at the top of this page.
We encourage you to review this policy periodically. Continued use of Filey after any changes constitutes your acceptance of the updated policy.
Previous versions of this policy can be requested by emailing privacy@psylinkssecurity.com.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out:
Psylinks Security — Privacy Team
Email: privacy@psylinkssecurity.com
Website: filey.in
We aim to respond to all privacy enquiries within 5 business days.