Privacy Policy

Your Files. Your Device.
Your Privacy.

We built Filey so your files never have to leave your control. This policy explains exactly what little data we do touch — and why.

Effective: 25 May 2026 Last Updated: 25 May 2026 GDPR & CCPA Compliant
TL;DR — The short version
Your files are converted 100% in your browser
We never see, store, or upload your full files
No cookies, no accounts, no tracking
Only the first 256 bytes are sent to detect file type
We do not sell your data — ever
We do not use advertising or analytics SDKs
01

Who We Are

Filey.in ("Filey", "we", "us", "our") is a browser-based file conversion service operated by Psylinks Security, based in India. Filey is designed as a privacy-first alternative to cloud-based file converters.

For privacy-related enquiries, please contact us at: privacy@psylinkssecurity.com

When this policy refers to "you" or "your", we mean any person who visits or uses filey.in.

02

What Data We Collect & Why

We collect the absolute minimum data required to operate this service. The table below is a complete and honest account of every data point that leaves your browser when you use Filey.

Data What & When Purpose Retention
IP Address Automatically captured on every HTTP request to our Cloudflare Worker infrastructure Rate limiting
Security
Ephemeral — used only for rate-window checks; not persisted to a database
File Header (256 bytes) The first 256 bytes of your chosen file, sent once when you select a file to detect its true format File type detection Discarded immediately after analysis — never stored, never logged
Encoded Filename Your file's name (URL-encoded) is sent as an HTTP header alongside the 256-byte snippet File type detection Discarded immediately — never stored, never logged
Timestamp A client-side timestamp sent with engine requests for HMAC authentication Security / Anti-abuse Used only for token validation — not stored
CDN Request Logs When your browser loads open-source libraries (jsDelivr, cdnjs), those CDN providers receive your IP address Service delivery Controlled by jsDelivr / Cloudflare per their own privacy policies
Your file content is never transmitted. The conversion itself — the actual reading, processing, and writing of your file — happens entirely within your browser using local JavaScript APIs. No file content beyond the initial 256-byte header is ever sent to our servers or any third-party server.

We do not collect: browsing history, device fingerprints, cookies, localStorage data, session identifiers, account information, or any form of analytics telemetry.

03

How We Use Your Data

We use the minimal data described above for three narrow purposes only:

1. File Type Detection — The 256-byte file header is analysed to determine the true format of your file (based on magic bytes), independent of the file's extension. This is necessary to show you accurate conversion options. The snippet is processed in memory and immediately discarded.

2. Rate Limiting & Abuse Prevention — Your IP address is used to enforce fair-use limits and prevent automated abuse of the service. This protects the service for all users. We do not store IP addresses persistently; they are checked ephemerally within the rate-limiting window.

3. Secure Engine Delivery — A time-based cryptographic token (HMAC-SHA256) derived from a shared secret is used to authenticate requests for the conversion engine code. This prevents unauthorised access to our proprietary engine. No personal data is embedded in or derived from this token.

05

Third-Party Services & Sub-Processors

Filey relies on the following third-party providers to operate. Each acts as a data processor on our behalf (or independently under their own policies):

Provider Role Data Shared Their Privacy Policy
Cloudflare, Inc. Edge computing (Cloudflare Workers), infrastructure, DDoS protection, CDN (cdnjs) IP address, request metadata, the 256-byte file header sent to our Worker cloudflare.com/privacypolicy
jsDelivr (Prospect One sp. z o.o.) CDN for open-source JavaScript libraries (jszip, xlsx, pdf-lib, mammoth, marked) IP address, browser type, referrer domain (as part of standard CDN operation) jsdelivr.com/privacy-policy

We do not use Google Analytics, Meta Pixel, or any other advertising or behavioural tracking tools. We have no advertising relationships. We do not share your data with any other third parties.

Cloudflare maintains a Data Processing Addendum (DPA) incorporating Standard Contractual Clauses for EU/EEA data transfers, which is incorporated into their service agreement. jsDelivr processes data under legitimate interests as described in their privacy policy.

06

Cookies & Browser Storage

Filey sets zero cookies. We do not use localStorage, sessionStorage, IndexedDB, or any other form of persistent browser storage to store personal data.

All application state (the file you selected, your chosen output format, conversion progress) is held only in JavaScript memory for the duration of your browser session and is automatically cleared when you close the tab or click "Convert Another".

Because we set no cookies or tracking technologies, no cookie consent banner is required for our own services. Third-party CDNs (jsDelivr, Cloudflare) may set browser-level caches for performance, but these are standard HTTP caching mechanisms — not tracking cookies.

07

Data Retention

File data: The 256-byte file header is processed in memory within our Cloudflare Worker and is never written to any database, file system, or log. It is discarded as soon as the file type determination is returned to your browser — this typically takes milliseconds.

Rate-limit state: IP-based rate counters are maintained in ephemeral Cloudflare Worker memory for the duration of a rolling time window only. These are not stored in a persistent database and are automatically purged.

Your converted files: Converted files exist only in your browser's memory as Blob URLs. They are never uploaded to any server. They are automatically freed from memory when you navigate away, close the tab, or click "Convert Another".

Server/infrastructure logs: Cloudflare may retain standard HTTP access logs (containing IP addresses and request metadata) in accordance with their own data retention policies, typically for a short period for security and operations purposes.

08

Data Security

All communication between your browser and our Cloudflare Worker infrastructure is encrypted in transit using HTTPS/TLS.

The conversion engine code is delivered in an encrypted form and is decrypted client-side using a time-limited HMAC-SHA256 authentication token. This prevents unauthorised parties from accessing or tampering with the engine.

Because the actual file conversion is performed entirely within your browser, your file content is protected by your own device's security controls and never traverses the internet.

While we take reasonable measures to protect the data we do process, no system is 100% secure. We encourage you to keep your browser and operating system updated.

09

Your Privacy Rights

Depending on where you live, you may have certain rights regarding your personal data. Given that we retain no personal data in any database, most of these rights are automatically satisfied by our architecture. Nonetheless, we honour them fully.

Right of Access
Request a copy of the personal data we hold about you. Since we hold none in our databases, we will confirm this in writing.
Right to Erasure
Request deletion of your personal data. Because we store no personal data in databases, erasure is inherent to our design.
Right to Object
Object to our processing based on legitimate interests. You may contact us, and we will assess your objection.
Data Portability
Request your data in a portable format. Since we hold no personal data, no export is available — but your files are always on your own device.
Right to Rectification
Request correction of inaccurate personal data. As we hold no personal data in our databases, there is nothing to correct.
Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority (e.g., ICO in the UK, your EU supervisory authority).

California Residents (CCPA/CPRA): You have the right to know what personal information we collect, the right to delete it, the right to opt out of the sale of your personal information (we do not sell it), and the right not to be discriminated against for exercising your rights. To exercise any right, contact us at privacy@psylinkssecurity.com.

10

Children's Privacy

Filey is not directed to children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children. Because we collect no account information or personal data profiles of any kind, we have no mechanism to identify the age of our users.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@psylinkssecurity.com.

11

International Data Transfers

Filey is operated by Psylinks Security, based in India. Our backend infrastructure runs on Cloudflare Workers, which operate across Cloudflare's global edge network. When you use Filey, your request (including IP address and the 256-byte file header) may be processed at a Cloudflare edge node in any country.

For users in the EEA, UK, or Switzerland, Cloudflare provides appropriate safeguards for international data transfers via Standard Contractual Clauses (SCCs) incorporated into their Data Processing Addendum, which is available at cloudflare.com/trust-hub/gdpr.

12

Changes to This Policy

We may update this Privacy Policy from time to time as our service evolves or as legal requirements change. When we make material changes, we will update the "Last Updated" date at the top of this page.

We encourage you to review this policy periodically. Continued use of Filey after any changes constitutes your acceptance of the updated policy.

Previous versions of this policy can be requested by emailing privacy@psylinkssecurity.com.

13

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out:

Psylinks Security — Privacy Team

Email: privacy@psylinkssecurity.com
Website: filey.in
We aim to respond to all privacy enquiries within 5 business days.