Privacy Policy

Last updated: 2026-03-22

1. Who we are

Filarr is published by Mathis Belouar-Pruvot, an individual based in Sainte-Geneviève-des-Bois, France.

  • Data controller: Mathis Belouar-Pruvot
  • Email: contact@filarr.com

2. Data collected

2.1 Account data

When you create a Filarr cloud account, we collect:

  • Email required for cloud sync. Legal basis: contract performance (GDPR Art. 6.1.b).
  • Hashed password stored as a bcrypt hash. Your plaintext password is never stored or transmitted.
  • Account creation date

2.2 Device data

For multi-device management, we store:

  • Device name from os.hostname()
  • Operating system e.g. "Windows 10.0.26200"
  • Last connection date

2.3 Payment data

Payments are handled exclusively by Stripe, Inc. (PCI DSS Level 1 certified). Filarr never stores your banking details (card number, CVV, expiration date).

We only store the Stripe Customer ID (an opaque identifier) to link your Filarr account to your Stripe subscription.

2.4 File data (zero-knowledge encryption)

Zero-knowledge encryption

All files are encrypted client-side with AES-256-GCM before upload. The encryption key (FEK — File Encryption Key) is derived from your password and never leaves your device in cleartext. Filarr technically cannot read, index, or analyze the content of your files. Only opaque encrypted blobs are stored on our servers.

3. What Filarr does NOT collect

  • Content of your files and notes
  • Names of your files
  • Structure of your folders
  • Encryption keys
  • Telemetry or analytics data
  • IP address (no server-side logging)
  • Tracking or advertising cookies

4. Where data is stored

  • Database: Cloudflare D1 (EU region)
  • Encrypted files: Cloudflare R2 (EU region — Frankfurt)
  • Payments: Stripe, Inc. (PCI DSS Level 1 certified)
  • Website: Vercel Inc.
  • Transactional emails: Resend (via Cloudflare)

Transfers to the United States (Cloudflare, Vercel, Stripe) are governed by the EU-US Data Privacy Framework.

5. Data retention

  • Account data: retained until the user deletes their account.
  • Encrypted files: retained until deleted by the user or plan termination.
  • Payment data: managed by Stripe per their policy (typically 7 years for tax obligations).
  • Contact messages: retained for a maximum of 12 months.

6. Your rights (GDPR)

Under the GDPR, you have the following rights:

  • Access view your data from the app (Settings > Account) or via GET /account.
  • Rectification update your email from the app or via PUT /account.
  • Erasure delete your account from the app (Settings > Delete my account). This immediately deletes your account, all devices, and all encrypted files on R2. This operation is irreversible.
  • Portability export your data from the app (vault export as ZIP).
  • Objection contact@filarr.com

Response time: 30 days maximum. If you believe your rights are not being respected, you can file a complaint with the CNIL (cnil.fr).

7. Cookies

The filarr.com website does not use tracking cookies. No Google Analytics, no Facebook Pixel. Only a language preference cookie (fr/en) is used. No consent banner is needed.

8. DPO Contact

For any questions regarding your personal data:

  • Email: contact@filarr.com
  • Data controller: Mathis Belouar-Pruvot

9. Changes

In case of substantial changes to this policy, we will notify users with a cloud account by email. The last updated date at the top of this page will be updated accordingly.

See also: Terms of Service · Legal Notice