Privacy at a glance
Statly analyses Instagram pages entirely within your browser. No Instagram data, scan results, or browsing activity is ever sent to any server we control. The only outbound transmissions from the extension are: (1) your licence key, sent over HTTPS to verify your paid subscription; (2) an anonymous instance identifier (UUID), sent to our scan-counting service to enforce the daily scan limit for free users; and (3) if you use the optional Statly API feature, the scan requests you initiate through it. None of these transmissions contains Instagram content or personally identifiable information beyond what is described in Section 4.
To operate a fair free tier and prevent abuse, our scan-counting service processes and temporarily stores your IP address (a short-lived daily counter and an installation-to-IP binding, automatically deleted after roughly 48 hours). This is described in full in Section 4.2.
Payments are handled entirely by Lemon Squeezy, who act as Merchant of Record. The legal transaction is between you and Lemon Squeezy directly — we never see your card details. If you contact us by email for support, we use your message solely to respond to you.
We do not use analytics, tracking pixels, advertising SDKs, or cookies of any kind. Your licence, subscription details, scan-count data, watchlists, folders, tags, and saved reels are stored locally in Chrome on your device and are deleted automatically when you uninstall the extension.
You can exercise any GDPR right — including requesting deletion of data we hold — by emailing info.statly@gmail.com. Full details are in the numbered sections below.
1. Definitions
"Personal data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of Regulation (EU) 2016/679 (GDPR).
"Processing" means any operation performed on personal data, whether or not by automated means, including collection, storage, use, transmission, or deletion.
"We", "us", "our" refers to Miltiadis Themelis, the Data Controller.
"Instance ID" means a randomly generated universally unique identifier (UUID v4) created by the extension on first installation and stored locally in Chrome extension storage. It contains no personal information and is used to count daily scans per installation and, for paid users, to pair a licence activation to an installation.
2. Identity and Contact Details of the Data Controller
Name: Miltiadis Themelis
Location: Greece
Email: info.statly@gmail.com
All data protection enquiries, requests to exercise data subject rights, and complaints should be directed to the email address above.
Data Protection Officer (DPO): No DPO has been appointed. This is not required under Article 37 GDPR, as the processing activities carried out do not meet the thresholds that trigger a mandatory DPO appointment (i.e., large-scale processing of special categories of data, or systematic monitoring of individuals).
3. About Statly and How It Works
Statly is a Chrome browser extension that runs on Instagram web pages. It reads publicly visible content already rendered in your browser and performs analytics calculations locally, within your browser session on your own device.
Statly does not:
- transmit Instagram profile data, scan results, analytics outputs, or browsing activity to any server we control;
- access login credentials, private messages, or authentication tokens;
- modify Instagram's backend systems; or
- bypass any authentication mechanism.
All Instagram analysis occurs exclusively on your device. The optional Statly API feature (Section 4.6) operates on the same principle: it initiates scans you request, and returns the resulting analytics to you.
4. Personal Data We Process
4.1 Licence Key Transmission (Paid Users Only)
If you hold a paid subscription, the extension transmits your licence key to a licence verification endpoint hosted on Cloudflare Worker infrastructure (at the domain core.trystatly.com). This transmission occurs over HTTPS and serves exclusively to confirm that your licence is valid, via our payment provider Lemon Squeezy.
IP addresses are personal data under GDPR. In the course of processing the HTTPS request, your IP address and standard connection metadata are received and processed by Cloudflare as a data processor providing infrastructure services. For licence verification specifically, we do not deliberately persist your IP address beyond the transient handling of the request. Cloudflare's processing of connection metadata is subject to its own data protection obligations and policies.
4.2 Instance ID, Scan Count, and IP-Based Rate Limiting (All Users)
To enforce the daily scan limit for free users and to prevent abuse of that limit, the extension transmits an anonymous Instance ID to a scan-counting endpoint hosted on Cloudflare Worker infrastructure (at the domain core.trystatly.com). This occurs when the extension is opened and each time a free-tier user attempts a scan.
The Instance ID is a randomly generated UUID created on first use and stored locally. It is not linked to your name, email address, Instagram account, or any other identifying information.
To prevent circumvention of the free limit (for example, by reinstalling the extension to obtain a fresh Instance ID), the scan-counting service also processes your IP address and, in this case, temporarily stores IP-derived data in Cloudflare's key-value storage. Specifically, it stores:
- a per-IP daily scan counter, and
- a binding between your IP address and the first Instance ID seen from that IP on a given day.
This IP-derived data is associated with a calendar date and is automatically deleted after approximately 48 hours. It is used solely to enforce fair daily usage limits and to detect abuse. The service additionally inspects the network provider (autonomous system number) associated with a request to apply stricter limits to traffic originating from commercial VPN or datacentre networks; this inspection is part of the rate-limiting logic and is not stored as a separate profile.
Pro (paid) users are not subject to daily scan limits; for them, the Instance ID is used for licence activation pairing rather than scan counting.
4.3 Local Storage (All Users)
The extension stores the following data locally in Chrome's extension storage on your device:
- Licence key (paid users only)
- Subscription status and tier
- Last licence verification timestamp
- Instance ID (UUID — anonymous, no personal information)
- Scan date (today's local date, in YYYY-MM-DD format) and scan count (resets daily at local midnight)
- Watchlist accounts you choose to track, together with the Instagram analytics fetched for them (such as reel view counts, likes, comments, follower counts, and timestamps)
- Folders and tags you create to organise your watchlist
- Saved reels you bookmark, with their associated analytics
All of this data remains on your device at all times. It is not transmitted to us, beyond the Instance ID and licence key transmissions described above and the scan requests you initiate via the optional API feature. It is automatically deleted when you remove the extension from your browser. The Instagram analytics stored locally are derived from publicly visible content and are cached on your device purely so you can revisit them without rescanning.
4.4 Payment Information
Payments for paid subscriptions are processed by Lemon Squeezy (a product of Lemon Squeezy LLC). Lemon Squeezy operates as a Merchant of Record, meaning that the legal transaction takes place directly between you and Lemon Squeezy — not between you and us. Lemon Squeezy is responsible for collecting and processing all payment data, including card details and billing information, which we do not receive, process, or store.
As part of licence fulfilment, Lemon Squeezy may transmit to us limited data, such as a transaction identifier and subscription status, solely for the purpose of generating and activating a licence key. We do not independently store customer transaction records.
4.5 Email Support Communications
If you contact us by email, we will process the information you provide — including your email address and the content of your message — for the purpose of responding to your enquiry. We do not use this information for any other purpose, and we do not share it with third parties. Email correspondence is retained for as long as reasonably necessary to resolve your enquiry.
4.6 Statly API Feature (Optional)
Statly includes an optional API that lets you trigger profile scans and retrieve reel analytics programmatically. When you use this feature, your scan requests are processed through a Cloudflare Worker endpoint (at the domain api.trystatly.com) which fetches the requested public Instagram analytics and returns them to you. As with all Cloudflare-handled requests, your IP address and standard connection metadata are processed by Cloudflare as part of delivering the request. Use of the API is entirely at your initiative; if you do not use it, no such requests are made.
5. What We Do Not Collect
For the avoidance of doubt, we do not collect, process, or store any of the following:
- Instagram login credentials, passwords, private messages, or authentication tokens;
- Browsing history or browsing activity outside the scans you explicitly initiate;
- Usage statistics or behavioural analytics;
- Data via Google Analytics, tracking pixels, advertising SDKs, or third-party analytics services;
- Cookies used for tracking or profiling;
- Any information that identifies you personally beyond what is described in Section 4.
The Instagram analytics you generate using Statly (profile data, reels, engagement metrics, and so on) are processed on your device and, where you choose to save them to your watchlist or bookmarks, stored locally on your device. We do not receive or retain this content on any server we control.
6. Legal Basis for Processing
We process personal data only to the extent described in Section 4. The applicable legal bases under Article 6 GDPR are as follows:
Contractual necessity (Article 6(1)(b) GDPR): Transmission of the licence key is necessary for the performance of a contract with you (your paid subscription). Without verifying your licence key, we cannot provide access to the paid features of Statly.
Legitimate interests (Article 6(1)(f) GDPR): Transmission of the anonymous Instance ID, and the temporary processing and storage of IP-derived data for scan counting and abuse prevention, are based on our legitimate interest in operating a commercially sustainable free tier with a fair usage limit and in preventing circumvention of that limit. The data is minimal, short-lived (deleted after roughly 48 hours), and used solely for this purpose. We have assessed that this interest is not overridden by the interests, rights, or freedoms of data subjects.
Legitimate interests (Article 6(1)(f) GDPR): To the extent that Cloudflare's processing of connection metadata during licence verification, scan counting, and API requests also serves fraud prevention and service integrity purposes, we rely on our legitimate interest in operating a secure and commercially sustainable service.
Legitimate interests (Article 6(1)(f) GDPR): Processing of email correspondence is based on our legitimate interest in responding to user communications and providing effective support.
7. Automated Decision-Making
We do not carry out any automated decision-making, including profiling, that produces legal effects or similarly significantly affects you, within the meaning of Article 22 GDPR. Licence verification, scan counting, and rate limiting are technical validation steps and do not involve any assessment of your personal characteristics or circumstances.
8. Data Retention
Licence key, subscription, watchlist, folder, tag, and saved-reel data stored locally in Chrome storage is retained on your device for as long as the extension is installed. It is automatically and permanently deleted when you uninstall the extension. We do not hold copies of this data on our own servers.
The Instance ID is stored locally and persists for as long as the extension is installed. The daily scan count and scan date reset automatically at local midnight each day.
IP-derived data stored by the scan-counting service (the per-IP daily counter and the IP-to-instance binding) is automatically deleted after approximately 48 hours.
Email correspondence is retained for as long as reasonably necessary to address your enquiry, after which it is deleted. Lemon Squeezy, as Merchant of Record, retains transaction data in accordance with its own legal and regulatory obligations and privacy policy. Cloudflare does not retain persistent request logs on our behalf beyond the short-lived rate-limiting data described above.
9. International Data Transfers
The licence verification, scan-counting, and API endpoints are delivered through Cloudflare's global network. Because Cloudflare operates data centres across multiple jurisdictions, including outside the European Economic Area (EEA), routing a request through Cloudflare's infrastructure may constitute a transfer of personal data (specifically, connection metadata including IP addresses, and the short-lived IP-derived rate-limiting data described in Section 4.2) to third countries within the meaning of Chapter V GDPR.
Cloudflare relies on appropriate safeguards for such transfers, including Standard Contractual Clauses (SCCs) adopted pursuant to Article 46 GDPR. Details of Cloudflare's transfer mechanisms are available at cloudflare.com/privacypolicy.
Payments are processed by Lemon Squeezy, which may also operate infrastructure outside the EEA. Its own privacy policy describes the applicable transfer safeguards. We do not ourselves transfer personal data outside the EEA.
10. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights in relation to personal data we process about you:
- Right of access (Article 15 GDPR): You may request confirmation of whether we process personal data about you and, if so, a copy of that data.
- Right to rectification (Article 16 GDPR): You may request correction of inaccurate personal data we hold.
- Right to erasure (Article 17 GDPR): You may request deletion of your personal data where the conditions of Article 17 are met.
- Right to restriction of processing (Article 18 GDPR): You may request that processing of your personal data be restricted in certain circumstances.
- Right to object (Article 21 GDPR): Where processing is based on legitimate interests, you may object. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to data portability (Article 20 GDPR): Where processing is based on contract and carried out by automated means, you may request a copy of your data in a structured, commonly used, machine-readable format.
- Right to lodge a complaint: You have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) at dpa.gr.
To exercise any of the above rights, please contact us at info.statly@gmail.com. We will respond within one month of receiving your request, as required by Article 12 GDPR.
Given that most data processed by Statly resides exclusively on your device, the most effective way to delete locally stored data is to uninstall the extension from your browser.
11. Children's Privacy
Statly is not directed at, and is not intended for use by, individuals under the age of 16. We do not knowingly process personal data relating to children under 16. If you believe that a child under 16 has provided us with personal data, please contact us at info.statly@gmail.com and we will take appropriate steps.
12. Security Measures
We apply the following technical measures commensurate with the nature and volume of data we process:
- All licence key, Instance ID, and API requests between the extension and the Cloudflare endpoints are protected by HTTPS (TLS) encryption in transit.
- The extension is designed on a data minimisation principle: only the licence key, anonymous Instance ID, and any scans you explicitly initiate are transmitted; no analytics, profile, or behavioural data leaves your device except as the result of a scan you request.
- The Instance ID is a randomly generated UUID with no link to any personal identifier, and IP-derived rate-limiting data is short-lived and automatically deleted.
- Local storage of subscription, watchlist, and scan data relies on Chrome's built-in extension storage mechanism, which is sandboxed to the extension and not accessible to other browser extensions or websites.
No method of transmission or storage over the internet can be guaranteed to be completely secure. However, the architecture of Statly is deliberately designed to minimise the volume and sensitivity of data processed, thereby reducing risk proportionately.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the functionality of Statly. Any changes will be reflected by an updated version number and effective date at the top of this document. Where the changes are material, we will seek to notify users via the Chrome Web Store listing or another appropriate channel.
Continued use of Statly after an updated policy becomes effective constitutes your acknowledgment of the revised terms.