Privacy Policy

1. Definitions

"Personal data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of Regulation (EU) 2016/679 (GDPR).

"Processing" means any operation performed on personal data, whether or not by automated means, including collection, storage, use, transmission, or deletion.

"We", "us", "our" refers to Miltiadis Themelis, the Data Controller.

"Instance ID" means a randomly generated universally unique identifier (UUID v4) created by the extension on first installation and stored locally in Chrome extension storage. It contains no personal information.

"Cloud sync" refers to the optional feature, available to active Pro users, that stores a copy of certain Statly content on our infrastructure so it can be accessed across the user's devices.

2. Identity and Contact Details of the Data Controller

Name: Miltiadis Themelis
Location: Greece
Email: info.statly@gmail.com

All data protection enquiries, requests to exercise data subject rights, and complaints should be directed to the email address above.

Data Protection Officer (DPO): No DPO has been appointed. This is not required under Article 37 GDPR, as the processing activities carried out do not meet the thresholds that trigger a mandatory DPO appointment.

3. About Statly and How It Works

Statly is a Chrome browser extension that runs on Instagram web pages. It reads publicly visible content already rendered in your browser and performs analytics calculations locally on your device.

Statly does not:

• transmit Instagram profile data, scan results, analytics outputs, or browsing activity to any server we control, except as part of the optional cloud sync feature for Pro users (Section 4.6) or the optional Statly API (Section 4.7);
• access login credentials, private messages, or authentication tokens;
• modify Instagram's backend systems;
• bypass any authentication mechanism.

4. Personal Data We Process

4.1 Licence Key Transmission (Paid Users Only)

If you hold a paid subscription, the extension transmits your licence key to a licence verification endpoint hosted on Cloudflare Worker infrastructure (at the domain core.trystatly.com). This transmission occurs over HTTPS and serves exclusively to confirm that your licence is valid, via our payment provider Lemon Squeezy.

IP addresses are personal data under GDPR. In the course of processing the HTTPS request, your IP address and standard connection metadata are received and processed by Cloudflare as a data processor providing infrastructure services. For licence verification specifically, we do not deliberately persist your IP address beyond the transient handling of the request.

4.2 Instance ID, Scan Count, and IP-Based Rate Limiting (All Users)

To enforce the daily scan limit for free users and to prevent abuse of that limit, the extension transmits an anonymous Instance ID to a scan-counting endpoint hosted on Cloudflare Worker infrastructure (at the domain core.trystatly.com).

The Instance ID is a randomly generated UUID created on first use and stored locally. It is not linked to your name, email address, Instagram account, or any other identifying information.

To prevent circumvention of the free limit, the scan-counting service also processes your IP address and temporarily stores IP-derived data in Cloudflare's key-value storage. Specifically, it stores: a per-IP daily scan counter, and a binding between your IP address and the first Instance ID seen from that IP on a given day. This IP-derived data is associated with a calendar date and is automatically deleted after approximately 48 hours.

The service additionally inspects the network provider (autonomous system number) associated with a request to apply stricter limits to traffic originating from commercial VPN or datacentre networks; this inspection is part of the rate-limiting logic and is not stored as a separate profile.

4.3 Local Storage (All Users)

The extension stores the following data locally in Chrome's extension storage on your device:

• Licence key (paid users only) and subscription status, tier, and last verification timestamp
• Instance ID (UUID, anonymous, no personal information)
• Scan date and scan count (resets daily at local midnight)
• Watchlist accounts you choose to track, together with the Instagram analytics fetched for them (such as reel view counts, likes, comments, follower counts, and timestamps)
• Folders and tags you create to organise your watchlist
• Trend Finder niches and their associated scan results
• Saved reels you bookmark, with their associated analytics
• User-interface preferences such as theme (light or dark mode)

All of this data remains on your device. Where you are a Pro user with cloud sync enabled (the default), a copy of the watchlist, Trend Finder, and saved-reels data is additionally stored on our infrastructure as described in Section 4.6. Local data is automatically deleted when you remove the extension from your browser.

4.4 Payment Information

Payments for paid subscriptions are processed by Lemon Squeezy. Lemon Squeezy operates as a Merchant of Record, meaning that the legal transaction takes place directly between you and Lemon Squeezy, not between you and us. Lemon Squeezy is responsible for collecting and processing all payment data, including card details and billing information, which we do not receive, process, or store.

As part of licence fulfilment, Lemon Squeezy may transmit to us limited data, such as a transaction identifier and subscription status, solely for the purpose of generating and activating a licence key. We do not independently store customer transaction records.

4.5 Email Support Communications

If you contact us by email, we will process the information you provide, including your email address and the content of your message, for the purpose of responding to your enquiry. We do not use this information for any other purpose, and we do not share it with third parties. Email correspondence is retained for as long as reasonably necessary to resolve your enquiry.

4.6 Cloud Sync for Pro Users (Optional)

If you hold an active Pro subscription, the extension offers cross-device synchronisation of certain content. When cloud sync is enabled (this is the default for Pro users, and can be turned off at any time from the Settings tab), the extension transmits the following content to a sync endpoint hosted on Cloudflare Worker infrastructure (at the domain sync.trystatly.com):

• Your watchlist (the Instagram accounts you have chosen to track, the folders and tags you have created, and the analytics that have been fetched for those accounts)
• Your Trend Finder data (the niches you have created, the accounts assigned to each niche, and the analytics that have been fetched for those accounts)
• Your saved reels (the reels you have bookmarked, with their associated analytics)

This content is stored on our infrastructure in Cloudflare's key-value storage, keyed by your licence key. It is used solely to provide the sync feature, so that activating the same licence key on another device retrieves the same content. We do not analyse, profile, or commercially exploit this content.

Before allowing sync operations, our sync service verifies with Lemon Squeezy that the supplied licence key is currently active. As with all Cloudflare-handled requests, your IP address and standard connection metadata are processed by Cloudflare as part of delivering the request.

You can disable cloud sync at any time in the Settings tab. Disabling sync stops new uploads from your device. Data already stored on our infrastructure is retained until you request deletion (Section 10) or until your licence is no longer active for an extended period, after which it may be removed.

4.7 Statly API Feature (Optional)

Statly includes an optional API that lets you trigger profile scans and retrieve reel analytics programmatically. When you use this feature, your scan requests are processed through a Cloudflare Worker endpoint (at the domain api.trystatly.com) which fetches the requested public Instagram analytics and returns them to you. Use of the API is entirely at your initiative; if you do not use it, no such requests are made.

5. What We Do Not Collect

For the avoidance of doubt, we do not collect, process, or store any of the following:

• Instagram login credentials, passwords, private messages, or authentication tokens
• Browsing history or browsing activity outside the scans you explicitly initiate
• Usage statistics or behavioural analytics
• Data via Google Analytics, tracking pixels, advertising SDKs, or third-party analytics services
• Cookies used for tracking or profiling
• Any information that identifies you personally beyond what is described in Section 4

The Instagram analytics you generate using Statly are processed on your device. Where you have enabled cloud sync as a Pro user, a copy of that content is stored on our infrastructure solely to provide the sync feature, as described in Section 4.6.

6. Legal Basis for Processing

We process personal data only to the extent described in Section 4. The applicable legal bases under Article 6 GDPR are as follows:

Contractual necessity (Article 6(1)(b) GDPR): Transmission of the licence key is necessary for the performance of a contract with you (your paid subscription). Cloud sync, where enabled, is also performed in the context of providing the paid service you have contracted for.

Legitimate interests (Article 6(1)(f) GDPR): Transmission of the anonymous Instance ID and the temporary processing and storage of IP-derived data for scan counting and abuse prevention are based on our legitimate interest in operating a commercially sustainable free tier with a fair usage limit.

Legitimate interests (Article 6(1)(f) GDPR): Processing of email correspondence is based on our legitimate interest in responding to user communications and providing effective support.

7. Automated Decision-Making

We do not carry out any automated decision-making, including profiling, that produces legal effects or similarly significantly affects you, within the meaning of Article 22 GDPR. Licence verification, scan counting, rate limiting, and cloud sync are technical operations and do not involve any assessment of your personal characteristics or circumstances.

8. Data Retention

Licence key, subscription, watchlist, folder, tag, Trend Finder, and saved-reel data stored locally in Chrome storage is retained on your device for as long as the extension is installed, and is automatically deleted when you uninstall the extension. We do not hold copies of locally-stored data on our own servers, except for the cloud-sync copy described below.

IP-derived data stored by the scan-counting service is automatically deleted after approximately 48 hours.

Cloud-synced content (watchlist, Trend Finder, and saved-reels data, for Pro users with sync enabled) is retained on our infrastructure for as long as the associated licence remains active and the user continues to use the sync feature. Users may request deletion of this content at any time by emailing info.statly@gmail.com. Content associated with licences that have been inactive for an extended period may be removed at our discretion to reduce storage of unused data.

Email correspondence is retained for as long as reasonably necessary to address your enquiry, after which it is deleted. Lemon Squeezy retains transaction data in accordance with its own legal and regulatory obligations and privacy policy.

9. International Data Transfers

The licence verification, scan-counting, API, and cloud-sync endpoints are delivered through Cloudflare's global network. Because Cloudflare operates data centres across multiple jurisdictions, including outside the European Economic Area (EEA), routing a request through Cloudflare's infrastructure may constitute a transfer of personal data (specifically, connection metadata, the short-lived IP-derived rate-limiting data described in Section 4.2, and the cloud-synced content described in Section 4.6) to third countries within the meaning of Chapter V GDPR.

Cloudflare relies on appropriate safeguards for such transfers, including Standard Contractual Clauses (SCCs) adopted pursuant to Article 46 GDPR. Details are available at cloudflare.com/privacypolicy.

Payments are processed by Lemon Squeezy, which may also operate infrastructure outside the EEA. Its own privacy policy describes the applicable transfer safeguards.

10. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restriction of processing (Article 18)
• Right to object (Article 21)
• Right to data portability (Article 20)
• Right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) at dpa.gr

To exercise any of the above rights, contact info.statly@gmail.com. We will respond within one month as required by Article 12 GDPR. Most data resides on your device; the most effective way to delete locally-stored data is to uninstall the extension. To delete cloud-synced data, please email us with the licence key for which deletion is requested.

11. Children's Privacy

Statly is not directed at, and is not intended for use by, individuals under the age of 16. We do not knowingly process personal data relating to children under 16.

12. Security Measures

We apply the following technical measures:

• All transmissions between the extension and our endpoints are protected by HTTPS (TLS) encryption in transit
• The extension is designed on a data minimisation principle
• The Instance ID is a randomly generated UUID with no link to any personal identifier
• IP-derived rate-limiting data is short-lived and automatically deleted
• Cloud-synced content is keyed to the user's licence key and is only accessible by requests presenting that key
• Local storage uses Chrome's sandboxed extension storage, inaccessible to other extensions or websites

No method of transmission or storage over the internet can be guaranteed to be completely secure. Statly's architecture is designed to minimise the volume and sensitivity of data processed, reducing risk proportionately.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be reflected by an updated version number and effective date at the top of this document. Where the changes are material, we will seek to notify users via the Chrome Web Store listing or another appropriate channel.