Last updated: 9 March 2026

Overview

Statly analyses Instagram pages entirely within your browser. No Instagram data, scan results, or browsing activity is ever sent to any server we control. The only outbound transmissions from the extension are: (1) your licence key, sent over HTTPS to verify your paid subscription, and (2) an anonymous instance identifier (UUID), sent to our scan-counting service to enforce the daily scan limit for free users. Neither transmission contains any Instagram data or personally identifiable information beyond what is described in Section 4.

Payments are handled entirely by Lemon Squeezy, who act as Merchant of Record. The legal transaction is between you and Lemon Squeezy directly — we never see your card details. If you contact us by email for support, we use your message solely to respond to you.

We do not use analytics, tracking pixels, advertising SDKs, or cookies of any kind. Your licence, subscription details, and scan count data are stored locally in Chrome on your device and are deleted automatically when you uninstall the extension.

You can exercise any GDPR right — including requesting deletion of data we hold — by emailing info.statly@gmail.com. Full details are in the numbered sections below.

1. Definitions

"Personal data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of Regulation (EU) 2016/679 (GDPR).

"Processing" means any operation performed on personal data, whether or not by automated means, including collection, storage, use, transmission, or deletion.

"We", "us", "our" refers to Miltiadis Themelis, the Data Controller.

"Instance ID" means a randomly generated universally unique identifier (UUID v4) created by the extension on first installation and stored locally in Chrome extension storage. It contains no personal information and is used solely to count daily scans per installation.

2. Identity and Contact Details of the Data Controller

Name: Miltiadis Themelis

Location: Thessaloniki, Greece

Email: info.statly@gmail.com

All data protection enquiries, requests to exercise data subject rights, and complaints should be directed to the email address above.

Data Protection Officer (DPO): No DPO has been appointed. This is not required under Article 37 GDPR, as the processing activities carried out do not meet the thresholds that trigger a mandatory DPO appointment (i.e., large-scale processing of special categories of data, or systematic monitoring of individuals).

3. About Statly and How It Works

Statly is a Chrome browser extension that runs on Instagram web pages. It reads publicly visible content already rendered in your browser and performs analytics calculations locally, within your browser session on your own device.

Statly does not:

• transmit Instagram profile data, scan results, analytics outputs, or browsing activity to any server;

• access login credentials, private messages, or authentication tokens;

• modify Instagram's backend systems; or

• bypass any authentication mechanism.

All Instagram analysis occurs exclusively on your device.

4. Personal Data We Process

4.1 Licence Key Transmission (Paid Users Only)

If you hold a paid subscription, the extension transmits your licence key to a licence verification endpoint hosted on Cloudflare Worker infrastructure. This transmission occurs over HTTPS and serves exclusively to confirm that your licence is valid.

IP addresses are personal data under GDPR. In the course of processing the HTTPS request, your IP address and standard connection metadata will be received and processed by Cloudflare as a data processor providing infrastructure services. We do not intentionally log, store, or otherwise retain IP address data on our systems. Cloudflare's processing of connection metadata is subject to its own data protection obligations and policies, over which we have no direct operational control.

4.2 Instance ID and Scan Count Transmission (All Users)

To enforce the daily scan limit for free users, the extension transmits an anonymous Instance ID to a separate scan-counting endpoint hosted on Cloudflare Worker infrastructure. This occurs on every extension open and on every scan attempt by free-tier users.

The Instance ID is a randomly generated UUID (e.g. "a1b2c3d4-...") created on first use and stored locally. It is not linked to your name, email address, Instagram account, or any other identifying information. It exists solely to count how many scans have been performed from a given installation within a calendar day.

As with licence key verification, Cloudflare will process your IP address and standard connection metadata as part of handling the HTTPS request. We do not log or retain this data on our own systems.

Pro (paid) users are not subject to daily scan limits; the Instance ID is used for licence activation pairing rather than scan counting in their case.

4.3 Local Storage (All Users)

The extension stores the following data locally in Chrome's extension storage on your device:

• Licence key (paid users only)

• Subscription status and tier

• Last licence verification timestamp

• Instance ID (UUID — anonymous, no personal information)

• Scan date (today's local date, in YYYY-MM-DD format)

• Scan count (number of scans performed today — resets daily at local midnight)

All of this data remains on your device at all times. It is not transmitted to us (beyond the Instance ID and licence key transmissions described above). It is automatically deleted when you remove the extension from your browser.

4.4 Payment Information

Payments for paid subscriptions are processed by Lemon Squeezy (a product of Lemon Squeezy LLC). Lemon Squeezy operates as a Merchant of Record, meaning that the legal transaction takes place directly between you and Lemon Squeezy — not between you and us. Lemon Squeezy is responsible for collecting and processing all payment data, including card details and billing information, which we do not receive, process, or store.

As part of licence fulfilment, Lemon Squeezy may transmit to us limited data via webhook upon a successful transaction, such as a transaction identifier and subscription status, solely for the purpose of generating and activating a licence key. We do not independently store customer transaction records.

4.5 Email Support Communications

If you contact us by email, we will process the information you provide — including your email address and the content of your message — for the purpose of responding to your enquiry. We do not use this information for any other purpose, and we do not share it with third parties. Email correspondence is retained for as long as reasonably necessary to resolve your enquiry.

5. What We Do Not Collect

For the avoidance of doubt, we do not collect, process, or store any of the following:

• Instagram profile data, posts, followers, engagement metrics, or any other content you analyse using Statly;

• Browsing history or browsing activity;

• Usage statistics or behavioural analytics;

• Data via Google Analytics, tracking pixels, advertising SDKs, or third-party analytics services;

• Cookies used for tracking or profiling;

• Login credentials, passwords, or authentication tokens;

• Any information that identifies you personally beyond what is described in Section 4.

6. Legal Basis for Processing

We process personal data only to the extent described in Section 4. The applicable legal bases under Article 6 GDPR are as follows:

Contractual necessity (Article 6(1)(b) GDPR): Transmission of the licence key is necessary for the performance of a contract with you (your paid subscription). Without verifying your licence key, we cannot provide access to the paid features of Statly.

Legitimate interests (Article 6(1)(f) GDPR): Transmission of the anonymous Instance ID for scan counting is based on our legitimate interest in operating a commercially sustainable free tier with a fair usage limit. The Instance ID contains no personal information and the processing is minimal and non-intrusive. We have assessed that this interest is not overridden by the interests, rights, or freedoms of data subjects.

Legitimate interests (Article 6(1)(f) GDPR): To the extent that Cloudflare's processing of connection metadata during licence verification and scan counting also serves fraud prevention and service integrity purposes, we rely on our legitimate interest in operating a secure and commercially sustainable service.

Legitimate interests (Article 6(1)(f) GDPR): Processing of email correspondence is based on our legitimate interest in responding to user communications and providing effective support.

7. Automated Decision-Making

We do not carry out any automated decision-making, including profiling, that produces legal effects or similarly significantly affects you, within the meaning of Article 22 GDPR. Licence verification and scan counting are technical validation steps and do not involve any assessment of your personal characteristics or circumstances.

8. Data Retention

Licence key and subscription data stored locally in Chrome storage is retained on your device for as long as the extension is installed. It is automatically and permanently deleted when you uninstall the extension. We do not hold copies of this data on our own servers.

The Instance ID is stored locally and persists for as long as the extension is installed. The daily scan count and scan date reset automatically at local midnight each day and are deleted when the extension is uninstalled.

Email correspondence is retained for as long as reasonably necessary to address your enquiry, after which it is deleted. Lemon Squeezy, as Merchant of Record, retains transaction data in accordance with its own legal and regulatory obligations and its own privacy policy. Cloudflare Workers do not retain persistent logs of verification or scan-count requests by default.

9. International Data Transfers

The licence verification and scan-counting endpoints are delivered through Cloudflare's global network. Because Cloudflare operates data centres across multiple jurisdictions, including outside the European Economic Area (EEA), routing a request through Cloudflare's infrastructure may constitute a transfer of personal data (specifically, connection metadata including IP addresses) to third countries within the meaning of Chapter V GDPR.

Cloudflare relies on appropriate safeguards for such transfers, including Standard Contractual Clauses (SCCs) adopted pursuant to Article 46 GDPR. Details of Cloudflare's transfer mechanisms are available at https://www.cloudflare.com/privacypolicy/. We do not have independent contractual control over Cloudflare's infrastructure routing decisions.

Payments are processed by Lemon Squeezy, which may also operate infrastructure outside the EEA. Its own privacy policy describes the applicable transfer safeguards. We do not ourselves transfer personal data outside the EEA.

10. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights in relation to personal data we process about you:

• Right of access (Article 15 GDPR): You may request confirmation of whether we process personal data about you and, if so, a copy of that data.

• Right to rectification (Article 16 GDPR): You may request correction of inaccurate personal data we hold.

• Right to erasure (Article 17 GDPR): You may request deletion of your personal data where the conditions of Article 17 are met.

• Right to restriction of processing (Article 18 GDPR): You may request that processing of your personal data be restricted in certain circumstances.

• Right to object (Article 21 GDPR): Where processing is based on legitimate interests, you may object. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

• Right to data portability (Article 20 GDPR): Where processing is based on contract and carried out by automated means, you may request a copy of your data in a structured, commonly used, machine-readable format.

• Right to lodge a complaint: You have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) at https://www.dpa.gr.

To exercise any of the above rights, please contact us at info.statly@gmail.com. We will respond within one month of receiving your request, as required by Article 12 GDPR.

Given that most data processed by Statly resides exclusively on your device, the most effective way to delete locally stored data is to uninstall the extension from your browser.

11. Children's Privacy

Statly is not directed at, and is not intended for use by, individuals under the age of 16. We do not knowingly process personal data relating to children under 16. If you believe that a child under 16 has provided us with personal data, please contact us at info.statly@gmail.com and we will take appropriate steps.

12. Security Measures

We apply the following technical measures commensurate with the nature and volume of data we process:

• All licence key and Instance ID transmissions between the extension and the verification/scan-counting endpoints are protected by HTTPS (TLS) encryption in transit.

• The extension is designed on a data minimisation principle: only the licence key and anonymous Instance ID are transmitted, and no analytics, profile, or behavioural data leaves your device.

• The Instance ID is a randomly generated UUID with no link to any personal identifier.

• Local storage of subscription and scan data relies on Chrome's built-in extension storage mechanism, which is sandboxed to the extension and not accessible to other browser extensions or websites.

No method of transmission or storage over the internet can be guaranteed to be completely secure. However, the architecture of Statly is deliberately designed to minimise the volume and sensitivity of data processed, thereby reducing risk proportionately.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the functionality of Statly. Any changes will be reflected by an updated version number and effective date at the top of this document. Where the changes are material, we will seek to notify users via the Chrome Web Store listing or another appropriate channel.

Continued use of Statly after an updated policy becomes effective constitutes your acknowledgment of the revised terms.

Statly Privacy Policy — © 2026 Miltiadis Themelis — info.statly@gmail.com