Get-Filly helps hospitality businesses fill smarter with AI marketing, automation, analytics and online visibility. To deliver our services, we process personal data of users, business owners and in some cases also guests of our customers. In this privacy statement we explain which data we process, why we do so, who we share data with, how long we retain data and which rights data subjects have.
The data controller within the meaning of the General Data Protection Regulation, hereinafter: GDPR, is:
| Data controller | Get-Filly, registered under Chamber of Commerce number 42068177 |
|---|---|
| Address | Saxen Weimarlaan 44-2, 1075 CD Amsterdam |
| info@get-filly.com | |
| Phone | +31 6 57737372 |
| Supervisory authority | Dutch Data Protection Authority |
In this privacy statement, "Get-Filly", "we", "us" and "our" refer to Get-Filly. We are established in the Netherlands and are subject to Dutch law and the supervision of the Dutch Data Protection Authority.
We process various categories of data, depending on how you use Get-Filly.
When you create an account, log in or use our platform, we process among other things:
We use this data among other things to create your account, give access to the platform, provide support and keep our services secure.
To make Get-Filly work properly, we process data about your business. This may include among other things:
When you connect a reservation system, import guest lists or use marketing features within Get-Filly, we may process personal data of your guests.
In that situation, you as the business owner are in principle the data controller within the meaning of the GDPR. You determine which personal data of your guests is collected, for which purposes it is used and how long it is retained.
Get-Filly acts as a processor here. We process guests' personal data solely on your instructions as a customer and according to your instructions.
With customers for whom we process guests' personal data, we conclude a data processing agreement in accordance with article 28 GDPR where legally required.
Guests' personal data may consist of, among other things:
The business owner remains responsible for having a valid legal basis for this processing and for informing guests about the use of their personal data. Get-Filly does not use guests' personal data for its own advertising purposes and does not sell this data to third parties.
When you use Get-Filly's AI features, we process data needed to run, secure and improve these features. This may consist of, among other things:
As far as possible, we limit the amount of personal data sent to AI systems.
When you use our website or platform, we automatically process certain technical data, such as:
We use this data for security, debugging, performance improvement and abuse prevention.
Get-Filly can analyse publicly accessible business information to generate insights, scores and recommendations. This may relate to, among other things:
These analyses are based on data that is publicly accessible or data for which the user has given consent via a connection or integration.
For payments, billing and administration we process data needed to handle subscriptions, invoices and payments. This may consist of, among other things:
For online payments we use Stripe. For banking services and business bank administration we may use bunq B.V. Stripe and bunq may act as independent data controllers for certain processing, for example for legal obligations, fraud prevention, security, payment processing and their own administrative obligations.
We only process personal data when there is a legal basis for it under the GDPR. When we rely on legitimate interest, we weigh our interest against the privacy interests of data subjects.
| Purpose | Examples | Legal basis |
|---|---|---|
| Create and manage account | login, user profile, roles | performance of the contract |
| Deliver services | AI suggestions, campaigns, analyses, dashboards | performance of the contract |
| Health Scores and benchmark reports | online visibility, reviews, website analysis | performance of the contract and legitimate interest |
| Connect integrations | Google, Meta, reservation systems, CRM | performance of the contract and consent where required |
| Process guest data on behalf of customer | reservation data, guest lists, marketing actions | processor role; customer determines the basis |
| Payment and billing | subscriptions, invoices, payment status | performance of the contract and legal obligation |
| Banking and administrative processing | bank transactions, reconciliation, bookkeeping | legal obligation and legitimate interest |
| Security and fraud prevention | logs, IP address, abuse detection | legitimate interest |
| Product improvement | aggregated or anonymised analyses | legitimate interest |
| Marketing to users | newsletters, product updates | consent or legitimate interest, depending on context |
| Legal administration | tax retention obligation | legal obligation |
Get-Filly analyses data about businesses, online visibility, reviews, websites, reservations, marketing activities and other relevant signals to generate insights and recommendations. Automatically calculated scores may be used here, including:
These scores are intended to give business owners insight into their digital presence, marketing potential and improvement opportunities. The scores are advisory in nature. They do not automatically lead to legal, financial or similarly significant consequences for individuals.
Get-Filly does not use these scores to assess, rank or make decisions about individual guests. Users can always ask for additional explanation about how analyses and recommendations are produced.
Get-Filly can be connected to external services, including among others: Google Business Profile, Google Analytics, Google Ads, Meta, Facebook, Instagram, TikTok, reservation systems, CRM systems, email marketing platforms, payment systems and bookkeeping and banking services.
We only obtain access to data for which the user has given consent or that is necessary for the functionality activated by the user. Per integration, the platform indicates where possible:
We do not request access to data that is not needed for the functionality we offer.
When you choose to connect your Google Business Profile to Get-Filly, we obtain access to certain data from your business profile via official Google APIs. Depending on the consent you have given, we may retrieve among other things the following data:
We use Google Business Profile data solely to deliver, manage and improve the Get-Filly features for which you have given consent. This may consist of, among other things:
Data we retrieve via the Google APIs is stored encrypted (both in transit and at rest). Access to this data is limited to authorised personnel who need the data to deliver our service. Get-Filly uses a multi-tenant architecture in which each customer's data and access tokens are stored logically separated and isolated, so that the data of one business is never accessible to another. Access tokens are stored encrypted and used solely for the specific connection for which you have given consent.
We do not retain the data retrieved via Google longer than necessary for the purposes described above. When you disconnect a connected Google Business Profile, the associated access tokens are revoked immediately and the stored Google Business Profile data is deleted from our systems within 30 days, except for data we are legally required to retain longer.
The use and transfer of information that Get-Filly receives via Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
Get-Filly's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
For features where Get-Filly can perform actions automatically, such as replying to reviews, publishing posts or updating profile data, these are only carried out when you deliberately activate the feature or give prior consent for it.
You can disconnect a connected Google Business Profile at any time via the Get-Filly dashboard or via your Google account. After disconnection we no longer retrieve new data via that connection and connected tokens are revoked or deleted as described above.
In addition, you can manage or revoke the consent you have given directly via your Google account: myaccount.google.com/permissions. Revoking consent does not affect data that has already been lawfully processed before the moment of revocation.
When you choose to connect your Meta, Facebook or Instagram account to Get-Filly, we obtain access solely to the data and features for which you have given consent via the official Meta APIs.
Depending on the connected integration, we may obtain access to, among other things:
We use this data and these features solely to deliver, manage and improve the Get-Filly features for which you have given consent. This may consist of, among other things:
We do not sell Meta, Facebook or Instagram data to third parties.
We do not use this data for third-party advertising purposes.
We do not use this data to train public AI models.
We do not share this data with advertising networks or data brokers.
We do not publish, change, schedule, reply to, moderate or delete content on your Meta, Facebook or Instagram account without an explicit action, approval, setting or instruction from you as the user.
For features where Get-Filly can perform actions automatically, such as publishing pre-approved posts, scheduling content or replying to reactions, these are only carried out when you deliberately activate the feature or give prior consent for it.
When content is published via Get-Filly on Facebook, Instagram or other Meta platforms, this is done on behalf of the connected business or the connected account of the customer. The customer remains responsible for the content, accuracy, timing, lawfulness and consequences of published content.
You can remove a connected Meta, Facebook or Instagram integration at any time via the Get-Filly dashboard or via the settings of your Meta, Facebook or Instagram account. After disconnection we no longer retrieve new data via that connection and connected tokens are revoked or deleted according to our retention policy.
When Meta forwards a data deletion request to Get-Filly, or when you request deletion yourself, we delete the data associated with the relevant Meta integration, unless we are legally required to retain certain data longer.
Get-Filly uses AI systems to enable features such as: response generation within the Filly model, campaign proposals, review replies, menu analyses, website analyses, reports, chat features, internal quality control and code and development support.
For these features we may use services from Anthropic, PBC, including Claude, Claude Code and/or the Anthropic API.
When you use AI features, the content of your question, relevant business context, files, prompts, instructions, generated responses and technical metadata may be sent to and processed in Anthropic's systems. This means that data needed for response generation may technically end up in Anthropic's systems, storage environments or databases, insofar as necessary to deliver the AI service, ensure security, detect abuse or comply with applicable terms and legal obligations.
Insofar as we use Claude Code for response generation, analysis or development support within the Filly model, the same limitation applies: we provide only data that is reasonably necessary for the relevant feature and try to limit or pseudonymise personal data as much as possible.
Get-Filly does not use customer data to train public AI models. Insofar as we use external AI suppliers, we do so solely under terms that fit business services and data protection. We do not allow customer data to be used to train public AI models, unless a customer separately, in advance and explicitly agrees to this.
AI output may contain errors, be incomplete or be based on incorrect context. Users remain responsible for checking AI output before using it for:
Get-Filly does not guarantee that AI output is always complete, accurate, up to date or suitable for a specific purpose.
We only share personal data with parties when this is necessary to deliver our services, when you activate an integration, or when we are legally required to do so.
With parties that act as a processor, we conclude a data processing agreement where required. Some parties, such as Stripe, bunq, Google and Meta, may also act as independent data controllers for certain processing, for example for legal obligations, fraud control, security, payment transactions, platform management or their own services. In that case their own privacy policy also applies.
| Party | Function | Location / transfer |
|---|---|---|
| Supabase, Inc. | Database, authentication and file storage | EU region where possible |
| Anthropic, PBC | AI models, Claude, Claude Code, response generation and analysis | United States / international, with appropriate safeguards |
| Resend, Inc. | Transactional and marketing emails | EU/United States, depending on configuration |
| Vercel, Inc. | Hosting of website and dashboard | EU region where possible / international |
| Stripe | Payments, payment statuses, subscriptions and billing | EU/United States / international |
| bunq B.V. | Banking services, business account, payment administration | Netherlands/EU |
| Only when the user activates the Google integration | Depending on Google services and settings | |
| Meta Platforms | Only when the user activates the Meta, Facebook or Instagram integration | Depending on Meta services and settings |
We do not sell personal data. We do not share personal data with third-party advertising networks for their own advertising purposes.
Some service providers or platforms we use are established outside the European Economic Area, for example in the United States. When personal data is transferred outside the European Economic Area, we ensure an appropriate transfer mechanism. Depending on the situation, this may be:
We assess per supplier which safeguards apply and record these contractually where necessary.
We do not retain personal data longer than necessary for the purposes for which it was collected, unless we are legally required to retain data longer. After the retention periods expire, we delete or anonymise data. Aggregated and anonymous statistics, which are not traceable to individuals or customers, may be retained longer for product improvement, benchmarking and trend analysis.
| Type of data | Retention period |
|---|---|
| Account data | duration of the subscription + a maximum of 1 year after termination |
| Customers' guest data | according to the customer's settings; by default a maximum of 2 years after the last visit |
| Reservation, review and campaign results | duration of the subscription + a maximum of 1 year |
| Health Score and benchmark data | duration of the subscription + a maximum of 1 year |
| OAuth tokens and integration data | as long as the integration is active; after disconnection tokens are revoked or deleted |
| Google and Meta integration data | as long as necessary for the connected feature or until deletion/disconnection |
| AI usage logs | a maximum of 24 months for cost control, security and debugging |
| AI content at external AI suppliers | according to the contractual terms and retention periods of the relevant supplier |
| Invoices and payment administration | 7 years due to the tax retention obligation |
| Banking and payment data | as long as needed for administration, reconciliation and legal obligations |
| Security logs and error messages | a maximum of 12 months, unless needed longer for investigation |
| Marketing preferences | until you unsubscribe, plus registration of withdrawal where necessary |
We take appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, disclosure, alteration or destruction. Our measures include among other things:
OAuth tokens and API keys are stored securely and are only accessible to systems and staff who need them to perform the services.
Under the GDPR you have various rights regarding your personal data. You have, among other things, the right to:
You can submit a request via: info@get-filly.com. We respond in principle within 30 days.
When a request concerns personal data of guests that we process on behalf of a customer, we may forward the request to the relevant customer or handle it in consultation with the customer, because the customer is the data controller in that situation.
You can withdraw consent for integrations or data processing by:
After withdrawal of an integration we no longer retrieve new data via that connection. We delete data that has already been processed when a valid request for this is submitted, unless we still need to retain this data due to legal obligations, contractual obligations, security, disputes or legitimate administrative reasons.
Data supplied by customers or processed via connections on behalf of customers remains the property of the relevant customer or rights holder. Get-Filly only obtains the usage rights needed to perform the agreed services. Get-Filly does not claim ownership of:
Our services are aimed at business users and are not intended for persons under 16 years of age. We do not knowingly collect personal data of minors as direct users of our platform. When data of minors appears in a customer's guest data, Get-Filly processes it solely as a processor on the instructions of the relevant customer.
When a security incident occurs that may affect personal data, we act in accordance with our internal data breach procedure and the applicable legal reporting obligations. If necessary, we report a data breach to the Dutch Data Protection Authority and/or inform data subjects.
Did you discover a vulnerability or security issue? Report it via info@get-filly.com with the subject "Security report". We take security reports seriously and investigate reports as soon as possible.
We may change this privacy statement from time to time, for example when we add new features, offer new integrations, use other suppliers or when laws and regulations change. In the event of material changes, we inform existing customers via email, the dashboard or another appropriate way. The date at the top of this statement indicates when the statement was last updated.
For questions about this privacy statement, privacy requests or concerns about the processing of personal data, you can contact:
Do you disagree with how we process your personal data and can we not work it out together? Then you have the right to file a complaint with the Dutch Data Protection Authority: autoriteitpersoonsgegevens.nl.