Privacy Policy
Full transparency on how Fromly handles your data.
Last updated: May 22, 2026
1. Who we are
Fromly is a productivity service available on Web, Mac and iPhone, developed and operated by Alberto Lezaun Pérez. Contact: hello@fromly.app.
2. What data we collect
2.1 Account data
- Email: To identify your account, sign in and communicate with you.
- Password: Stored as a bcrypt hash (never in plain text). If you use Google or Apple sign-in, no password is stored.
- Subscription and license status: Active plan, renewal dates.
- AI token balance: If you use managed AI, we record consumption for billing.
2.2 Synced content
Fromly syncs your notes, tasks, projects and journal between devices through our server. All your content is stored in our database (PostgreSQL on Railway, US East region) encrypted in transit via TLS. This is required for real-time sync between Web, Mac and iPhone to work.
2.3 Payment data
Payments are processed through LemonSqueezy. We do not store card details or financial information. LemonSqueezy acts as Merchant of Record and has its own privacy policy.
2.4 AI data
When you use AI features (chat, AI editor, agents):
- Fromly selects relevant fragments from your notes and sends them along with your query to the chosen AI provider (Anthropic, OpenAI or Google).
- We do not store queries or responses on our servers.
- If you use your own API key, requests go directly from your device to the provider.
2.5 Google Calendar
If you connect your Google account, we access your Google Calendar exclusively to display your events in Fromly's planner and to create, update, or delete events when you schedule tasks. We use OAuth 2.0 for authentication; we do not store your Google password. Access is strictly limited to the permissions you grant.
Fromly's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
2.6 Published notes
If you choose to publish a note (optional feature), the content of that specific note is publicly accessible via a unique URL. You can unpublish it at any time, which removes it from public access.
3. Data we do NOT collect
- Usage telemetry or analytics: We do not track which features you use, time in app, or browsing behavior.
- Device identifiers, MAC address, hardware or location.
- Tracking cookies on fromly.app — we do not use Google Analytics, Facebook Pixel or similar.
4. How we use your data
- To provide and maintain the sync service.
- To manage your account, subscription and feature access.
- To send service-related communications (no marketing without your consent).
- To ensure the security and integrity of the service.
5. Legal basis for processing (GDPR)
- Contract performance (Art. 6.1.b): Account data and sync required to provide the service.
- Consent (Art. 6.1.a): Optional integrations such as Google Calendar.
- Legitimate interests (Art. 6.1.f): Service security and fraud prevention.
- Legal obligation (Art. 6.1.c): Billing data under applicable tax regulations.
6. Where data is stored
- Content and account data: PostgreSQL database on Railway, US East region (United States). Railway is SOC 2 Type II compliant.
- Attachments: Cloudflare R2 (global CDN with distributed storage).
- Payment data: Managed by LemonSqueezy (Merchant of Record).
Data transfers outside the EEA are made under appropriate GDPR safeguards (Standard Contractual Clauses).
7. Data retention
- Account data and content: Retained while your account is active. Deleted within 30 days of a deletion request.
- Billing data: Retained per legal obligations (minimum 4 years under Spanish law).
- Published notes: Deleted immediately upon unpublishing.
8. Your rights
Under the GDPR, you have the right to:
- Access: Request a copy of your data. You can export it from Settings → Export.
- Rectification: Correct inaccurate data.
- Erasure: Request deletion of your account and all associated data.
- Portability: Export your content in JSON or Markdown format.
- Objection and restriction: Object to or restrict certain processing.
- Withdraw consent for optional integrations at any time.
To exercise these rights: hello@fromly.app.
You may also lodge a complaint with your local data protection authority.
9. Security
We apply appropriate technical and organizational measures: TLS encryption in transit, secure password hashing (bcrypt), short-lived JWT token authentication and restricted database access.
10. Minors
Fromly is not directed at users under 16. If you believe a minor has created an account, contact us to have it removed.
11. Changes to this policy
We will publish changes on this page with the updated date. For significant changes, we will notify you by email.
12. Contact
hello@fromly.app