Privacy Policy

Last updated: 30 April 2026

This Privacy Policy explains what data the CleanFollow Chrome extension and its companion SaaS backend collect, why we collect it, how it is processed, where it is stored, and with whom it is shared. It applies to the Chrome extension (the "Extension"), the website at cleanfollow.me (the "Site") and the companion backend (the "Service"). Together they are referred to as "CleanFollow".

1. Data Controller

Les Artisans Du Digital — LADD
Legal form: SAS
SIREN: 952 778 041
Address: 25 rue de Ponthieu, 75008 Paris, France
Director: Jean-Michel BONI
Email: contact@lesartisansdudigital.fr
Phone: Call us

2. Summary — at a glance

• Email + password (or Google OAuth ID) → Firebase Authentication. Used for sign-in.
• Plan, usage counters, scan history, settings → Cloud Firestore (europe-west1). Used to enforce plan limits and sync across devices.
• Stripe customer / subscription ID → Firestore + Stripe. Used for subscription management.
• Card details & billing address → Stripe only, never reach our servers.
• Email address (transactional) → Brevo (Sendinblue). Used to send receipts and account emails.
• Instagram session cookies → stay in your browser. Used by the Extension to call Instagram's own API on your behalf. Never transmitted to us.
• Filter preferences, custom rules, friendship cache, snapshots → Local Chrome storage only.

We never sell your data, share it for advertising, train AI models on it, or transmit your Instagram credentials anywhere.

3. What the Extension reads from your browser

To perform its core function, the Extension runs on https://www.instagram.com/* and:

• Reads your authenticated Instagram session (cookies + CSRF token) inside your browser only, the same way the Instagram website itself does. These tokens are never sent to our servers.
• Calls Instagram's own private API endpoints (/api/v1/friendships/*, /api/v1/users/*) to:
  • List who you follow
  • Read public profile fields (username, full name, biography, follower / following / media counts, verified / private flags, default-avatar flag) used by the heuristic-based filters (advanced filters, dormant / fake account detection)
  • Read friendship state (mutual follow, follow date) when you opt in to the corresponding filters
  • Submit unfollow requests when you click Start Cleaning
• Stores the results locally in chrome.storage.local (filter preferences, whitelist, custom rules, friendship cache valid 24 h, scan history snapshots).

We do not read or transmit:

• Your Instagram password
• Direct messages
• Stories, posts, or any media content
• Browsing history outside instagram.com
• The content of any other tab

4. Account & subscription data (SaaS backend)

To enforce monthly unfollow limits across devices and to manage paid plans, the Extension communicates with our backend (Google Cloud Functions, region europe-west1, Firebase project cleanfollow-saas).

For each registered user we store, on Cloud Firestore:

• Firebase Auth UID and the email address you signed up with
• Optional Google OAuth profile name (if you choose Google sign-in)
• Plan name (free, starter, pro, unlimited), monthly usage counter, booster credits, billing cycle dates
• Stripe customer ID and subscription ID (no card data)
• Optional whitelist (usernames you protect from unfollowing) — opt-in cloud sync only
• Generated API key (only if you enable API access on the Unlimited plan)
• Aggregated, non-personal scan metadata (counts) for the in-app analytics on your own dashboard

We do not store your Instagram username, your following list, or any data scraped from Instagram on our servers.

Sign-in is handled by Firebase Authentication (Google LLC). You can sign in with email + password or with Google OAuth. Passwords are managed entirely by Firebase Auth — they never reach our backend code or our database in plaintext.

5. Payments

Subscriptions and one-time Booster Pack purchases are processed by Stripe, Inc.

• You enter your card details directly on Stripe's hosted Checkout page.
• Card numbers, CVV, and billing addresses never reach our servers or the Extension.
• We only store the resulting Stripe customer ID and subscription ID, returned by Stripe via webhook, in order to know which plan you have and to let you cancel.
• See Stripe's privacy policy: stripe.com/privacy

6. Transactional email

We use Brevo (formerly Sendinblue) to send transactional emails (welcome, plan change confirmation, payment receipt, churn / win-back). Your email address and first name are shared with Brevo strictly for this purpose. We do not use Brevo for unsolicited marketing.

See Brevo's privacy policy: brevo.com/legal/privacypolicy

7. Sub-processors / third parties

• Google LLC — Firebase Authentication — sign-in (email, password hash, OAuth ID)
• Google LLC — Cloud Firestore — account & usage storage (UID, email, plan, usage, Stripe IDs) — region europe-west1
• Google LLC — Cloud Functions — backend API (auth token, request parameters) — region europe-west1
• Google LLC — Firebase Hosting — Site hosting (IP address, user-agent in server logs)
• Stripe, Inc. — payment processing (email, billing address, card data)
• Brevo (Sendinblue) — transactional email (email, first name)
• Instagram (Meta Platforms, Inc.) — direct interaction by your browser using your existing Instagram session

We do not use Google Analytics, Facebook Pixel, or any other advertising / tracking script in the Extension. Some analytics scripts (Google Tag Manager, TikTok Pixel, Microsoft Clarity) may be loaded on the marketing Site only, subject to your cookie consent.

8. Permissions used by the Extension

• tabs — find your Instagram tab and reactivate it during a scan
• storage — save filter preferences, whitelist, friendship cache, and snapshots locally on your device
• identity — implement Google OAuth sign-in (chrome.identity.launchWebAuthFlow)
• alarms — schedule recurring scans (Pro plan)
• notifications — notify you when a long scan or cleaning session completes
• host_permissions for https://www.instagram.com/* — inject the content script that performs the scan and unfollow actions

The Extension does not request <all_urls>, webRequest, cookies, or any permission that would let it observe other websites.

9. Data retention & deletion

• Local extension data is removed automatically when you uninstall the Extension. You can also clear it from the Account tab → "Sign out".
• Account data (Firebase Auth + Firestore) is kept for as long as your account exists. To delete your account and all associated data, email contact@lesartisansdudigital.fr with the subject "Account deletion request" from the email address linked to your account. We confirm deletion within 30 days.
• Stripe data is retained according to Stripe's policies and applicable accounting law (typically 7 years for invoicing records).

10. Children

CleanFollow is not directed to children under 13. We do not knowingly collect data from children under 13. Instagram itself requires users to be at least 13 years old.

11. Your rights (GDPR / CCPA)

If you reside in the EEA, the UK, or California, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion ("right to be forgotten")
• Restrict or object to processing
• Receive your data in a portable format
• Lodge a complaint with your local data protection authority

To exercise these rights, contact contact@lesartisansdudigital.fr. We respond within 30 days.

12. Security

• All network traffic uses HTTPS / TLS.
• Firebase Auth ID tokens are short-lived (1 hour) and refreshed automatically.
• Firestore Security Rules restrict every document so it can only be read or written by the authenticated user it belongs to.
• Stripe webhooks are signed and verified.
• We do not store payment card data on any system we operate.

13. International data transfers

Our backend is hosted in the europe-west1 (Belgium) Google Cloud region. Some sub-processors (Stripe, Firebase Hosting CDN) may process data in the United States under appropriate safeguards (Standard Contractual Clauses, EU-US Data Privacy Framework where applicable).

14. Cookies

The Extension uses only essential storage via chrome.storage.local, no tracking cookies. The Site uses essential cookies (authentication, security) and, subject to your consent banner, optional analytics cookies.

15. Changes to this Policy

When we materially change this Policy we update the "Last updated" date and, for breaking changes, notify active users by email and via an in-extension banner.

16. Contact

Data Protection Officer (DPO): contact@lesartisansdudigital.fr