Privacy Policy

AutoFill Portal Chrome Extension — Last updated: April 15, 2026

Data minimization commitment: We store only what is essential for the product
to work. CSV files are stored in your browser only — they are never
retained in our database. Fill event analytics are stored as anonymized one-way hashes with
no link to your account. Fill snapshots (return-visit pre-fill data) are stored in your
browser, not on our servers. You can delete all your data at any time from your account page,
and account deletion is a hard delete with immediate effect — no waiting period, no
manual request required.

1. Who We Are

AutoFill Portal is a Chrome browser extension that helps licensed contractors fill out government permit application forms automatically using data from a spreadsheet (CSV or Excel file). The extension communicates with a hosted backend server (Railway) to perform intelligent field matching, learn from corrections, and optionally generate AI suggestions.

2. What Data We Collect

2a. Data You Enter Directly (“Profile”)

The extension includes a contractor profile where you can enter your name or company name, contractor license number, insurance policy number, phone number, email address, and business address. This data is stored on the AutoFill Portal backend server (PostgreSQL on Railway), in the users.profile_data column associated with your account. It is transmitted to the backend during each form-fill action, where it is used to pre-fill contractor-identity fields on the current form. Profile data is retained until you delete your account (see §7).

2b. Your CSV / Excel Spreadsheet

When you upload a CSV or Excel file, your data is stored in your browser (chrome.storage.local) and is never retained in our database. For form-fill actions, the currently selected row from your CSV may be sent to the server as a dictionary of field values to power field matching — but no copy of the full CSV is stored on our servers. We do not share, sell, or analyze your CSV for any purpose other than powering the field-matching feature.

2c. Fill Session Analytics

Each time you use Auto-Fill, the extension sends two records to the server:

Anonymized aggregate record (fill_events table):

A one-way SHA-256 hash of your API key — cannot be reversed to identify you. After account deletion, the hash cannot be linked back to any account.
The domain name of the permit portal (e.g., permits.city.gov)
The PDF form fingerprint (a hash of form structure, not content)
Counts of fields found, filled, and skipped
Fill rate, retry count, and confidence score

Return-visit pre-fill snapshot (chrome.storage.local, browser only):

To pre-populate the same form on your next visit, a snapshot of filled field values is stored in your browser (chrome.storage.local), keyed by portal domain and a stable project row key. No field values are retained on our servers. The submission_history table on the server records only aggregate metadata: portal domain, project row key, and the count of fields filled — no field values, no personal data. This metadata is used to match return visits to known projects and is deleted when you delete your account or use the “Clear my data” button.

Fill event analytics older than 90 days can be deleted via the “Clear my data” button on your account page.

2d. Self-Learning Corrections

When you manually swap a field’s assigned column, a correction record is stored in the field_locks_global table containing the field fingerprint and the CSV column name you chose. No user identity, form values, or personal information are stored. These records improve future auto-fill results for all users on the same form.

2e. Portal Field Mappings (Shared Cache)

When you fill forms, a statistical fingerprint of the field-to-column mapping is recorded in the pdf_field_maps table. Each record contains only the form structure fingerprint, field names, and matched column names — no user identity, no form values. These records improve matching for all users on the same form and are shared globally.

2f. PDF Filler

When you use the PDF Filler feature, your PDF document is processed entirely within your browser using JavaScript. No PDF content, PDF bytes, or document text is ever transmitted to our servers. We receive only the AcroForm field names extracted from your PDF — not their values, not the document content — for the purpose of matching them to your project data. After you save a filled PDF, a fill-success signal is sent containing only field names, counts, and hashed analytics (see §2c).

When loading a PDF from a URL (e.g., a link detected by the extension on a government permit portal), the document is fetched through our servers via the /api/pdf-proxy endpoint solely to bypass browser security restrictions that prevent direct cross-origin downloads. The PDF bytes are immediately streamed to your browser and are never stored, logged, or retained in any form on the server.

2g. AI Field Analysis (PDF Vision)

When you use the PDF Filler feature, each page of your PDF is rendered as an image in your browser and sent to Anthropic’s Claude AI API solely to identify the form fields and their labels. These images contain only the blank form layout — not your personal data or filled values. Anthropic does not store these images beyond the duration of the API call. Analysis results are cached on our servers by form fingerprint so the same form is never analyzed twice. We never send filled PDF content or personal information to Anthropic.

2m. CSV Project Data (PDF Filler Storage)

When you upload a CSV or Excel file directly within the PDF Filler page, your project data is stored in your browser (chrome.storage.local) and is never retained in our database. The project selector is pre-populated from browser storage on each visit. See §2b for full details on CSV data handling.

2h. Account Data

When you create an account at autofillportal.com/signup, we collect and store your email address, a bcrypt-hashed password (we never store your plain-text password), and a randomly generated API key used to authenticate the extension. We also record the account creation timestamp and your last login timestamp. Your API key can be rotated at any time from the account page, which immediately invalidates the previous key.

3. What Data We Do Not Collect

We do not collect, log, or store any values you type into government permit forms.
We do not use your real name, email address, or contact information for marketing without your explicit consent.
We do not use cookies, tracking pixels, or third-party analytics services.
We do not sell, rent, or share any data with third parties.
We do not use your data for advertising.
We do not store raw API keys in fill analytics — only SHA-256 hashes.

4. How Data Is Stored

In Your Browser

Preferences, session context, CSV row selections, match type settings, and your stored API key are stored in chrome.storage.local and chrome.storage.session. This data remains on your device and is controlled entirely by Chrome. Your contractor profile is stored on the server, not in the browser.

On Our Server (Railway / PostgreSQL)

The production server uses a PostgreSQL database hosted on Railway. The following tables store user-associated data:

Table	Contents	Retention
`users`	Email, bcrypt password hash, API key, plan, timestamps, contractor profile data (name, company, license number, insurance carrier, phone, email, address). Contractor license credential arrays are stored in your browser only.	Until account deletion
`fill_events`	SHA-256 hash of API key, domain, PDF fingerprint, field counts, fill rate. No raw API keys, no form values, no CSV values.	Deleted on account deletion; older than 90 days removable via “Clear my data”
`submission_history`	Portal domain, project row key, count of fields filled. No field values, no personal data. Field value snapshots are stored in your browser only.	Deleted on account deletion; clearable via “Clear my data”
`field_confirmations`	Per-form field acceptance signals keyed by user ID (no form values)	Deleted on account deletion
`pdf_field_maps`	Form structure fingerprint → field names + column matches (shared, no user link)	Indefinite (community cache)
`portal_fingerprints`	Per-portal correction memory: field label + semantic concept name (e.g., “contractor_license”). Never stores raw form values or CSV data. Concept-only schema enforced since April 2026.	Indefinite (shared per-portal cache)
`field_locks_global`	Community-learned field-to-column mappings (no user link, no values)	Indefinite (community data)
`scope_cache`, `haiku_column_cache`	AI classification results keyed by form fingerprint (no user data)	Indefinite (shared cache)

5. Third-Party Services

AutoFill Portal uses the following third-party services:

Railway — cloud hosting for the Flask backend and PostgreSQL database. Railway’s privacy policy applies to infrastructure-level data: railway.app/legal/privacy.
Anthropic Claude API (optional) — used when ANTHROPIC_API_KEY is configured on your server:
- PDF field analysis — rendered page images (blank form layout only, no filled values) sent to identify field labels and positions. Results cached by form fingerprint; the same form is never analyzed twice.
- Form type classification — page URL, title, and field names (no values) sent to identify permit type.
- Section classification — form section labels (text only, no user data) sent to classify sections as contractor, project, owner, or neutral.
- Column matching — unmatched field names and CSV column names (no CSV values) sent to suggest the best column match.
No personally identifying information (names, addresses, license numbers) is sent to Anthropic. Anthropic’s privacy policy: anthropic.com/privacy.

6. Data Retention

CSV files are stored in your browser only and never retained on our servers. You control them entirely via Chrome’s extension storage.
Fill event analytics are stored as anonymized hashes (not linked to your account after deletion). Fill events older than 90 days can be cleared on demand.
Submission history records (domain, project key, field count) are retained until account deletion or manual clear via “Clear my data”.
Your contractor profile is retained until account deletion.
Community caches (PDF field maps, learned mappings, portal fingerprints) contain no user data and are retained indefinitely to improve matching quality for all users.
Browser-stored data (API key, settings, CSV files, fill snapshots) is retained until you sign out of the extension or clear Chrome’s extension storage.

7. Your Rights and How to Exercise Them

Right to Access

Your contractor profile and account details are visible at autofillportal.com/account and autofillportal.com/account/profile.

Right to Erasure (Right to Be Forgotten)

Account deletion is fully implemented and takes effect immediately. Clicking “Delete my account” on the account page permanently deletes:

Your user record (email, password hash, API key)
Your contractor profile (all profile fields)
Your fill event analytics (both hashed and unhashed rows)
Your submission-history aggregate records
Your per-form confirmation/learning signals

CSV files and fill snapshots are stored in your browser only. Clearing Chrome’s extension storage removes them. Community data (field maps, learned mappings, portal fingerprints) is not user-linked and cannot be individually deleted, but contains no personally identifying information.

Clear My Data (Without Deleting Account)

The “Clear CSV & old fill history” button on your account page:

Deletes fill event records older than 90 days
Deletes submission-history aggregate records older than 90 days
Your account, profile, and API key are kept

Right to Portability

Your contractor profile can be viewed and copied from the account profile page. Your CSV data was uploaded by you and remains in your control.

API Key Rotation

You can rotate your API key at any time from the account page. Rotating immediately invalidates the previous key. If you use the extension, you will need to reconnect it with the new key (open extension → gear icon → Sign Out → paste new key).

8. Security

All communication between the extension and the backend server uses HTTPS. The backend API is authenticated with a per-user API key. Rate limiting (60 requests per minute globally, 10 per minute for AI endpoints) is enforced to protect service availability. Passwords are stored using bcrypt with a cost factor of 12. Session cookies are httpOnly, SameSite=Lax, and Secure in production.

The extension declares the scripting permission, which is used exclusively to synchronize third-party rich-text editors (TinyMCE, CKEditor) with filled values when those editors are embedded in permit portal pages. The background service worker calls chrome.scripting.executeScript with world: 'MAIN' to invoke the editor’s native API. This permission is never used to inject arbitrary code or monitor page content.

The extension declares the downloads permission, which is used exclusively to save the completed, filled PDF to the user’s local Downloads folder via chrome.downloads.download() after the user clicks “Save PDF”. The PDF is assembled entirely in the browser using pdf-lib.js. No PDF content is transmitted to any server.

The extension declares the webRequest (read-only) permission, which is used exclusively to detect when the browser navigates to a URL that returns a PDF response (identified by the Content-Type: application/pdf response header). When a PDF is detected, the extension redirects the tab to its built-in PDF viewer so the user can fill and save it. The listener reads only the response Content-Type header; it does not read, modify, store, or log any request body, response body, or URL beyond the redirect decision. No page content is observed.

9. Children’s Privacy

AutoFill Portal is designed for use by licensed contractors and business professionals. It is not intended for use by persons under 18 years of age, and we do not knowingly collect information from minors.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the extension after a policy update constitutes acceptance of the revised terms.

11. Contact

If you have questions about this Privacy Policy or need assistance with data deletion, please contact us at support@autofillportal.com.