SmartFill Privacy Policy
Effective date: 2026-04-17 Last updated: 2026-04-17
SmartFill is designed around a simple promise: your form data stays on your device. This document explains exactly what the extension collects, what it doesn’t, and the choices you control.
This Privacy Policy is a companion to the SmartFill Terms of Service that you accept when you install the extension; the Terms govern use of the software, while this policy describes our data practices.
1. Summary (the short version)
- Form values you type or autofill (names, addresses, card numbers, etc.) are encrypted on your device and never leave your browser.
- Anonymous product analytics are off by default. You can turn them on during onboarding or in Options → Privacy, and turn them off at any time.
- If you opt in to analytics, we collect only non-PII usage signals — never your form values, URLs, or personal information.
- We do not sell, rent, trade, or share your data with advertisers.
2. Data stored locally on your device
The extension stores the following only on your device, inside your browser’s sandboxed storage:
| Kind of data | Where it lives | How it’s protected |
|---|---|---|
| Profile field values (name, email, addresses, cards, etc.) | Browser IndexedDB | AES-GCM-256 encrypted with a key held by your browser |
| Extension settings (enabled, backend URL, style) | chrome.storage.local | Sandboxed per-user |
| Consent record (which terms you agreed to, when) | chrome.storage.local | Sandboxed per-user |
| Classification learn-history (field labels seen on sites, no values) | Browser IndexedDB | Sandboxed per-user |
| Anonymous analytics ID (only if you opt in) | chrome.storage.local | Sandboxed per-user |
None of this data is transmitted to us by default. You can delete all of it at any time via Options → Privacy → Delete all my data.
3. Data sent to the classification backend
When SmartFill detects form fields on a page, it sends only field metadata to the backend server that classifies them:
- field labels (e.g. “Email address”)
- name/id/placeholder attributes
- HTML input type (text, email, tel, etc.)
- autocomplete attribute hints
It never sends the values you have typed into those fields.
By default, this backend runs on localhost on your own machine. If you
configure a remote backend URL (e.g. your own Railway deployment), that
metadata is sent to whatever server you pointed SmartFill at — choose
carefully.
4. Anonymous product analytics (optional, opt-in)
SmartFill can optionally share anonymous usage signals with us via PostHog, a privacy-oriented analytics platform, to help us improve classification accuracy and performance. This is off by default.
4.1 Exactly what we collect if you opt in
- A random anonymous ID (UUIDv4), generated the moment you opt in and stored only on your device. It is not linked to any identity, email, cookie, or third-party account. Clearing the extension’s data regenerates it.
- The names of form-field categories that SmartFill classified (e.g. “email,” “city,” “creditCard”) — never the values you typed.
- Which classifier stages ran (rules / zero-shot / LLM) and aggregate latency, so we can measure model quality.
- Your country, derived by PostHog from your IP address. The raw IP is discarded after this lookup per our PostHog “Discard client IPs” configuration — we do not store raw IP addresses.
- Your browser family and major version (e.g. Chrome 120), your operating system family (e.g. macOS), and the SmartFill extension version.
- Timestamps of events.
4.2 Exactly what we never collect
- form values, passwords, credit-card numbers, personal information of any kind
- URLs you visit, page titles, page contents, screenshots
- precise location, GPS coordinates, city, or postal code
- CPU, RAM, screen size, fonts, or any other hardware fingerprint
- raw IP addresses
- email addresses or any account identifiers
- any data from pages where you did not invoke SmartFill
4.3 How we use analytics
- To count active users at the country level
- To measure how often each classifier stage is needed
- To spot regressions in classification latency or accuracy
- To prioritise which field categories to improve
We do not use analytics for advertising, profiling, or sale to third parties, and we do not try to re-identify users from these signals.
4.4 How to turn it off
You can turn analytics off at any time:
- Options → Privacy → Share anonymous usage analytics (toggle off), or
- Options → Privacy → Delete all my data (wipes everything including the anonymous ID)
When you toggle off, SmartFill stops sending events immediately and clears the anonymous ID from your device.
4.5 Data processors
- PostHog, Inc. — the analytics backend. They act as a data processor for us; they do not sell your data. See their privacy policy.
- Railway — infrastructure for the optional remote classification backend (if you configure one). See their privacy policy.
4.6 Retention
Event-level analytics data is retained for up to 180 days, after which we keep only aggregate counts. Your anonymous ID is not linked to any identity, so deletion requests generally don’t apply — but if you want historical events removed, contact us (see § 8) with your anonymous ID (visible in Options → Privacy after opting in).
5. External LLM calls
When the classifier cannot resolve a field via local rules or the local zero-shot model, it may fall back to an external large-language-model provider (Anthropic Claude or OpenAI) to classify that field. In those requests:
- Only the field metadata described in § 3 is sent.
- No form values are sent.
- The request goes directly from the backend you control to the LLM provider you configured — SmartFill does not intermediate these calls or log them.
LLM provider data handling is governed by their respective terms: Anthropic (privacy) and OpenAI (privacy).
6. Children
SmartFill is not directed to children under 13 (or under 16 in the EU/UK). We do not knowingly collect data from children. If you believe a child has used SmartFill and we hold their anonymous analytics ID, contact us (§ 8) and we will remove the associated events.
7. Your rights
Depending on where you live, you may have rights under the GDPR (EU/EEA/UK), CCPA/CPRA (California), or similar laws — including rights to access, correct, delete, export, or object to processing of your data. Because the only personal-adjacent data we hold is (optionally) your opted-in anonymous ID, exercising these rights is straightforward:
- Access / export: Options → Privacy → Export my data (JSON).
- Delete: Options → Privacy → Delete all my data, or toggle analytics off.
- Opt out / object: Options → Privacy → toggle Share anonymous usage analytics off.
- Questions: contact us at the address below.
8. Contact
Questions, requests, or concerns about this policy can be sent via the support channels published with the extension on its Chrome Web Store listing.
9. Changes to this policy
We may update this Privacy Policy as SmartFill evolves. Material changes will be surfaced through the extension or by bumping the Terms of Service version, which will prompt you to review and re-accept. The “Last updated” date at the top of this document always reflects the most recent change.