1. Introduction

FormAI ("the Extension," "we," "our") is a Chrome browser extension that helps users fill out online job application forms using AI. This Privacy Policy describes what data the Extension collects, how it is used, how it is stored, and your rights regarding that data. We are committed to protecting your privacy. The Extension is designed with a local-first, privacy-first architecture — your data stays in your browser.

2. Data We Collect

2.1 Data You Provide Directly

When you use FormAI, you may voluntarily provide the following personal information by entering it into the Extension's Data tab or by importing it from a resume PDF:

  • Full Name
  • Email Address
  • Phone Number
  • Location (city/state/country — typed by you, not derived from device GPS)
  • LinkedIn Profile URL
  • Work Experience (job titles, company names, dates, descriptions)
  • Education (schools, degrees, dates)
  • Skills (comma-separated list)
  • Additional Information (free-form text)

You choose what to enter. All fields are optional. You can delete all data at any time using the "Reset" function.

2.2 API Keys (Authentication Credentials)

If you choose a cloud-based AI provider (OpenAI or Google Gemini), you provide your own API key. This key is:

  • Encrypted using AES-256-GCM via the Web Crypto API before storage
  • Encrypted with a unique 256-bit key generated at installation time
  • Encrypted with a random 12-byte initialization vector (IV) per encryption operation
  • Stored only in chrome.storage.local (browser-local, not synced)
  • Decrypted only at the moment of an API call, then immediately discarded from memory
  • Never logged, never displayed in plain text in the UI, and never transmitted to any party other than the AI provider you configured

If you choose WebLLM (Local AI) or Ollama, no API key is needed.

2.3 Form Fill History

When you use the "Fill This Page" feature, the Extension records:

  • The domain name (e.g., "boards.greenhouse.io")
  • The full page URL
  • The timestamp
  • The number of form fields detected
  • The number of fields successfully filled

This is stored locally (last 50 entries) so you can see where you've previously used FormAI. No fill history is transmitted externally.

2.4 Form Field Labels (Transient — Not Stored)

When you click "Fill This Page," the Extension reads form field labels from the current page (e.g., "First Name," "Email Address," "Years of Experience"). These labels are:

  • Processed in memory to match against your saved data
  • Sent to your configured AI provider (if using a cloud provider) as part of the form-filling prompt
  • Not stored persistently — they exist only during the active fill operation

2.5 Resume PDF Text (Transient — Not Stored)

When you use "Import from Resume," the Extension extracts text from your uploaded PDF file using the pdf.js library running locally in your browser. The extracted text is:

  • Processed locally to extract structured fields (name, email, phone via regex; experience, education, skills via AI)
  • Sent to your configured AI provider for parsing (if using a cloud provider)
  • Not stored after parsing is complete — only the extracted structured fields are saved to your profile

2.6 Data We Do NOT Collect

FormAI does NOT collect:

  • Browsing history or web history
  • Keystrokes, mouse movements, scroll activity, or clicks (outside the explicit picker mode)
  • Device geolocation (GPS, IP-based location, etc.)
  • Health information
  • Financial or payment information
  • Personal communications (emails, messages, chats)
  • Cookies or tracking identifiers
  • Device fingerprints or hardware identifiers
  • Network traffic or monitoring data
  • Screenshots or page content (other than form field labels)
  • Any data when the Extension is not actively being used by you

3. How We Use Your Data

All data collected by FormAI is used for a single purpose: filling job application forms.

Data | How It Is Used
--- | ---
Personal information (name, email, etc.) | Matched to form fields to auto-fill job applications
Work experience, education, skills | Provided as context to AI for intelligent field matching and cover letter generation
API key | Authenticates requests to your chosen cloud AI provider
Fill history | Displayed to you in the Extension popup so you can track your applications
Form field labels | Matched against your profile data to determine the correct value for each field
Resume PDF text | Parsed to extract your personal information to pre-populate your profile

We do NOT use your data for:

  • Advertising or personalized ads
  • User profiling or behavioral analysis
  • Credit assessment or lending decisions
  • Training AI models (your data is not used to train any models)
  • Selling or transferring to data brokers
  • Analytics, telemetry, or usage tracking
  • Any purpose unrelated to form filling

4. How We Store Your Data

4.1 Local Storage Only

All user data is stored exclusively within your browser using:

  • chrome.storage.local: Your personal information, encrypted API key, provider settings, fill history
  • chrome.storage.sync: Theme preference (dark/light) and onboarding completion flag only — synced across your Chrome profile
  • IndexedDB (via EntityDB library): Vector embeddings of your profile data for semantic search during form filling. The embedding model (Xenova/all-MiniLM-L6-v2) runs locally in your browser

4.2 No External Servers

Important: FormAI has no backend server, no database, no cloud storage, and no developer-operated infrastructure. There is no server for your data to be sent to. The developer never has access to your data.

4.3 Encryption

API keys are encrypted before storage using:

  • Algorithm: AES-256-GCM (authenticated encryption)
  • Key generation: A 256-bit random key generated via crypto.getRandomValues() at Extension installation, stored in chrome.storage.local
  • IV: A fresh random 12-byte IV is generated for each encryption operation
  • Implementation: The Web Crypto API (crypto.subtle), which is the browser's native cryptographic library
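
The scheme listed above, written out as an added example (not FormAI's own code). The function names and the { iv, ct } record shape are assumptions, and plain objects stand in for chrome.storage.local so the code runs outside an extension.

```javascript
// Added example: AES-256-GCM via Web Crypto as section 4.3 describes.
// Function names and the stored record shape are assumptions, not FormAI's code.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const toB64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const fromB64 = (text) => Uint8Array.from(atob(text), (c) => c.charCodeAt(0));

// 256-bit random key, generated once (the page says: at installation time).
function generateInstallKey() {
  return toB64(webCrypto.getRandomValues(new Uint8Array(32)));
}

function importKey(rawKeyB64) {
  return webCrypto.subtle.importKey(
    'raw', fromB64(rawKeyB64), { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
}

// Fresh random 12-byte IV per call; the IV is not secret and is stored with the ciphertext.
async function encryptApiKey(rawKeyB64, apiKey) {
  const iv = webCrypto.getRandomValues(new Uint8Array(12));
  const key = await importKey(rawKeyB64);
  const ct = await webCrypto.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(apiKey));
  return { iv: toB64(iv), ct: toB64(ct) };
}

// Throws if the ciphertext, IV or key does not match: GCM verifies its tag on decrypt.
async function decryptApiKey(rawKeyB64, record) {
  const key = await importKey(rawKeyB64);
  const pt = await webCrypto.subtle.decrypt(
    { name: 'AES-GCM', iv: fromB64(record.iv) }, key, fromB64(record.ct));
  return new TextDecoder().decode(pt);
}

// Constructed demo: round trip, IV freshness, and tamper rejection.
async function demo() {
  const installKey = generateInstallKey();
  const sample = 'sk-constructed-sample-not-a-real-key';
  const a = await encryptApiKey(installKey, sample);
  const b = await encryptApiKey(installKey, sample);
  const flipped = fromB64(a.ct); flipped[0] ^= 1;
  const tamperRejected = await decryptApiKey(installKey, { iv: a.iv, ct: toB64(flipped) })
    .then(() => false, () => true);
  return { roundTrip: await decryptApiKey(installKey, a) === sample,
           ivsDiffer: a.iv !== b.iv, tamperRejected };
}
```

The stored ciphertext is 16 bytes longer than the plaintext because Web Crypto appends the GCM authentication tag to it.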

5. Data Sharing and Third-Party Access

5.1 Cloud AI Providers (User-Configured)

If you choose to use a cloud-based AI provider, the following data is sent to that provider's API when you initiate a form fill or cover letter generation:

Provider | Endpoint | Data Sent
--- | --- | ---
OpenAI | api.openai.com/v1/chat/completions | Your API key (in Authorization header), form field labels, relevant portions of your profile data as context
Google Gemini | generativelanguage.googleapis.com/v1beta/openai/ | Your API key (in Authorization header), form field labels, relevant portions of your profile data as context
Ollama | localhost:11434/v1/chat/completions | Form field labels and relevant portions of your profile data — no data leaves your machine
WebLLM | None (runs in browser) | No data is transmitted anywhere. All inference happens locally via WebGPU

Important: When using OpenAI or Gemini, the data sent to those providers is governed by their respective privacy policies, not ours. You are using your own API key and your own account with those providers. We encourage you to review:

OpenAI's Privacy Policy  |  Google's Privacy Policy

5.2 Model Weight Downloads

  • WebLLM: The Gemma 2 2B model weights (~1.5 GB) are downloaded from Hugging Face's CDN (huggingface.co) the first time you activate local AI. This is a one-time download of model data files, cached in your browser. No personal data is sent to Hugging Face during this download.
  • Embedding model: The all-MiniLM-L6-v2 ONNX model is downloaded from Hugging Face via the transformers.js library. Same as above — no personal data is transmitted.

5.3 No Other Third Parties

FormAI does NOT share data with:

  • Advertising networks or platforms
  • Data brokers or information resellers
  • Analytics services (no Google Analytics, no Mixpanel, no telemetry)
  • Social media platforms
  • The extension developer or any affiliated entity
  • Any other third party not listed above

6. Data Retention and Deletion

6.1 Retention

Your data persists in local browser storage for as long as the Extension is installed. There is no time-based expiration. Fill history is automatically trimmed to the most recent 50 entries.

6.2 Deletion

You can delete your data at any time through:

  1. Reset button in the Extension's Data tab: Deletes all personal information and fill history from chrome.storage.local and clears the IndexedDB vector database
  2. Uninstalling the Extension: Chrome automatically removes all data in chrome.storage.local, chrome.storage.sync, and IndexedDB associated with the Extension
  3. Browser data clearing: Using Chrome's "Clear browsing data" → "Cookies and other site data" will clear IndexedDB. Storage data can be cleared via Developer Tools → Application → Storage

When you delete your data, it is permanently removed. There are no backups, no retention periods, and no recovery options (unless you previously used the Export feature).

6.3 Export and Import

FormAI includes a data export feature that downloads a JSON file containing your profile data, fill history, and settings. This file is saved to your local device. You can import this file to restore your data (e.g., after reinstalling or on a new device). The export file does not include your API key for security reasons.

7. Your Rights

You have the right to:

  • Access: View all data the Extension has stored about you (visible in the Data and Settings tabs, or via the Export feature)
  • Modify: Edit any of your stored personal information at any time
  • Delete: Remove all stored data using the Reset function or by uninstalling the Extension
  • Portability: Export your data as a JSON file for backup or migration
  • Choose your AI provider: Switch between cloud (OpenAI, Gemini) and fully local (WebLLM, Ollama) providers at any time
  • Opt out of cloud processing: By selecting WebLLM or Ollama, you ensure that absolutely no personal data is transmitted over the internet

8. Children's Privacy

FormAI is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided personal information to the Extension, please contact us and we will delete that information.

9. Security

We take reasonable measures to protect your data:

  • API keys are encrypted with AES-256-GCM before storage
  • Encryption keys are unique per installation
  • The content script is injected only when explicitly triggered by you, not on every page
  • The Extension's Content Security Policy restricts executable code to bundled sources only (script-src 'self' 'wasm-unsafe-eval')
  • No data is transmitted to developer-controlled servers
  • No remote code is loaded or executed

However, as a browser extension, FormAI's security ultimately depends on the security of your browser, your operating system, and your device. We recommend keeping Chrome updated to the latest version.

10. Content Security Policy

The Extension uses the following Content Security Policy:

script-src 'self' 'wasm-unsafe-eval'; object-src 'self';

  • 'self': Only scripts bundled with the Extension can execute
  • 'wasm-unsafe-eval': Required for WebLLM's WebAssembly modules, which perform local AI inference on your GPU
  • No remote scripts, inline scripts, or eval() are permitted

11. Permissions Explanation

  • storage: Saves your profile data, settings, encrypted API key, and fill history locally in the browser.
  • activeTab: Accesses the current tab's form fields ONLY when you click the extension icon or "Fill This Page."
  • scripting: Injects the form-filling script into the active page ONLY when you explicitly request it.
  • OpenAI API: Communicates with OpenAI's API when you've selected OpenAI as your provider.
  • Google Gemini API: Communicates with Google Gemini's API when you've selected Gemini as your provider.
  • Ollama (localhost): Communicates with your local Ollama server when you've selected Ollama as your provider.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last Updated" date at the top of this policy. Your continued use of the Extension after any changes constitutes acceptance of the updated policy. We recommend reviewing this policy periodically.

13. Limited Use Disclosure

The use of information received from Chrome APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. Specifically:

  • Data is used only for the Extension's core functionality (form filling)
  • Data is not sold or transferred to third parties outside of the approved use cases
  • Data is not used for purposes unrelated to form filling
  • Data is not used to determine creditworthiness or for lending purposes
  • Data is not used for serving advertisements

14. California Privacy Rights (CCPA)

If you are a California resident, you have the right to know what personal information is collected, the right to delete it, and the right to opt out of the sale of your personal information. FormAI does not sell personal information. You can exercise your rights by using the Extension's built-in Reset and Export features, or by contacting us.

15. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have additional rights including the right to access, rectification, erasure, data portability, and the right to lodge a complaint with a supervisory authority. FormAI processes data based on your explicit consent (you choose to enter your data and choose when to fill forms). All data is stored locally in your browser. You can exercise your rights by using the Extension's built-in data management features, or by contacting us.

16. Contact

For questions or concerns about this Privacy Policy or the Extension's data practices, please contact:

  • Email Support: info@mohdanas.me
  • Website: www.mohdanas.me

17. Open Source

FormAI's source code is available for review. You can inspect exactly what data the Extension accesses, stores, and transmits by reading the source code directly.

This privacy policy applies to FormAI version 1.0.0 and later.