Privacy Policy
Last updated: June 2026
FillOnce helps you fill forms and documents from information you store once. Privacy is the core of the product — this policy explains exactly what we do and don't do with your data.
What we store
The personal information you add to your vault (names, contact details, IDs, etc.) and the documents you upload. Vault values are encrypted in your browser before upload — FillOnce stores ciphertext plus wrapped key material, not readable plaintext. Your passphrase is not sent to our servers; if you lose both your passphrase and recovery credentials, you may lose access to your vault. See Security. Every record is scoped to your account and isolated by row-level security.
How we process documents
To detect fields, run OCR on scans, and fill PDFs or Word documents, our servers handle the raw document bytes in memory. Source files and exported (filled) outputs are stored in object storage that is encrypted at rest, scoped per account at the database layer, and retained until you delete them or delete your account — we do not auto-purge documents on a timer. We do not analyze documents, share them, or use them to train any model. After each export we wipe the plaintext field values from our database; the encrypted vault values remain available for future fills. Every document can be permanently deleted from its review page, and account deletion removes the whole account's files in one step.
What the browser extension does
The extension reads only the structure of forms on pages you choose to fill — field labels and types, never values already on the page, and never hidden fields. It never submits a form; it fills matched fields, then you review the result and submit yourself. It only communicates with your FillOnce account's own backend.
What we never do
We never sell your data, never use it for advertising, and never share it with third parties for their own purposes. Your vault values are not used to train any model.
Optional AI matching
AI-assisted field matching is off by default. If you enable it, only field labels (form structure) are sent for matching — never your stored values — and only after you explicitly consent.
Cookies
We use only essential cookies — the secure session cookies that keep you signed in. We do not use advertising, analytics, or third-party tracking cookies, so there is nothing to opt into. Because these cookies are strictly necessary to operate the service, no consent banner is required.
Your control
You can view, edit, export, or delete your vault data at any time. Sensitive fields require your review before they are written into an exported document. The app can be self-hosted so files stay on infrastructure you operate.
Data retention & deletion
Your data is kept until you delete it or close your account. Deleting your account removes your vault, documents, and generated files. We retain only what is needed to provide the service and meet legal obligations, then delete it.
Your rights (PIPEDA / BC PIPA)
We handle personal information in accordance with Canada's PIPEDA and British Columbia's Personal Information Protection Act (PIPA). You have the right to access the personal information we hold about you, to request corrections, and to withdraw consent. To exercise these rights, contact our Privacy Officer below; we respond within 30 days.
Your rights (Quebec — Law 25)
If you reside in Quebec, Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25) applies. You have the right to access, correct, and erase your personal information; the right to data portability for information you have actively provided; the right to be informed if automated decision-making is used to make a decision about you (FillOnce does not make automated decisions about Quebec residents — every field mapping is reviewed by you before any value is filled); and the right to a written response to your request within 30 days. Our Privacy Officer (named below) is responsible for this compliance.
Your rights (European Union and United Kingdom — GDPR / UK GDPR)
If you are located in the EEA, the UK, or Switzerland, we process your personal information under the EU/UK General Data Protection Regulation. Our lawful bases are: contract (to deliver the service you signed up for), legitimate interests (security, fraud prevention, service improvement), consent (for optional features such as AI-assisted matching and marketing email), and legal obligation (e.g. tax, breach notification). You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal information. You may also lodge a complaint with your local supervisory authority. We are based in Canada — Canada has an adequacy decision from the European Commission for transfers of personal information from the EEA, so no Standard Contractual Clauses are required for the transfer itself. We do not maintain an EU establishment or designated EU representative at this time; if you need to reach us regarding EU/UK rights, contact our Privacy Officer below.
Your rights (United States — California, Virginia, Colorado, Connecticut, Utah, Texas, and similar state laws)
If you are a resident of a US state with a comprehensive privacy law (including California's CCPA/CPRA), you have the right to know what personal information we hold, the right to access it, the right to correct it, the right to delete it, and the right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information for cross-context behavioral advertising or any other purpose, so there is nothing to opt out of, but the right exists. We do not offer financial incentives in exchange for your personal information. To exercise your rights, contact our Privacy Officer below; we respond within 45 days as required by California law.
Cross-border data transfers
FillOnce is operated from Canada and our primary databases and object storage are hosted in Canada (Supabase ca-central-1). When you use the service from outside Canada, your personal information will be transferred to and processed in Canada. Canada has an adequacy decision from the European Commission, so transfers from the EEA are recognized as providing an equivalent level of protection. For users in other jurisdictions, we rely on the contractual safeguards in this policy and our agreements with sub-processors.
Children's information (and a note on COPPA)
FillOnce is designed for adults filling forms for themselves and members of their household. The service is not directed to children under 13 and we do not knowingly collect personal information directly from children. If a parent or guardian chooses to add a child's information to their household vault, they do so as the legal guardian of that child, and the parent — not the child — is the user of the service. We treat this as the parent providing the child's information for the parent's use (filling camp forms, school forms, medical intake), consistent with COPPA's parental-consent framework. If you are under 13, please ask your parent to use the service on your behalf. If you believe we have collected personal information from a child under 13, contact our Privacy Officer immediately and we will delete it.
Breach notification
If a privacy breach creates a real risk of significant harm, we will notify affected users and the Office of the Privacy Commissioner of Canada as soon as feasible, as required by PIPEDA, and we maintain records of breaches.
Email & communications (CASL)
We send transactional emails (e.g. sign-in, receipts, service notices) as part of operating your account. We only send marketing emails if you opt in, and every such email identifies us, includes our mailing address, and offers a one-click unsubscribe — consistent with Canada's Anti-Spam Legislation (CASL).
Sub-processors
We use a small number of service providers to operate the app (cloud hosting and database, and — if you enable billing — a payment processor). They process data only to provide their service to us and are bound by confidentiality and data-protection terms. See our sub-processor list.
Governing law
This policy and your use of the service are governed by the laws of British Columbia and the applicable laws of Canada.
Privacy Officer & contact
Questions, access requests, or complaints? Contact our Privacy Officer:
[set PRIVACY_OFFICER_NAME], [set COMPANY_LEGAL_NAME]
[set COMPANY_ADDRESS]
[set PRIVACY_EMAIL]
You may also contact the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the Office of the Information & Privacy Commissioner for BC (oipc.bc.ca).