Privacy Policy — Quantum Autofill

TL;DR: Quantum Autofill stores everything locally in your browser. We operate no servers that see your autofill data, clip content, vault secrets, macros, or form history. The only data we process is your account email (for login) and subscription status (to verify your paid plan).

1. What data we handle

1.1 Data stored on your device only

All of the following stays in your browser (IndexedDB + chrome.storage.local) and is never transmitted to us or any third party:

Replacement rules (domains and field values you configure)
Text clips, text expansions, macros
Form history entries (passwords are excluded at capture time)
Vault entries — encrypted client-side with AES-GCM 256, key derived from your master password via PBKDF2 (100,000 iterations). We never see your master password.
Application settings (theme, shortcuts, preferences)

1.2 Data handled by third parties to enable your account

Supabase (authentication provider) processes:

Your email address (login identifier)
Your hashed password (bcrypt)
Account creation timestamp and last sign-in time
Your Supabase-assigned user ID

LemonSqueezy (payment processor, merchant of record) processes:

Your email address
Payment-method details (collected directly by LemonSqueezy/Stripe — we never see card numbers)
Billing address and tax info if applicable
Subscription status, renewal dates, customer ID

After a payment event, LemonSqueezy sends a signed webhook to our backend (a single Supabase Edge Function) with subscription status. We store only the minimum: user ID, status, renewal date, customer/subscription IDs. See Supabase privacy policy and LemonSqueezy privacy policy.

2. What we do NOT do

No tracking or analytics inside the extension
No telemetry or diagnostic pings
No advertising networks
No selling, sharing, or renting of your data
No access to your autofill content, clip content, vault entries, or form history
No browsing history collection

3. Permissions the extension uses

storage — persist settings locally
tabs — open the dashboard in a new tab
activeTab — fill the current tab when you trigger it
scripting — inject autofill logic into the page
contextMenus — provide the right-click "Insert clip" item
host_permissions: http(s)://*/* — required to fill forms on any website you visit

Permissions are used only for the features they enable. They are not used for tracking, data collection, or any purpose beyond the feature set.

4. Data retention

Local browser data: retained until you delete it (uninstalling the extension also removes it in most cases).
Account and subscription data on Supabase: retained while your account is active. Deletion on request within 30 days.
Payment data on LemonSqueezy: retained per their policy and applicable tax law.

5. Your rights

You can at any time:

Export all local data from Settings → Backup.
Delete local data by uninstalling the extension or using the Reset vault / Clear history actions.
Request deletion of your Supabase account and associated subscription record by emailing us.
Cancel your subscription from the LemonSqueezy customer portal linked in the extension.

6. Children

Quantum Autofill is not directed to children under 13. We do not knowingly collect data from children under 13.

7. Changes to this policy

We may update this policy to reflect changes to features or legal requirements. We'll update the effective date at the top. Material changes will be surfaced in the extension before they take effect.