Privacy Policy

Last updated 14 June 2026

This policy covers the OttoFill browser extension (Firefox now, Chrome coming soon) and this website, ottofill.xyz. OttoFill is an independent product by Bala Kumar.

What OttoFill stores

OttoFill builds a personal “knowledge base” — the field labels and values it learns from the forms you fill, plus anything you import or enter manually. This, along with your settings, is stored locally using your browser’s extension storage. The knowledge base is encrypted, and you can optionally lock it behind a master passphrase (a local vault lock).

Where your data lives

By default, everything stays on your device. OttoFill is designed so that the free, local features never transmit your data anywhere. Capture, matching, and filling all happen in your browser.

On-device processing

OttoFill’s matching engine runs in tiers, and tiers 0–2 are entirely local and work offline:

• Tier 0 — exact recall and Tier 1 — deterministic matching are simple rule-based lookups against your local knowledge base.
• Tier 2 — on-device AI uses a local machine-learning model (Transformers.js running in WebAssembly) to match differently-worded fields. The model runs in your browser; no field data is sent over the network.

The Tier-3 LLM (optional)

When the on-device matcher cannot resolve a field, an optional Tier-3 step can ask a large language model (LLM) to help. This is off until you explicitly consent during onboarding, and it works like this:

• Only the unresolved field is involved — not your whole knowledge base.
• By default the field’s value is sent so the model can map it. You can switch to labels only so values never leave your device, or disable Tier-3 entirely and stay fully local.
• The request goes either through OttoFill’s privacy-respecting proxy (a Cloudflare Worker that forwards to a third-party LLM provider, currently Fireworks AI) or, if you prefer, directly to your own provider using an API key and endpoint you configure.
• The data is used only to resolve that field. OttoFill does not store it, and it is not used to train OttoFill.

Sync (optional, zero-knowledge)

If you enable cross-device sync, your knowledge base is encrypted with your passphrase on your device before it is uploaded. The sync server (a Cloudflare Worker with Cloudflare KV storage) only ever stores ciphertext. Without your passphrase, the operator cannot read your data.

Licensing & payments

OttoFill Pro unlocks the Tier-3 LLM, unstructured import, and sync. When Pro billing launches it will be handled by a third-party payment processor (LemonSqueezy); license validation contacts the OttoFill Worker with your license key to issue a short-lived entitlement token. No payment details are handled by the extension itself.

What we don’t collect

• No analytics, tracking pixels, fingerprinting, or advertising.
• No telemetry or usage reporting.
• We never sell or share your data. The Firefox listing declares no data collection.
• This website uses no third-party analytics and self-hosts its font — no Google Fonts or external CDN calls.

Permissions the extension requests

• Storage — to save your knowledge base and settings locally.
• Access to web pages — to read form fields and fill them on the sites where you use OttoFill. It acts on the page in front of you; it does not browse or collect from sites in the background.

Third parties

Depending on the features you use, OttoFill may interact with: the browser add-on stores it’s distributed through (Mozilla Add-ons, and the Chrome Web Store when available), Cloudflare (hosting the optional proxy and sync infrastructure), a third-party LLM provider (only if you enable Tier-3 and use the proxy), and your own chosen API provider (only if you supply your own key). Each is involved only for the specific feature you opt into.

Children

OttoFill is a general-purpose tool and is not directed at children under 13.

Changes to this policy

If this policy changes, we’ll update this page and the “last updated” date above.

Contact

Questions? Email mail@balakumar.dev.