Privacy Policy
Last updated: February 25, 2026
FillRight ("the Extension") is a Chrome browser extension developed by Sunshine Solutions ("we", "us", "our"). We are committed to protecting the privacy and security of the financial data you work with.
Key principle: All loan data processing happens locally in your browser. We never see, store, or transmit your borrowers' personal or financial information to our servers.
1. Information We Collect
1.1 Data You Enter (Loan Data)
- Borrower names, SSNs, addresses, income, employment, and loan details captured from LOS/CRM systems and lender portals.
- This data never leaves your browser. It is stored in Chrome's local storage using AES-256-GCM encryption and is automatically deleted after 30 minutes of inactivity.
- We have zero access to this data. It is not sent to any server, API, or third party.
1.2 Account Information
- If you create an account: email address and password (hashed, managed by Supabase Auth).
- If you sign in via Google OAuth: email and basic profile info provided by Google.
- Subscription and billing data is managed by Stripe. We store a Stripe customer ID — never your card number.
1.3 Anonymous Analytics
- We collect anonymous usage events via PostHog to improve the product.
- Events include: capture count, auto-fill count, feature usage, error types.
- No personally identifiable information (PII) is ever sent.
- Your analytics ID is a random UUID that is not linked to your identity.
- You can opt out of analytics in the extension settings.
2. How We Use Information
- Loan data: Used only within your browser to auto-fill forms. Never transmitted externally.
- Account data: To manage your subscription, provide support, and enforce usage limits.
- Analytics: To understand feature usage, identify bugs, and improve the product.
3. Data Storage and Security
- Loan data is encrypted with AES-256-GCM in Chrome's local storage.
- Data auto-clears after 30 minutes of inactivity.
- Users can manually clear all data at any time.
- A compliance audit trail logs field types accessed (never values) for TRID/RESPA compliance.
- Account data is stored in Supabase (SOC2-compliant, hosted on AWS).
- Payment data is handled by Stripe (PCI-DSS Level 1 certified).
4. Third-Party Services
5. Data We Do NOT Collect
- We do not collect SSNs, financial data, or any borrower PII.
- We do not sell, rent, or share any data with third parties.
- We do not use data for advertising or marketing profiling.
- We do not access your browsing history beyond detecting form fields on the active tab.
6. Your Rights
- Opt out of analytics at any time in Settings.
- Delete all stored loan data with one click.
- Delete your account by contacting support.
- Export your compliance audit log as CSV.
- For GDPR/CCPA requests, contact us at the address below.
7. Chrome Extension Permissions
- activeTab: Access the current webpage to detect and fill form fields.
- storage: Store encrypted loan data and preferences locally.
- scripting: Inject the form detection script into web pages.
- alarms: Auto-clear data after the 30-minute inactivity timeout.
- identity: Google OAuth sign-in.
- sidePanel / contextMenus: UI features for quick access.
- host_permissions (specific domains): Limited to specific LOS and lender portal domains (e.g., wellsfargo.com, rocketmortgage.com, encompass360.com) to detect and fill form fields.
8. Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Continued use of the Extension after changes constitutes acceptance of the updated policy.
9. Contact
Sunshine Solutions
Email: support@fillright.io
Address: 13727 SW 152 Street, #956, Miami, FL 33177