Extension Privacy Policy
Effective Date: June 7, 2026
This policy covers the AppStride Autofill browser extension specifically. It explains what the extension reads, what it sends to AppStride, who else touches your data, and the choices you have. It is separate from the AppStride web app privacy policy, though the two share the same backend and the same commitments.
1. Plain-Language Summary
AppStride Autofill fills out job applications for you on supported job sites (Workday, Greenhouse, Lever, Ashby, iCIMS, SmartRecruiters). You click Fill; we fill. You always click Submit.
We collect three things: the profile and resume data you already gave the AppStride web app; the labels of form fields on the job page you ask us to fill; and — at the moment you fill — the values that go into those fields. We send those to our backend so we can figure out what to fill, and so the next time you see the same kind of question we can fill it again.
We do not sell your data. We do not use it for advertising. We do not auto-submit applications. We do not fill password fields. We do not run on websites you didn't ask us to.
If you want to leave, open the extension Settings page and click “Clear all my data.” That clears the extension's saved data from your browser and signs you out. To delete your AppStride account entirely (backend included), use the AppStride web app — see Section 10.
2. What This Extension Does (Single Purpose)
AppStride Autofill helps you fill job application forms on Applicant Tracking System (ATS) websites you visit: Workday, Greenhouse (including European subdomains), Lever, Ashby, iCIMS, and SmartRecruiters. It can also activate on other websites when you right-click and choose “AppStride: Fill this page” or click the AppStride toolbar icon — for example, when a company embeds an Ashby or Greenhouse form on their own custom careers domain.
The extension does not auto-submit applications. The Submit button is always pressed by you. The extension does not run when you have not asked it to. It does not fill password fields. It does not fill any field on a page until you click “Fill this page” or use the right-click / toolbar action.
3. Who We Are (Data Controller)
AppStride is the data controller for personal data processed by the AppStride Autofill browser extension. You can contact us at any time at privacy@appstride.io. If you are in the European Union or the United Kingdom, the same address reaches us for data-protection matters.
4. What Data We Collect
4.1 Profile data you already gave AppStride
Always collected. This is the profile you entered in the AppStride web app: your name, email address, phone number, mailing address, work history, education history, skills, and the work-authorization preferences you set. The extension caches a copy on your device so it can fill forms quickly without re-fetching it on every page. We store it on our backend (Supabase Postgres, encrypted at rest) for as long as your AppStride account is active.
4.2 Form field labels and structure
Collected when you click Fill. The extension reads the labels and types of the form fields on the page you are on — for example, “First Name” (text), “Are you authorized to work?” (Yes/No), “What about this company excites you?” (text area). These labels are sent to our backend (api.appstride.io) so it can match each field to one of your saved profile items or saved answers. We retain field labels in backend logs for up to 90 days for diagnostics; they are not used to train any model.
4.3 Form field values during a fill
Collected only at the moment you click Fill; transient. When the backend returns the value it believes belongs in each field, the extension fills it into the form. The value is also written back to our backend as part of the fill record so we can verify the fill succeeded and so the learning loop knows what was used. We retain individual fill records in backend logs for up to 90 days. Past 90 days, only aggregate statistics remain.
4.4 Saved Q&A answers
Collected only when you opt in, per answer, after submission. When you submit an application, the extension shows a card asking which of your novel answers — answers you typed that weren't already in your profile — you want to save for next time. Each answer has its own checkbox; nothing is saved unless you tick it. Saved answers go to your account and you can view or delete them at any time from the extension's Saved Answers screen. We keep them until you delete them or delete your account.
4.5 Telemetry (optional)
When telemetry is on, the extension reports anonymous event counts — how many fields filled, how many succeeded, how many needed your input — and error reports if something crashes. Telemetry never includes form field values or saved-answer content. We retain telemetry for up to 30 days aggregated, 7 days raw.
4.6 Authentication state
The smallest amount possible. The extension reads the AppStride session cookie set on appstride.io so it knows you are signed in and stops working when you sign out. The extension does not read cookies from any ATS website. It does not store passwords, security questions, or PINs.
4.7 Browsing data we do NOT collect
The extension does not track the URLs of pages you visit. It does not log a page until you click Fill or use the right-click / toolbar action on it. The browser-navigation permission (Section 5) is used only to notice when you move between pages of a multi-page application on Workday and similar sites you have already asked us to fill; it does not produce a log of your browsing.
5. Why We Ask for Each Permission
The extension declares the smallest set of permissions we could engineer it down to. We do not ask for access to all websites, your browsing history, or your bookmarks.
- storage / cookies / alarms / scripting — the technical mechanisms by which the extension caches your profile on your device, detects when you sign in or out of AppStride on the web, refreshes your session token in the background, and injects the fill script into the page when you click Fill. None of these, by themselves, send data anywhere.
- webNavigation — used to notice when you move from one page of a multi-page Workday application to the next so the extension can re-scan the new page. Events are filtered to the supported ATS domains; we do not log which sites you visit.
- identity — used to complete Google sign-in for users who choose to authenticate with Google instead of an email and password. Used only at sign-in.
- activeTab + contextMenus — when you right-click and choose “AppStride: Fill this page” (or click the toolbar icon), the extension is granted temporary access to that one tab so it can scan for form fields. This is how it supports companies that embed an Ashby or Greenhouse form on their own domain. Access expires when you navigate away or close the tab, and nothing happens until you make the gesture.
- sidePanel — renders the AppStride control panel during a fill, showing per-field progress and the post-submit save prompt. It only shows content related to filling the current application.
- Host access to appstride.io and its subdomains — reads the AppStride session cookie so the extension knows you are signed in.
- Host access to api.appstride.io — calls our backend matching service.
- Host access to the ATS domains (Workday, Greenhouse, Lever, Ashby, iCIMS, SmartRecruiters) — activates the fill script on supported job application pages. The extension does not run on other websites unless you make the right-click / toolbar gesture.
6. Sub-Processors
These are the third-party services AppStride uses to operate. They receive only the data they need to perform their function, under written contracts with confidentiality and security obligations and, where applicable, GDPR data processing agreements.
- Supabase (database, authentication, file storage) — hosts your profile, resume, saved Q&A, and the session infrastructure. SOC 2 Type II; ISO 27001 certified.
- Vercel (web app hosting) — hosts the appstride.io website.
- Railway (backend API hosting) — hosts the api.appstride.io matching backend.
- Mailgun (transactional email) — used only if you enable email forwarding in the AppStride web app; not used by the extension itself.
We add or change sub-processors only with 30 days' notice published on the AppStride blog before any new sub-processor handles personal data.
7. How We Use What We Collect
We use your data for one purpose: to help you fill job applications and to improve our ability to fill the next one for you.
- We use your profile, resume, and saved answers to figure out the correct value for each field on the application page.
- We use the labels of fields you encountered and the values that got filled to improve the matching engine (so next time the same question phrasing shows up, we recognize it).
- We use telemetry, if on, to detect when something is broken and fix it.
We do not:
- sell your data to anyone;
- share your data with third parties for their own purposes (only the sub-processors named in Section 6, providing services to AppStride);
- use your data for personalized advertising;
- transfer your data to advertising platforms, data brokers, or information resellers;
- use your data to determine creditworthiness or for lending purposes;
- train AI models on your data.
These are commitments that match the Limited Use requirements of the Chrome Web Store User Data Policy, which we comply with as a condition of distributing the extension.
8. Who at AppStride Can See Your Data
Humans on the AppStride team can see your personal data only when: you ask us for help and explicitly authorize support access; it is strictly necessary for security (e.g., investigating a confirmed account compromise); it is aggregated and anonymized for internal operations (e.g., dashboards of fill counts across all users); or it is required for legal compliance (e.g., a valid subpoena). This matches the Chrome Web Store Limited Use rule for restricted access.
9. How Long We Keep Your Data
| Data | Where | How long |
|---|---|---|
| Profile (name, email, phone, address, work history, education, skills, work-auth preferences) | Backend + on-device cache | Until you delete your AppStride account |
| Resume PDF/DOCX + parsed text | Backend + Supabase Storage + cache | Until you delete the resume in the web app, or account deletion |
| Saved Q&A answers | Backend | Until you delete the answer in Saved Answers, or account deletion |
| Form field labels (during fill) | Backend logs | 90 days |
| Form field values (during fill) | Backend logs | 90 days |
| Telemetry | Backend | 30 days aggregated, 7 days raw |
| AppStride session cookie | Browser only | Until you sign out or it expires |
Account deletion: when you ask us to delete your account (from the AppStride web app), we mark it deleted immediately, sign you out, and hard-delete after a 7-day grace period during which you can reactivate. After 7 days the deletion is permanent.
10. Your Rights
You have rights over the data we hold about you. Where you live affects which rights are written in law, but in practice we honor all of the following for every user. Exercise any of them by emailing privacy@appstride.io; we respond within 30 days.
- Access / portability — ask us for a copy of your data as a JSON archive (profile, resume metadata, saved Q&A, recent fill activity).
- Deletion — two scopes. The extension Settings → “Clear all my data” button clears the extension's saved data from your browser and signs you out immediately. To delete your AppStride account and all backend data, use the AppStride web app account settings (or email us).
- Correction — fix anything that is wrong, mostly directly from the AppStride web app.
- Restriction / objection — ask us to stop processing your data for a specific purpose. Where this means the extension can no longer function, we explain that and let you decide.
- Withdraw consent — where we relied on your consent, you can withdraw it at any time. Withdrawing does not affect the lawfulness of past processing.
EU and UK (GDPR / UK GDPR). Our legal bases are: (i) performance of the contract you have with us (the autofill service) for profile, resume, and field-fill data; (ii) your consent for optional features (post-submit Saved Answers, telemetry where consent applies); (iii) legitimate interest for telemetry, balanced against your right to opt out. You have the right to complain to your national data protection authority.
California (CCPA / CPRA). The categories we collect are in Section 4. We do not sell or share your personal information. You have the right to know, delete, correct, opt out of sale or sharing (honored by default), and limit use of sensitive personal information. We honor the Global Privacy Control (GPC) signal. Email privacy@appstride.io or use the “Clear all my data” button; we respond within 45 days.
11. How We Keep Your Data Safe
In transit: every connection between the extension and our backend uses HTTPS with TLS 1.2 or higher. We do not allow unencrypted transit.
At rest in our backend: Supabase Postgres encrypts your data with AES-256 at rest, and resume files in Supabase Storage are similarly encrypted.
At rest on your device: in the current version, your cached profile and resume content are stored in the browser's extension storage, which is partitioned to the extension (no website can read it) but is not encrypted at rest by default. Anyone with physical access to your computer and your browser profile could read the cached data. We plan to add an on-device encryption layer in a future release. In the meantime, the “Clear all my data” button removes the cache whenever you want.
Breach notification: if we discover a personal-data breach that affects you, we will notify you within 72 hours of discovery (the GDPR deadline) and explain what happened and what you should do.
12. Limited Use Commitment
AppStride's use of information received from the websites you visit (form labels, your answers, resume data) adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. We do not transfer, use, or sell this data for personalized advertising, share it with data brokers, or use it for credit determination. Human access is limited to your explicit consent or what is strictly necessary for security and legal compliance.
13. Children's Privacy
The AppStride Autofill extension is not directed at children. We do not knowingly collect personal data from anyone under 16 (for users in the EU) or under 13 (elsewhere). If you believe a child has provided us with personal data, email privacy@appstride.io and we will delete it.
14. Browser-Specific Notes
Chrome and Edge. Profile and resume data are cached in the browser's extension storage. The AppStride session cookie is read from appstride.io.
A Firefox version is planned and will follow the same data practices described here. This policy applies to it as well.
15. Changes & Contact
If we make material changes to this policy — adding a sub-processor that handles personal data, changing what we collect, or changing how long we keep it — we will post a notice on the AppStride blog and show a notice in the extension the next time you launch it after the change. Non-material changes (clarifications, typo fixes) are reflected in the “Last updated” date above without separate notice.
For any privacy question, email privacy@appstride.io. For general support, email support@appstride.io.