Legal · Privacy

Privacy Policy

FormYaar is built on a simple promise: your personal data — including your name, Aadhaar details, and address — never leaves your device. This document explains exactly how that works, what we collect, and what we don't.

Effective Date May 9, 2026
Last Updated May 9, 2026
Applies To Chrome Extension + Website
Governing Law Republic of India
🔒 Plain-English Summary (TL;DR)
Your Aadhaar, name, DOB, and address are saved only on your device — never on our servers.
We never sell your personal information to anyone, ever.
We collect anonymous usage data (like which form you filled) to improve the product.
Payment is processed by Razorpay. We only receive confirmation that payment succeeded — not your card details.
You can delete all your data from the extension settings at any time.
Our extension is open-source. You can audit every line of code on GitHub.
Section 01

Who We Are

FormYaar ("we", "us", "our") is a product developed and operated by Hemant Chauhan (trading as ExcuseME Brother), an individual entrepreneur based in Bareilly, Uttar Pradesh, India.

FormYaar is a Chrome browser extension and associated website that helps Indian citizens auto-fill government forms (such as PAN card, Driving Licence, and Passport applications) on official government portals. We are not affiliated with, endorsed by, or connected to the Government of India, NSDL, UTIITSL, Parivahan, Passport Seva, or any other government entity.

Contact:
Email: privacy@formyaar.in
Website: formyaar.pages.dev
Location: Bareilly, Uttar Pradesh, India

Section 02

Scope of This Policy

This Privacy Policy applies to:

This policy does not apply to the government portals you visit while using FormYaar (such as the NSDL PAN portal, Sarathi Parivahan, or Passport Seva). Those portals have their own privacy policies and are operated independently. FormYaar's role is only to assist in populating form fields — all data you submit to those portals is governed by the relevant government authority.

⚠️ Important Distinction

FormYaar helps you fill government forms. The data you submit to those forms goes directly to the government, not to us. We only see anonymous confirmation that a form was filled successfully.

Section 03

Data We Collect

We are transparent about every piece of data that touches FormYaar. The table below separates what stays on your device from what we receive on our servers.

3A. Personal Data You Enter (Stored Locally on Your Device Only)

When you set up FormYaar, you enter details needed to fill government forms. This data is stored exclusively in your browser's local storage (chrome.storage.local) and is never transmitted to our servers.

Data Type Examples Where Stored Purpose
Full Name First, middle, last name Your Device Auto-fill name fields on government forms
Date of Birth DD/MM/YYYY format Your Device Auto-fill DOB fields on government forms
Gender Male / Female / Other Your Device Auto-fill gender selection on government forms
Aadhaar Last 4 Digits e.g. "4892" Your Device Auto-fill Aadhaar verification field (PAN form requires only the last 4 digits, not the full number)
PIN Code 6-digit area PIN code Your Device Auto-fill address/AO Code section on PAN form; also sent anonymously to our pincode lookup API to retrieve state and city name
Father's / Mother's Name Parent name fields Your Device Auto-fill family detail fields required by PAN, DL, and Passport forms
Email Address example@gmail.com Your Device Auto-fill contact fields on government forms; also collected at payment time (see Section 7)
Mobile Number 10-digit Indian number Your Device Auto-fill contact fields on government forms
Place of Verification City name Your Device Auto-fill the "Place" field in the declaration section of government forms
Proof of DOB Selection e.g. "Aadhaar Card" Your Device Auto-select the proof of date of birth document type on forms that require it
Source of Income Salary, Business, No income, etc. Your Device Auto-select the income source checkboxes on the PAN form
🔒 We Never Store Your Full Aadhaar Number

FormYaar only asks for the last 4 digits of your Aadhaar number, which is what government forms typically display for verification. We do not ask for, store, or process your 12-digit Aadhaar number at any point. Collecting, processing, or storing Aadhaar data without UIDAI's Aadhaar KUA registration is prohibited under Section 40 of the Aadhaar Act, 2016 — and we are fully compliant by design, not just by policy.

3B. Anonymous Usage Data (Sent to Our Servers)

FormYaar collects minimal anonymous telemetry to understand how the product is used and to detect when government portals change their form structure. This data does not identify you.

Data Type Details Where Stored
Form fill events Which form type was filled (e.g. "pan_card"), timestamp, success/failure status Our Server
Extension version Version number of the FormYaar extension Our Server
Error events Anonymous error codes when a field fails to fill (no personal data included) Our Server
Pincode lookup Your 6-digit PIN code is sent to our backend to retrieve the corresponding state and city name for the AO code section of the PAN form. The PIN code is not stored after the lookup is complete. Transient (not stored)

3C. Payment Data (Processed by Razorpay)

When you pay for a form fill, your payment is processed entirely by Razorpay Payment Solutions Pvt. Ltd., a PCI-DSS compliant payment gateway. We do not see, store, or process your credit/debit card number, UPI ID, or bank account details. See Section 7 for full details.

3D. Server Logs

Our backend server (hosted on Railway) generates standard HTTP access logs that include IP addresses, request timestamps, and API endpoints called. These logs are retained for up to 30 days for security monitoring and debugging and are not used for any other purpose.

Section 04

Why We Collect This Data

We follow strict data minimisation: we collect only what is necessary for the extension to function, and nothing more. Here is the specific purpose for each category:

Personal details (name, DOB, etc.)
To auto-fill government forms. This is the core function of FormYaar. Without this data, the extension cannot fill any fields. You provide this data voluntarily when setting up FormYaar, and it remains on your device.
Email address
Two purposes: (1) to auto-fill email fields on government forms; (2) when you pay for a form fill, your email is collected by Razorpay to send you a payment receipt and is provided to us (without payment details) solely to manage your fill credits and provide support if a refund is needed.
PIN code (lookup)
To resolve your Area Office (AO) Code on the PAN card form. The NSDL portal requires you to select a state and city to fetch your AO code. We look up your PIN code against a public postal database to pre-select the correct state and city automatically. The PIN code is used for this lookup only and is not stored.
Anonymous telemetry
To maintain product quality. Government portals change their HTML structure without notice. Anonymous fill events help us detect breakage and push fixes quickly through our self-healing config system, without requiring you to update the extension.
Server logs (IP, timestamps)
For security and abuse prevention. Standard server logs help us identify unusual traffic patterns, prevent abuse of our payment verification endpoints, and debug errors.
Section 05

How Data Is Stored

Your Personal Data — Device Only

All personal data you enter into FormYaar (name, DOB, Aadhaar last 4, family names, address details) is stored using chrome.storage.local — a browser API that stores data locally on your computer, inside your Chrome profile. This data:

  • Never leaves your device over the network
  • Is accessible only to the FormYaar extension — no other website or extension can read it
  • Is automatically deleted when you uninstall the FormYaar extension
  • Can be deleted manually at any time from the FormYaar extension settings panel

Session Data — Temporary

During an active form-filling session, FormYaar uses chrome.storage.session to temporarily store the current autofill state (e.g. "pan_card autofill is active on page 2 of 5"). This data:

  • Is automatically cleared when you close Chrome
  • Contains no personal information — only a flag indicating which form is being filled

Server-Side Data — Minimal

Our backend server stores only:

  • Payment order records (order ID, Razorpay payment ID, timestamp, amount) — retained for 7 years as required by Indian financial regulations
  • Anonymous telemetry events (form type, timestamp, extension version) — retained for 90 days
  • Standard HTTP access logs (IP address, endpoint, timestamp) — retained for 30 days
🔐 Encryption in Transit

All communication between the FormYaar extension and our backend server uses HTTPS (TLS 1.2 or higher). The payment page at formyaar.pages.dev is served over HTTPS. We do not support non-HTTPS connections to any endpoint that handles user data.

Section 06

Data Sharing and Disclosure

✓ We Do Not Sell Your Data. Full Stop.

FormYaar does not sell, rent, lease, or trade any personal information to data brokers, advertisers, marketing companies, or any other third parties. This is a structural commitment — we do not have the data to sell, because we do not collect your personal data on our servers in the first place.

The following are the only circumstances in which we share any data:

Razorpay (Payment Processing)

When you make a payment, you are redirected to a FormYaar-hosted payment page that loads the Razorpay checkout. Your payment details (card number, UPI ID, bank details) are entered directly into Razorpay's secure payment interface and are never seen by FormYaar. Razorpay shares with us only: payment status (success/failure), order ID, payment ID, and the email address you provide for the receipt. Razorpay's privacy policy is at razorpay.com/privacy.

Postal Pincode API

To resolve the state and city from your PIN code for the PAN form's AO Code section, we call a public Indian postal database API (api.postalpincode.in). Your PIN code is included in this request. It is a public API and the PIN code is not stored by us after the lookup.

Railway (Backend Hosting)

Our backend API is hosted on Railway (San Francisco, USA). Railway processes server-side data (logs, payment verification requests) as our infrastructure provider. Railway is GDPR-compliant and does not have access to your form data (which stays on your device).

Cloudflare (Website and Payment Page Hosting)

Our website and payment page are hosted on Cloudflare Pages. Cloudflare may process standard web request data (IP addresses, request headers) as part of their CDN and DDoS protection services.

Legal Requirements

We may disclose information if required to do so by law, court order, or government authority under Indian law (including the Information Technology Act, 2000 and any applicable successor legislation including DPDP Act, 2023), provided such disclosure is narrowly limited to what is legally required.

Section 07

Payments and Razorpay

FormYaar uses Razorpay Payment Solutions Pvt. Ltd. (CIN: U74900KA2013PTC097389) as its payment gateway. Razorpay is authorised by the Reserve Bank of India (RBI) as a Payment Aggregator and is PCI-DSS Level 1 compliant.

How the Payment Flow Works

  • When you click "Fill Form", the FormYaar extension creates a payment order via our backend and opens the payment page at formyaar.pages.dev/pay in a new tab
  • You complete payment on this page using UPI, credit/debit card, or net banking — all entered directly into Razorpay's hosted checkout
  • Razorpay notifies our backend via webhook that payment is complete
  • Our backend verifies the webhook signature using crypto.timingSafeEqual and marks the order as paid
  • The extension polls our backend, receives confirmation, and begins autofill

What FormYaar Receives from Razorpay

We receive and store: the Razorpay order ID, the payment ID, the amount (in paise), the payment timestamp, and (optionally) your email address for sending a receipt and managing your fill credits. We never receive or store your card number, CVV, UPI ID, bank account number, or any raw payment credentials.

Refunds

If you are entitled to a refund (e.g. a form fill that results in a government rejection due to a FormYaar error), refunds are processed back to your original payment method via Razorpay. To request a refund, email support@formyaar.in with your payment ID.

💳 Razorpay Handles All Card Data

FormYaar is not involved in processing, transmitting, or storing payment card data. All card-related data is handled solely by Razorpay under their PCI-DSS certification. FormYaar never touches raw card data at any point in the transaction.

Section 08

Chrome Extension Permissions

FormYaar requests the following Chrome extension permissions. We request only the minimum permissions necessary for the extension to function (the principle of least privilege).

storage
Essential. Used to save your personal details in chrome.storage.local on your device, and to manage the active autofill session state in chrome.storage.session. Without this, FormYaar cannot remember your details between sessions.
activeTab
Essential. Allows FormYaar to interact with the currently active tab — specifically to detect when you are on a supported government portal and to inject the autofill script into that page. FormYaar only activates on government portal domains (e.g. onlineservices.nsdl.com, parivahan.gov.in, passportindia.gov.in).
scripting
Essential. Allows FormYaar to inject its autofill content script into supported government portal pages so it can read form fields and fill them with your data.
tabs
Essential. Used to open the payment page in a new tab and to detect when the payment tab has closed (so the extension can stop polling for payment confirmation).
alarms
Essential. Used to poll our backend for payment confirmation at 5-second intervals. Alarms are used instead of setInterval because they survive Chrome's MV3 service worker lifecycle (service workers can be terminated between events).
host_permissions (government portals only)
Scoped access. FormYaar requests host permissions only for the specific government portal domains it supports. It does not request broad <all_urls> access. This means FormYaar cannot run on any website other than the explicitly listed government portals.
📋 Why We Don't Request Broader Permissions

FormYaar does not request permissions for browsing history, cookies, bookmarks, downloads, geolocation, camera, microphone, or clipboard beyond what is needed to fill form fields. We do not read your browsing history. We do not have access to any website you visit that is not a supported government portal.

Section 09

Data Retention

Data Category Retention Period Deleted When
Personal details in extension Until you delete it or uninstall the extension Extension uninstalled; or you click "Clear Data" in settings
Active session state Duration of one browser session Chrome is closed or restarted
Payment records (order ID, payment ID) 7 years Required by Indian financial regulations; not deleted earlier
Email (from payment) Until you request deletion Email privacy@formyaar.in to request deletion
Anonymous telemetry 90 days Automatically purged after 90 days
Server access logs (IP, timestamps) 30 days Automatically purged after 30 days
PIN code (lookup) Not stored Used only transiently during the lookup API call; not stored on our server
Section 10

Your Rights

Under Indian law (including the Digital Personal Data Protection Act, 2023) and general principles of good data stewardship, you have the following rights:

Right to Access

You can view all personal data stored by the FormYaar extension at any time by opening the extension side panel and navigating to "My Details". The data is displayed directly — it is stored on your device and we do not need to retrieve it for you.

Right to Correction

You can edit or correct any of your personal details in the FormYaar extension settings panel at any time. Changes are saved immediately to your device.

Right to Erasure (Deletion)

You can delete all your personal data stored in the extension by clicking "Clear All Data" in the extension settings. This is permanent and immediate. For data stored on our servers (such as your email address from a payment), email privacy@formyaar.in with "Data Deletion Request" in the subject line. We will process deletion requests within 30 days, subject to legal retention requirements (e.g. payment records cannot be deleted before the end of the legally required retention period).

Right to Portability

All personal data in the extension is stored in your Chrome profile. You can export it from Chrome's settings. There is no data locked in our servers that you cannot access.

Right to Withdraw Consent

You can stop using FormYaar and delete all your data at any time by uninstalling the extension. Uninstalling FormYaar clears all locally stored data automatically.

Right to Complain

If you believe we have not handled your data appropriately, you may contact us at privacy@formyaar.in. If you are not satisfied with our response, you may contact the relevant data protection authority in India.

Section 11

Children's Privacy

FormYaar is not directed at children under the age of 18. Government form applications for PAN cards, Driving Licences, and Passports are generally only available to individuals aged 18 or above (with some exceptions for minors applying with parental consent). We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided personal information to FormYaar, please contact us at privacy@formyaar.in and we will promptly delete that information.

Section 12

Security Measures

We take security seriously and have implemented the following measures:

  • HTTPS everywhere: All network communication uses TLS 1.2 or higher. No unencrypted HTTP endpoints exist for data handling.
  • Local-only storage: Personal form data is stored in chrome.storage.local, accessible only to the FormYaar extension and only on your device.
  • Webhook signature verification: Razorpay payment webhooks are verified using HMAC-SHA256 and crypto.timingSafeEqual to prevent payment fraud.
  • Path traversal protection: Our backend API allowlists supported form names to prevent path traversal attacks on the config endpoint.
  • Rate limiting: Our AI chat endpoint and API endpoints are rate-limited to prevent abuse.
  • CORS restrictions: Our backend only accepts requests from allowed origins (the FormYaar extension and payment page).
  • No raw card data: Payment card data is handled exclusively by Razorpay — FormYaar never touches raw payment credentials.
  • Structured logging: Backend logs use structured pino logging and are not logged to public services.
  • Helmet middleware: Standard HTTP security headers are applied to all backend responses.
  • Open source: Our extension code is open source, allowing public audit of our data handling practices.

Despite these measures, no system is perfectly secure. If you discover a security vulnerability in FormYaar, please report it responsibly to security@formyaar.in.

Section 13

Third-Party Links and Government Portals

FormYaar operates on top of government portal websites (such as the NSDL PAN portal at onlineservices.nsdl.com). These websites are operated by the Government of India and its agencies and have their own privacy policies, terms of service, and data handling practices. FormYaar is not responsible for the data practices of any government portal.

Our website may contain links to third-party websites (such as GitHub, the Chrome Web Store, or YouTube tutorials). These links are provided for convenience. We are not responsible for the privacy practices of any third-party website.

Section 14

Changes to This Policy

We may update this Privacy Policy from time to time as the product evolves, new forms are supported, or applicable law changes. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Display a notice in the FormYaar extension panel for 14 days following the change
  • Send an email notification to users who have provided their email address, if the changes are significant

Your continued use of FormYaar after any changes to this Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with the changes, you may uninstall the extension and delete your data at any time.

We will not retroactively change how we use data already collected without providing notice and, where required by law, obtaining fresh consent.

Section 15

Contact Us

If you have any questions about this Privacy Policy, your data, or FormYaar's data practices, please contact us:

📬 Privacy Contact Details

Name: Hemant Chauhan (ExcuseME Brother)
Privacy Email: privacy@formyaar.in
Support Email: support@formyaar.in
Website: formyaar.pages.dev
Location: Bareilly, Uttar Pradesh, India — 243001
Response Time: We aim to respond to all privacy-related enquiries within 48 hours.

For data deletion requests, please email privacy@formyaar.in with the subject line "Data Deletion Request" and include: your email address (if you made a payment), and a brief description of what data you want deleted. We will confirm deletion within 30 days.

For security vulnerability reports, please email security@formyaar.in. We take all reports seriously and will acknowledge them within 24 hours.