Privacy Policy — Papeleo
Last updated: February 21, 2026
Effective date: February 21, 2026
1. Who we are
This browser extension (“Papeleo”) is developed and published by:
Xabarin B.V.
KvK: 69834717
Registered in Amsterdam, The Netherlands
Contact: hola@getpapeleo.com
For questions about this privacy policy or your personal data, you can reach us at hola@getpapeleo.com.
2. What this extension does
Papeleo is a productivity tool designed for anyone who fills online forms repeatedly — bookkeepers, accountants, sellers, expats, families and administrative professionals. It allows users to:
- Import data from CSV and XLSX files into collections (groups of same-type data)
- Auto-fill web form fields using the imported records
- Create and save custom field mappings per website
- Store multiple collections and records locally for repeated use
3. Data we process — and where it stays
3.1 Data imported by the user
When you import a CSV or XLSX file, the records (names, identification numbers, addresses, contact details, tax identifiers, product details, and any other fields present in your file) are:
- Stored exclusively on your local device, in the browser’s local storage (chrome.storage.local)
- Encrypted at rest using AES-256-GCM via the Web Crypto API
- Never transmitted to our servers or any third party
- Never accessible to Xabarin B.V. or any of our service providers
We have no technical means to access, view, recover, or process the data you import into the extension. Your device is the sole location where this data exists.
3.2 Field mappings and configuration
Custom field mappings (which CSV column maps to which form field) and your extension settings are stored locally on your device alongside the imported data, under the same encryption. These mappings may contain field labels from websites you use but do not contain PII.
3.3 Account and payment data
When a paid version of Papeleo becomes available, your payment will be processed by Paddle (as Merchant of Record). During this process:
- Your email address is collected to create and manage your subscription
- Your payment details (credit card, SEPA, PayPal, etc.) are processed directly by Paddle and are never accessible to us
- Your subscription status (active, cancelled, trial) is stored by Paddle to enable premium features
- VAT is calculated and collected by Paddle automatically based on your location
Paddle’s privacy policy: https://www.paddle.com/legal/privacy
3.4 Usage analytics
We use Umami, a privacy-focused, cookie-free analytics tool, to collect anonymous, aggregated usage data on our website (getpapeleo.com). This includes:
- Page views and referral sources
- Browser type and device category
- Country (approximate, from IP — IP addresses are not stored)
We do not collect: the content of any form field, any imported data, any URL containing personal information, or any browsing history. Umami does not use cookies and does not track individual users across sessions.
The extension itself makes no analytics or telemetry network requests.
4. Legal basis for processing (GDPR Article 6)
| Data | Legal basis | Details |
|---|---|---|
| Imported data (CSV/XLSX) | Not applicable — data is processed locally on your device; Xabarin B.V. is not a data processor | You remain the sole data controller |
| Email (payment) | Contract performance (Art. 6(1)(b)) | Necessary to provide the subscription service |
| Payment details | Contract performance (Art. 6(1)(b)) | Processed by Paddle as Merchant of Record |
| Website analytics | Legitimate interest (Art. 6(1)(f)) | To improve website quality; anonymous, cookie-free, no PII |
Important note on roles
Because all imported data is processed exclusively on your local device and is never transmitted to or accessible by Xabarin B.V., we do not act as a data processor under GDPR with respect to the data you import. You (the user) remain the data controller for any personal data stored in your collections.
If you are a professional processing your clients’ personal data using this extension, you are responsible for having a lawful basis for that processing under GDPR (typically: contractual necessity or legitimate interest in performing your administrative services).
5. Data sharing
We do not sell, rent, trade, or share any personal data with third parties for advertising, marketing, or any purpose unrelated to the core functionality of the extension.
The only third-party services involved are:
| Service | Purpose | Data shared |
|---|---|---|
| Paddle | Payment processing and subscription management (Merchant of Record) | Email, payment method, billing address (processed by Paddle directly) |
| Umami | Anonymous website analytics (cookie-free) | Aggregated page views, browser type, country — no PII |
No imported data (the data you store in collections from CSV/XLSX files) is ever shared with any third party.
6. Data retention
| Data | Retention |
|---|---|
| Imported data (local) | Until you delete it from the extension, or uninstall the extension |
| Field mappings (local) | Until you delete them or uninstall |
| Payment/subscription data | As long as your account exists with Paddle; subject to Paddle’s retention policies |
| Website analytics | Aggregated data retained for up to 24 months; no individual user data is stored |
7. Data security
- Imported data is encrypted at rest using AES-256-GCM via the browser’s Web Crypto API
- No imported data is transmitted over any network
- The extension requests only the minimum permissions required:
  - activeTab — to read and fill form fields on the current page, only when you click “Fill”
  - storage / unlimitedStorage — to store encrypted collections and records locally
  - <all_urls> (host permission) — to fill forms on any website you navigate to (only triggered by explicit user action)
  - alarms — to implement automatic session lock after inactivity (clears decrypted data from memory)
  - webNavigation — to detect iframes within pages so form fields inside embedded frames can also be filled
- Payment data is handled by Paddle, which maintains PCI DSS compliance
8. Your rights under GDPR
If you are in the European Economic Area (EEA), you have the following rights regarding the personal data we hold about you (specifically: your email and subscription data managed by Paddle):
- Access — Request a copy of the data we hold about you
- Rectification — Request correction of inaccurate data
- Erasure — Request deletion of your data (“right to be forgotten”)
- Restriction — Request that we limit processing of your data
- Portability — Request your data in a machine-readable format
- Objection — Object to processing based on legitimate interest
- Withdraw consent — Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at hola@getpapeleo.com. We will respond within 30 days.
Regarding data stored locally in the extension: since this data exists only on your device and we have no access to it, you can exercise full control over it directly within the extension (view, export, delete).
You also have the right to lodge a complaint with your local data protection authority. In The Netherlands: Autoriteit Persoonsgegevens (https://autoriteitpersoonsgegevens.nl). In Spain: Agencia Española de Protección de Datos (https://www.aepd.es).
9. International transfers
We do not transfer imported data internationally (it never leaves your device). Subscription-related data (email, payment status) may be processed by Paddle, whose servers may be located outside the EEA. Paddle maintains appropriate safeguards for international data transfers (Standard Contractual Clauses).
10. Children’s privacy
This extension is not directed at individuals under the age of 16. We do not knowingly collect personal data from children.
11. Chrome Web Store compliance
In accordance with Chrome Web Store Developer Program Policies:
- This extension’s use of data is limited to providing or improving the extension’s core functionality (form auto-filling)
- Data collected by this extension is not used for personalized advertising
- Data is not sold to third parties, data brokers, or information resellers
- Data is not used to determine creditworthiness or for lending purposes
- All sensitive data is encrypted at rest and in transit (where applicable)
12. Changes to this policy
We may update this privacy policy to reflect changes in the extension’s functionality or legal requirements. Material changes will be communicated through the extension or the Chrome Web Store listing. The “last updated” date at the top of this policy indicates when it was most recently revised.
13. Contact
For any questions, concerns, or requests related to this privacy policy or your personal data:
Xabarin B.V.
Email: hola@getpapeleo.com
KvK: 69834717