Privacy Policy

The short version

PopNxt is a community platform for Chicago vendors. We also offer a Chrome extension ("PopNxt Auto-Fill") that helps you fill out event application forms faster. We collect what we need to run the platform and extension, we never sell your data, and we only share form field labels (not your answers) with our AI provider to match fields to your profile.

PopNxt Website

What we collect (website)

When you create an account, we collect:

• Your email address (for login and account recovery)
• Display name (what other vendors see)
• Business name
• Business category
• What you sell
• Bio (optional)

If you sign in with Google, we receive your name and email from Google. We don't access your Google contacts, calendar, or anything else.

We also collect content you create on the platform: event submissions, comments, votes, and bookmarks.

How we use it (website)

• Running your account and keeping you logged in
• Showing your display name and business info to other vendors
• Displaying your contributions (comments, votes, submissions)
• Sending you important account-related emails (password resets, etc.)
• Improving the platform based on how people use it

Cookies

We use cookies for one thing: keeping you logged in. These are authentication session cookies managed by our auth provider (Supabase). We don't use tracking cookies, advertising cookies, or third-party analytics cookies.

PopNxt Auto-Fill Chrome Extension

What the extension does

The PopNxt Auto-Fill extension detects event application forms on web pages and fills them in with your saved vendor profile data. It saves you from re-typing your business name, contact info, and booth preferences on every application.

What data the extension collects

Application profile

When you set up the extension, you provide an expanded vendor profile used for auto-filling. This includes:

• Contact name, email, and phone number
• Instagram handle and website URL
• Business description
• Booth preferences (size, electricity, tent/canopy)
• Experience info (events attended, years in business)
• City, state, and zip code
• Tax ID and food handler's license status (if applicable)
• Custom answers you save from previous applications

This profile data is stored in our database (Supabase) and in Chrome's local extension storage on your device.

Form field labels

When the extension detects a form, it reads the field labels, placeholder text, field names, and select-menu options from that form. These labels are sent to our server so we can match them to your profile fields. We send the form's structure -- not the values you or anyone else has typed into the form.

Application tracking

When you fill or submit a form, we record:

• The URL and domain of the form
• The page title
• How many fields were detected, auto-filled, and manually completed
• A snapshot of which fields were filled and what values were used (so you can review what was submitted)
• The status of the application (filled, submitted, confirmed, etc.)

Authentication tokens

The extension stores your PopNxt authentication token in Chrome's extension storage to keep you logged in. This token is used to communicate securely with our API.

What the extension does NOT collect

• Browsing history. The content script runs on all pages but only activates when it finds a form with 4 or more visible fields that looks like an application. It ignores search forms, login forms, checkout pages, and payment forms. We never record which pages you visit.
• Passwords or payment info. The extension explicitly excludes login, checkout, and payment forms. It never reads or fills password or credit card fields.
• Other people's data. The extension only reads form structure (labels and field types), not values that anyone has typed into the form.
• Data from non-form pages. If a page doesn't have a qualifying form, the extension does nothing and sends nothing to our servers.

How the extension uses your data

• Your application profile is used to auto-fill form fields
• Form field labels are used to determine which profile field maps to which form field
• Application tracking lets you see a history of forms you've filled and what was submitted
• Custom answers you save are reused on future forms that ask the same questions

Host permissions (<all_urls>)

The extension requests access to all websites because event application forms live on hundreds of different domains (Google Forms, Jotform, Squarespace, Wix, GoHighLevel, custom sites, etc.). There is no way to predict which domains you'll encounter. The extension only activates on pages with qualifying forms and does not read, store, or transmit any data from pages without forms.

Shared Practices

Third-party services

• Supabase -- database and authentication. Your account data, vendor profile, application profile, and application history are stored in a Supabase-hosted PostgreSQL database (US-based cloud infrastructure).
• Anthropic (Claude Haiku) -- AI field matching. When the extension encounters form fields that can't be matched by pattern alone, we send the form field labels (not your profile values or form answers) to Anthropic's Claude API for smarter matching. Anthropic does not use API data to train their models. Your profile data is included in the matching request so the AI can determine which profile fields correspond to which form fields.
• Vercel -- hosting. The PopNxt website and API are hosted on Vercel (US-based).

We do not share your data with advertisers, data brokers, or any other third parties.

What we don't do

• We don't sell your data to anyone
• We don't share your email with other vendors (only your display name and business info are visible on the platform)
• We don't run targeted ads
• We don't track you across websites
• We don't use your data for AI model training

Data retention

We keep your data for as long as your account is active. Application tracking records are retained so you have a history of every application you've filled.

If you delete your account, we remove your vendor profile, application profile, and authentication data. Content you created on the platform (comments, event submissions, votes) remains but is no longer linked to your identity.

Extension storage on your device is cleared when you uninstall the extension or log out.

Security

• All data is transmitted over HTTPS
• Authentication uses Supabase Auth with secure token handling
• The extension communicates with our API using bearer token authentication
• Database access is protected by row-level security (you can only access your own data)
• API endpoints are rate-limited to prevent abuse
• We do not store your password in plain text (handled by Supabase Auth with bcrypt hashing)

Where your data lives

Server-side data is stored in Supabase (US-based cloud infrastructure) and served through Vercel (US-based). The extension also stores your profile and auth token locally in Chrome's extension storage on your device.

Your rights

• Access. You can view all your profile data in your account settings and all application history in the extension or on the website.
• Update. You can edit your profile and application profile at any time.
• Delete. You can request deletion of your account and all associated data by emailing us. We will remove your account, vendor profile, application profile, and application history.
• Export. You can request a copy of your data by emailing us.
• Uninstall. You can remove the Chrome extension at any time. This clears all locally stored data. Your server-side data remains until you delete your account.

Children

PopNxt is not designed for anyone under 18. We don't knowingly collect information from minors. If you believe a minor has created an account, please contact us and we'll remove it.

Changes to this policy

If we make meaningful changes to how we handle your data, we'll update this page and the "last updated" date. For major changes, we'll do our best to give you a heads up.

Questions?

Reach out to isaac.lee@saccly.com.