How this works

This site is built around one strict rule: nothing you type ever leaves your browser. That isn’t a promise — it’s a property the browser itself enforces. Here is exactly how it’s done, and how you can verify it in 60 seconds.

The architecture

• Each form is a single static HTML page. No server processes any of your answers.
• Your in-progress answers are saved in your browser’s localStorage — not a cookie, not a session token, not a request to us.
• When you finish, you download the result as a PDF (rendered by your browser’s built-in print-to-PDF) or as a JSON file. Both go straight to your computer.
• There are no third-party scripts, no analytics, no trackers, no fonts loaded from elsewhere. Even our fonts are self-hosted.

What this is not

This isn’t end-to-end encrypted form submission. Many privacy products encrypt your data in your browser, send it to a server, and have the recipient decrypt it on the other side. That’s a different model — your data still travels, even if it’s scrambled in transit.

Private Forms doesn’t encrypt anything, because nothing is being sent. When you finish, you save a PDF or JSON file to your own computer — the same way you save a Word document. What you do with that file next (email it, print it, hand it to your attorney) is entirely up to you.

It’s closer to the privacy of paper than to the privacy of an encrypted message: nothing is in motion at all.

The lock: Content-Security-Policy

Every page on this site sets a strict CSP that the browser enforces:

default-src 'none'; connect-src 'none'; form-action 'none'; ...

connect-src 'none' is the key line. It tells your browser to refuse every outbound network request this page could ever attempt — fetch, XHR, WebSocket, EventSource, beacon, anything. Even if a bug or a malicious extension tried to send your data somewhere, the browser would block it. This is enforced at the browser layer, not by our code.

Verify in 60 seconds

1. Read the CSP. Open DevTools (F12) → Network tab → reload → click the HTML document → Headers. You’ll see Content-Security-Policy with connect-src 'none'.
2. Watch the network. With Network open, fill in a form, scroll, click buttons. Only the HTML, fonts, and engine files load. No third-party domains. No POSTs.
3. Try to cheat it. In DevTools Console, paste fetch('https://example.com'). The browser blocks it with a CSP violation message. The same rule applies to every line of JavaScript on this page.
4. Airplane-mode test. After a form loads, turn off Wi-Fi. Fill fields, autosave still works, download PDF and JSON still work. A page that can’t reach the network can’t exfiltrate anything.
5. Read the source. The whole site is plain HTML / CSS / JavaScript with zero external dependencies. Press Ctrl+U (or Cmd+Option+U) on any page to view source.

What is not hidden

• The hosting provider sees that an IP visited the URL — same as any website. They cannot see what you type.
• Your browser’s autofill may store data locally; that’s your browser, not this site.
• When you share the downloaded file by email or upload, the security of that channel is on you.

Want to add a form?

Each form is a JSON file in the /forms/ directory of the open-source repo. A small build script renders each into its own static page. If you have a paper form you’d like to see online, browse the catalog — or fork the repo and add your own.