Legal
Privacy policy
DiscordPGP is built so that we can't read your messages even if we wanted to. This page states plainly what the extension and site do and don't collect.
What we never collect
- Your message content. Messages are encrypted in your browser with RSA-2048 + AES-256 before they leave your device. We only ever store ciphertext.
- Your private key. Keypairs are generated locally with the Web Crypto API. The private key is downloaded to you and is never transmitted to us.
- No tracking. No analytics, no advertising, no third-party trackers, no behavioural profiling.
What the extension accesses
- storage: to keep your loaded key and settings on your device, in the browser's local extension storage.
- scripting and host access to
discord.com: to encrypt outgoing messages and decrypt incoming ones inside the Discord tab. - Host access to
discordpgp.com: to register your public key and store/fetch encrypted message envelopes.
What the server stores
- Public keys mapped to your Discord user ID.
- Encrypted message envelopes: ciphertext, IV, per-recipient wrapped keys, sender ID and signature. No plaintext.
- Metadata: sender, recipients and timing of encrypted messages, and short-lived channel presence for recipient discovery.
- Your optional public profile if you create one.
We don't sell or transfer user data to third parties, don't use it for anything unrelated to running DiscordPGP, and don't use it for creditworthiness or lending. For the full technical detail see the protocol & threat model.
Contact
Questions or requests: open a GitHub issue. This policy may be updated; material changes will be noted in the repository.