Privacy Policy — Caja Fuerte

Caja Fuerte does not collect, transmit, sell, or share any personal data. There is no account, no server, no sync, and no analytics. Everything stays on
your own device.

What the extension handles: the links you save (URL and title), your tags, per-entry settings (expiry date, maximum opens, scheduled-reveal date), a salt
and an encrypted verification value used to check your master password, and your auto-lock preference.

Where it is stored: locally in your own Firefox profile, using extension storage (salt, verification value, settings) and IndexedDB (the encrypted link
records). The extension never uses sync and never writes your data to any remote location.

How it is protected: link URLs and titles are encrypted with AES-256-GCM, with a key derived from your master password using PBKDF2 (SHA-256, 600,000
iterations) and held in memory only. Some per-entry metadata (expiry date, maximum opens, scheduled-reveal date, slot) is stored as plaintext flags so the
app can manage entries without decrypting them; this metadata contains no URLs or titles.

Not collected or transmitted: no browsing history, no analytics, telemetry or crash reporting, no advertising identifiers, no personal information sent to
anyone. The extension makes no network requests. The serverless sharing feature produces a self-contained encrypted code on your device; you choose how
to send it.

Permissions: "storage" (keep the encrypted vault on your device), "clipboardWrite" (copy a single URL when you click Copy), and "activeTab" (read the
active tab's URL/title only when you click "Add current page"). No host permissions; no access to page content.

No password recovery: your master password is never stored and cannot be recovered. If you forget it, the encrypted data cannot be decrypted.

Full policy: https://gist.github.com/JIZR-DEV/5bba2e6c23937833ecac3372de1ce829
Contact: joseignaciozavalarocha@gmail.com