To use these add-ons, you'll need to download Firefox.

Log in
Add-on icon

Privacy policy for Soapbox.pub Signer

Soapbox.pub Signer by Soapbox

5 Stars out of 5
5
1
4
0
3
0
2
0
1
0
Privacy policy for Soapbox.pub Signer

Privacy Policy

Last Updated: November 1, 2025

Overview

Soapbox Signer is a browser extension that implements the NIP-07 signer protocol
for Nostr. This privacy policy explains how the extension handles your data.

Core Principle: The extension does not collect, transmit, or share any data
except for operations you explicitly authorize through its user interface.

What Data the Extension Stores

All data is stored locally on your device using the browser's extension storage
API. The extension stores:

User Profiles

  • Public key (hex format)
  • Private key (nsec or hex format) - stored only locally, never transmitted
  • Profile metadata (display name, username, avatar, bio, website, etc.) -
    retrieved from Nostr relays when you add a profile
  • Timestamps (when profile was created, last used)

Permissions
  • Domain permissions - which websites you've granted access to which actions
  • Per-domain authorizations including:
  • Public key reading permissions
  • Event signing permissions (with specific event kind allowlists)
  • Encryption/decryption permissions
  • Trusted domains list - websites set to automatically approve certain
    operations

Settings
  • Active profile selection
  • Trusted domains for auto-approval
  • User preferences (e.g., reload tabs on identity change)
  • Extension version

What Data the Extension Transmits

The extension does not transmit any data to external servers. All
cryptographic operations happen locally:
  • Event signing - performed entirely on your device
  • Encryption/decryption - performed entirely on your device using NIP-04 and
    NIP-44 standards
  • Public key derivation - performed entirely on your device

Browser Communication

The extension only communicates with:
  • Your browser - through standard extension APIs
  • Websites you visit - responding to NIP-07 signer requests you explicitly
    authorize
  • Nostr relays - the three big Nostr relays. This is to fetch your account
    data and publish your profile event to/from relays.

What the Extension Never Does
  • ✗ Sends your private keys to any server
  • ✗ Tracks which websites you visit
  • ✗ Collects analytics or usage statistics
  • ✗ Transmits event content or transaction history
  • ✗ Stores cookies or tracking identifiers
  • ✗ Communicates with external services without your explicit action
  • ✗ Monetizes or sells any data

How Permissions Work

The extension requires explicit permission for each domain (website) to perform
actions:
  1. First Request - When a website requests an action (sign event, encrypt,
    etc.), the extension shows you a confirmation dialog
  2. User Authorization - You can:
  3. Approve once
  4. Approve and remember for this domain/action
  5. Approve and remember for all actions on this domain
  6. Deny the request
  7. Permission Storage - Approved permissions are stored locally only
  8. Permission Revocation - You can revoke any permission at any time through
    the extension's options page

Data Deletion

You maintain complete control over all stored data:
  • Remove profiles at any time through the extension UI
  • Delete permissions for any domain
  • Clear all data by uninstalling the extension (all local data is deleted)
  • Export/import your profiles for backup purposes

Security Practices
  • Private keys are stored locally in the browser's extension storage
  • No backups or sync services are used
  • Cryptographic operations use the nostr-tools library
  • The extension runs with minimal permissions
  • All code is open source for security review

Third-Party Code

The extension uses the following open-source dependencies (which do not collect
data):
  • nostr-tools - Nostr cryptography utilities
  • @nostrify/nostrify - Nostr SDK
  • React - UI framework
  • Tailwind CSS - Styling

None of these dependencies include tracking or data collection code.

Changes to This Policy

This policy may be updated as the extension evolves. Significant changes will be
noted in the extension's changelog.

Contact

For privacy questions, contact the developers through the extension's source
repository.

Your Rights

You have complete control over:
  • What data is stored locally
  • Which permissions are granted to each domain
  • When to revoke permissions
  • Whether to continue using the extension

No data is processed, stored, or transmitted without your explicit
authorization.