PGP for Firefox does not collect, transmit, or store any user data on remote servers.

All keys, passphrases, and message contents stay on your device, in your Firefox profile (browser.storage.local). No telemetry. No analytics. No remote logging.

The only outbound network requests the addon ever makes are public-keyserver lookups (to keys.openpgp.org and keyserver.ubuntu.com), and only when you explicitly click "Look up & verify" on an in-page badge. These lookups transmit the signer's public key ID — the same identifier that anyone reading the signed message can see — and nothing else. The addon never sends page contents, your keyring, or any other identifying information to any server.

Permissions the addon requests:
• storage — to persist your keyring locally.
• tabs — to open the notepad / keyring pages.
• host_permissions <all_urls> — the page scanner must read text from every site (PGP blocks can appear anywhere), but it never sends that text anywhere.

Source code is available; see the source bundle submitted to Mozilla or the upstream repository.