Privacy Policy
Hush Notes – Chrome Extension
Overview
Hush Notes is a browser extension that provides an encrypted, password-protected notes and to-do list in your browser sidebar. All data is encrypted and stored locally on your device. This privacy policy explains what data is collected, how it is secured, and how it is stored.
Encryption and Security
Hush Notes uses industry-standard cryptography to protect your data:
- Password handling: Your password is never stored. It is used to derive a cryptographic key via PBKDF2 (100,000 iterations, SHA-256). A verification token (encrypted known plaintext) is stored to validate the password on subsequent unlocks.
- Note encryption: All notes and to-dos are encrypted with AES-256-GCM before being written to storage. Data is only readable when unlocked with the correct password.
- Key lifecycle: The encryption key exists only in memory while the extension is unlocked. It is cleared immediately when the extension is locked or the browser is restarted.
- Brute-force protection: After 5 consecutive failed password attempts, the extension enforces exponential backoff delays.
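The password check and backoff described in this section can be sketched as follows. This is an added example, not code from Hush Notes: it uses Node.js's crypto module so it runs outside a browser, and the salt and IV sizes, the known-plaintext string, the token field names, and the one-second doubling delay are assumptions not stated in this policy.

```javascript
// Added illustration, not Hush Notes source. Runs under Node.js.
const crypto = require('node:crypto');

const ITERATIONS = 100000;               // PBKDF2 count stated in the policy
const KNOWN_PLAINTEXT = 'verify-token';  // hypothetical known plaintext
const BASE_DELAY_MS = 1000;              // assumed; the policy gives no value

function deriveKey(password, salt) {
  // 32-byte output is used directly as the AES-256 key
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// First-time setup: only salt, IV, ciphertext and GCM tag are stored.
function createToken(password) {
  const salt = crypto.randomBytes(16);   // assumed random salt
  const iv = crypto.randomBytes(12);     // 96-bit GCM nonce
  const key = deriveKey(password, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(KNOWN_PLAINTEXT, 'utf8'), cipher.final()]);
  const token = { salt, iv, ct, tag: cipher.getAuthTag() };
  key.fill(0);                           // key does not outlive setup
  return token;
}

// Unlock: returns the in-memory key, or null when the password is wrong
// or the stored token was modified (the GCM tag check fails in final()).
function unlock(password, token) {
  const key = deriveKey(password, token.salt);
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, token.iv);
    d.setAuthTag(token.tag);
    const pt = Buffer.concat([d.update(token.ct), d.final()]);
    if (pt.toString('utf8') === KNOWN_PLAINTEXT) return key;
  } catch (err) {
    // authentication failure: fall through to the wipe below
  }
  key.fill(0);
  return null;
}

// No delay below 5 consecutive failures, then the delay doubles each time.
function backoffMs(consecutiveFailures) {
  if (consecutiveFailures < 5) return 0;
  return BASE_DELAY_MS * 2 ** (consecutiveFailures - 5);
}
```

Because GCM authenticates the ciphertext, a wrong password and a modified token are indistinguishable at unlock: both fail the tag check and yield no key.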
Data Collection and Usage
The extension stores the following data entirely on the user's device:
- Encrypted notes and to-dos: All note content, titles, types, priorities, tags, and groups are encrypted with AES-256-GCM and stored locally using Chrome's chrome.storage.local API.
- User preferences: Settings such as auto-lock duration, custom tags, and groups are stored locally on the user's device.
- Password verification token: An encrypted token used to verify the password. The plaintext password is never stored.
Third-Party Services
Hush Notes does not connect to any third-party services, APIs, or external servers. All functionality operates entirely offline within the browser.
The extension includes an optional "Buy me a coffee" button that opens a PayPal donation page (paypal.me) in a new browser tab. This action does not transmit any extension data — it simply navigates to an external URL.
Data Storage
- All user data is encrypted and stored locally on the user's device using Chrome's storage API.
- No note content, passwords, or personal data is ever transmitted over the network.
- No data is sent to the extension developer or any server controlled by the extension developer.
- No analytics, tracking, or telemetry data is collected.
Data Sharing
The extension does not sell, share, or transfer user data to any third party. No user data leaves the device under any circumstances.
Permissions
The extension requests the following browser permissions:
- sidePanel: Required to display the notes interface in the browser sidebar.
- storage / unlimitedStorage: Required to save encrypted notes, settings, and the password verification token locally on the device.
User Control
- Users can export all notes as Markdown files at any time from the Settings tab.
- Users can reset all data (notes and settings) at any time from the Settings tab.
- Users can change their password at any time from the Settings tab. Notes are re-encrypted with the new key automatically.
- Uninstalling the extension removes all locally stored data.
Changes to This Policy
This privacy policy may be updated from time to time. Any changes will be reflected on this page with an updated effective date.
Contact
If you have any questions or concerns about this privacy policy, please contact us at jay.fu.ai@gmail.com.
Effective date: March 19, 2026