Your Private Key (nsec)
Your nsec is never stored in plain text. When
you set an encryption password, we encrypt your nsec using
AES‑256‑GCM and derive the encryption key using
PBKDF2 with 200,000 iterations. Only the
encrypted blob is saved in your browser's local storage.
When you unlock the app with your password, the nsec is
decrypted on‑the‑fly and used to sign Nostr events. It is never
transmitted to any server.
Where Your Data Lives
Everything stays on your device. All your
messages, contacts, settings, profile information, and pinned
chats are stored exclusively in your browser's
localStorage. We do not have any backend database.
Your encrypted DMs are sent directly to the Nostr relays you
configure, but we never see or store them.
Decentralized by Design
NostrChat is a pure client‑side application. It runs entirely in
your web browser or as an installed PWA. There is no central
server that can access your private key or messages. You remain
in full control.
Deleting Messages
When you delete a message, we publish a Kind 5 deletion request
to the Nostr network. Compliant relays will remove the event.
The message is also removed from your local view immediately.
Open Source
NostrChat is open source (MIT). You can inspect the code to
verify that no data leaves your device unexpectedly. The source
is available on GitHub.
No telemetry, no
tracking, no external analytics – ever.