Privacy Policy
Last updated: April 17, 2026
SignalFire is operated by Orange-Hat, LLC. This policy explains what we collect, how we use it, and what your choices are. The short version: we try hard not to know things we don't need to know.
1. Your plaintext never leaves your browser
When you author a signal, the plaintext is normalized, hashed, and encrypted in your browser before anything is sent to our servers. We receive only the ciphertext, its SHA-256 hashes, and the metadata you chose (unlock time, burn amount, author mode). This is a design property, not a promise: the server-side code in /api/posts/draft verifies the hash before pinning, and the repository is open-source if you want to audit it.
2. What we do store
- Your DigiByte address -- the public key you authenticate with via Digi-ID. It is your account identifier. We never see your private key.
- Session rows in our database, for active logins. These expire after 7 days, or sooner if you sign out or revoke them.
- Post metadata: status, unlock time, burn amount, author mode, and the IPFS CID + hashes of your encrypted payload. This information is public on locked / revealed posts.
- Judgments you record on other posts (Accurate / Wrong / Debatable). Public.
- An append-only audit log of reveal successes, reveal failures, login callbacks, and similar internal events. Used for debugging by operators; not exposed publicly.
3. What we do not store
- Plaintext titles or bodies of signals.
- Your private keys, recovery phrases, or wallet seed.
- Email addresses, phone numbers, or legal names.
- Browser fingerprints, ad identifiers, or third-party tracking.
4. Cookies
We set exactly one cookie: sf_session. It carries a server-side session identifier, signed with HMAC-SHA256 so we can detect tampering. The cookie is HttpOnly, SameSite=Lax, and Secure in production. No analytics cookies, no ad cookies.
5. Third parties we talk to
- DigiByte block explorer (default:
digibyteblockexplorer.com). When you submit a burn txid, our server queries the explorer's public API. The explorer sees our server IP and the txid; not you. - drand quicknet (public randomness beacon). We pin the encrypted content key to a future drand round; the reveal worker fetches that beacon when the time comes. No personal data is sent to drand.
- IPFS: the encrypted payload is pinned to our local Kubo node and replicates to the public IPFS network. Anyone can retrieve the ciphertext; only the drand beacon (after unlock) can decrypt it.
- Let's Encrypt issues the TLS certificate for the site. Standard certificate-transparency logs publish the domain name publicly.
6. Data retention
- Locked and revealed signals: retained indefinitely. Integral to the product's public-record function.
- Draft posts (
pending_commit): you may delete them at any time via the UI. - Active sessions: revoked automatically 7 days after creation, or immediately on sign-out or manual revoke.
- Expired / failed Digi-ID challenges: deleted by a background sweep 7 days after they fall out of use.
- Audit events: retained indefinitely for operational debugging.
7. Your rights
You can sign out at any time, revoke individual sessions on the account page, and delete any draft you haven't yet locked. Locked and revealed signals cannot be deleted -- their whole point is that they're cryptographically committed on-chain and on IPFS.
8. Security
We keep the application and its dependencies current, run automated security audits on the code path, and log potentially-suspicious events. If you find a vulnerability, please let us know before disclosing publicly.
9. Changes
We may update this policy. Material changes will be announced on the site. Continued use after an update means you accept the revised policy.