Privacy is at the core of Nozee. Our site's purpose is to provide users with a completely private but verified message board for honest conversations.
We do not collect any personally identifiable information, such as name or email address, in our database through our authentication process. In addition, no sensitive information is revealed to our servers unless you voluntarily include sensitive or personally identifiable information in your posts or comments. We do not collect IP or device information, and do not store cookies for user preferences. We do not host advertisements, and do not use any third-party analytics tools. We also do not use any of the content stored in our database for purposes other than displaying it to you.
Account information
1. Your ECDSA public key, which is used to verify all actions made by you, is stored in our database. This key is never tied to your identity, only to your organization.
2. Your organization's domain.
3. The proof that can be used to verify that you are a part of your organization. Personal information, such as your name, email, or the raw JSON Web Token, is a private input and is NEVER revealed to our server or stored in our database.
Content you submit
The posts, comments, and likes you submit to Nozee are stored in our database, and are tied to your public key and your organization's domain.
To prove that you own an email address with your workplace's domain, we verify JSON Web Tokens (JWTs) from the ChatGPT server, signed by Auth0, completely privately using zero-knowledge proofs.
Our extension extracts your JWT from ChatGPT network requests and passes it as a query parameter to our app. The JWT is handled client-side and is never revealed to our servers. Instead, a zero-knowledge proof is used to verify the signature and output the domain contained within the JWT. Your ECDSA public key is tied to the proof and serves as your Nozee identity. However, neither the public key nor the proof is tied to any personally identifiable information.
Your ECDSA private key is stored in IndexedDB with the extractable attribute set to false, meaning a client that is not of the https://nozee.xyz origin cannot extract your private key.
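An added example (not Nozee's own code) of the key handling described above: it generates an ECDSA key pair through WebCrypto with extractable set to false and checks that the private key cannot be exported while signing and verification still work. The P-256 curve, the SHA-256 hash and all function names are assumptions; the IndexedDB storage step is left out so the block also runs outside a browser.

```javascript
// Added example: behaviour of a non-extractable ECDSA key in WebCrypto.
// Works in a browser or Node.js; the require() fallback only covers older Node versions.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

const KEY_ALG = { name: "ECDSA", namedCurve: "P-256" }; // assumed curve
const SIG_ALG = { name: "ECDSA", hash: "SHA-256" };     // assumed hash

// The second argument is `extractable`. With false, the private key can be
// used through the API but its raw material can never be exported.
async function createIdentity() {
  return subtle.generateKey(KEY_ALG, false, ["sign", "verify"]);
}

// Returns true only if the private key material could be exported.
async function privateKeyExportable(keyPair) {
  try {
    await subtle.exportKey("pkcs8", keyPair.privateKey);
    return true;
  } catch (err) {
    return false; // export of a non-extractable key is rejected
  }
}

// Signs a message, then verifies it and a modified copy with the public key.
async function signAndVerify(keyPair, text) {
  const enc = new TextEncoder();
  const sig = await subtle.sign(SIG_ALG, keyPair.privateKey, enc.encode(text));
  return {
    valid: await subtle.verify(SIG_ALG, keyPair.publicKey, sig, enc.encode(text)),
    tamperedValid: await subtle.verify(SIG_ALG, keyPair.publicKey, sig, enc.encode(text + "!")),
  };
}

async function demo() {
  const keyPair = await createIdentity();
  // The public half is always exportable, so it can be sent to a server.
  const publicJwk = await subtle.exportKey("jwk", keyPair.publicKey);
  return {
    privateExtractable: keyPair.privateKey.extractable,
    publicExtractable: keyPair.publicKey.extractable,
    privateExported: await privateKeyExportable(keyPair),
    publicCurve: publicJwk.crv,
    ...(await signAndVerify(keyPair, "constructed sample post")),
  };
}
```

A non-extractable key can still be used for signing by any script that runs in the page's origin, so the setting protects the key material rather than its use.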