Privacy Policy
Last updated: 31 March 2026
FuseBox is a browser extension that blocks distracting websites. We built it to be as private as possible. Here's exactly what we collect, what we don't, and how your data is protected.
The short version: We collect your email (encrypted), a hashed password, and your fuse configuration. That's it. No browsing history, no tracking, no analytics. Your data is yours.
What we collect
If you create an account to sync across devices, we store:
- Email address — encrypted at rest using AES-256-GCM. We cannot read your email in our database. It's used solely to identify your account when you log in.
- Password — hashed using PBKDF2-SHA256 with 100,000 iterations and a unique random salt. We never see or store your actual password.
- Fuse configuration — which categories, sites, and features you've toggled on or off. This is what syncs between your devices.
What we don't collect
- No browsing history
- No page content
- No cookies or session data from other sites
- No analytics or usage tracking
- No advertising identifiers
- No data is sold or shared with third parties
Without an account
FuseBox works perfectly without creating an account. Your fuse selections are stored locally in your browser's storage and are never sent anywhere. No data leaves your device.
Where data lives
- Local device — your selections are stored in the browser's local storage. This data stays on your device and is removed when you uninstall the extension.
- Cloud sync (optional) — if you create an account, your encrypted email, hashed password, and fuse configuration are stored on Cloudflare's D1 database infrastructure.
- Self-hosted option — you can run your own FuseBox sync server using Docker. In this case, all data stays on your own infrastructure and never touches our servers.
How the extension works
The FuseBox extension runs entirely in your browser. When you toggle a fuse:
- Domain-level blocks use Chrome's declarativeNetRequest API — the browser blocks requests before they're made. The extension never sees the content of blocked pages.
- Feature-level blocks (like hiding YouTube comments) inject a small CSS stylesheet that hides specific elements. No page content is read or transmitted.
- The extension communicates with the FuseBox dashboard website via postMessage to receive configuration updates. This only happens on the FuseBox dashboard page, not on any other website.
Permissions explained
- "Read and change all your data on all websites" — this permission (<all_urls>) is required because FuseBox needs to block any website you choose and hide elements on any site. The extension only uses this to apply your blocking rules — it does not read, collect, or transmit any page content.
- Storage — to save your fuse selections locally.
- declarativeNetRequest — to block website requests at the browser level.
Third-party services
- Cloudflare — hosts the website, API, and database (for sync accounts). Cloudflare's privacy policy.
- Stripe — processes payments if you upgrade to a paid sync plan. We do not store your card details. Stripe's privacy policy.
- Google Fonts — loads the DM Sans typeface on the dashboard website. No fonts are loaded by the extension itself.
Data retention and deletion
You can delete your account at any time from the Settings panel. This immediately and permanently removes all your data from our servers — your encrypted email, hashed password, fuse configuration, device registrations, and sessions. There is no recovery.
If you uninstall the extension without an account, all local data is automatically removed by your browser.
Children
FuseBox does not knowingly collect data from children under 13. The extension can be used by parents to block content on their children's devices using the device lock feature.
Changes to this policy
If we make significant changes to this policy, we'll update the date at the top and note what changed. The extension itself does not collect any additional data beyond what's described here.
Contact
Questions about privacy? Open an issue on GitHub or email privacy@josephpalmer.co.uk.