WeTheNorth's message system is encrypted by the storefront. But every message is decryptable by the storefront itself, which means it is decryptable by anyone who compromises the storefront database.

What layering PGP on top adds

If you encrypt your shipping address to the vendor's PGP key before pasting it into the message system, the storefront sees only ciphertext for the address field. A seized database returns nothing useful.

What to encrypt

Name. Address. Phone number. Tracking number if you exchange one. Any identifier that could link the order back to your real identity.

What you do not need to encrypt

Order coordination questions. Dispute discussion. Generic messages. The storefront-side encryption is fine for anything that does not include an identifier.

How

Import the vendor PGP key. Encrypt with gpg --encrypt --armor -r vendor-key-id. Paste the ciphertext block into the storefront message. Vendor decrypts with their private key.

Two minutes per order

Costs you two minutes. Closes a permanent risk.