Secrets

Frequently Asked Questions

Can you read my secrets?

No. Your secrets are encrypted in your browser before being sent to our server. We never have access to the encryption keys, which remain in the URL fragment (the part after #). Even if we wanted to, we cannot decrypt your data.

What happens after the secret is viewed?

The encrypted data is immediately and permanently deleted from our database. The link becomes invalid. There is no way to recover the secret after it has been viewed once.

Is this GDPR compliant?

Yes. We do not collect personal data. We do not use tracking cookies or analytics. The only data we temporarily store is encrypted ciphertext that we cannot decrypt, along with expiration timestamps. No IP addresses or user identifiers are logged.

How long are secrets stored?

Secrets are stored until one of two things happens: (1) they are viewed (one-time access), or (2) the TTL (time-to-live) expires. You choose the TTL when creating a secret: 1 hour, 1 day, or 1 week.

What encryption algorithm do you use?

We use AES-256-GCM, a modern authenticated encryption standard. The encryption key is 256 bits (32 bytes) of cryptographically secure random data. Each secret uses a unique 12-byte IV (initialization vector).

Can I use this for large files?

No. This service is designed for small secrets like passwords, API keys, and short messages. The maximum size is 32 KB. For larger files, consider end-to-end encrypted file sharing services.

What if I accidentally close the tab before copying the link?

Unfortunately, the link is only shown once when you create the secret. If you lose it, you'll need to create a new secret. This is a security feature: we don't store enough information to regenerate the link.

Can the recipient view the secret multiple times?

No. The secret is deleted immediately after the first view. If they need to see it again, they should copy it before closing the page.

Is the link logged anywhere?

The server never sees the encryption key (the part after # in the URL), as URL fragments are not sent in HTTP requests. We do not log access attempts, IP addresses, or user agents. Cloudflare may log metadata for DDoS protection, but this does not include the encryption key.
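
The flow described in this answer and in "What encryption algorithm do you use?", as an added example that is not the service's own code: AES-256-GCM encryption with the Web Crypto API, and the part of a link that an HTTP request actually carries. The host secrets.example, the path /s/abc123, the base64url encoding, the shape of the uploaded object and all function names are assumptions made for illustration.

```javascript
// Added example, not the service's code. Runs in a browser or in Node.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // fallback: older Node

// base64url helpers: an assumed encoding, the page does not specify one.
const b64u = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Sender: encrypt locally. Only `upload` would be sent to the server.
async function createSecret(plaintext) {
  const rawKey = wc.getRandomValues(new Uint8Array(32)); // 256-bit key
  const iv = wc.getRandomValues(new Uint8Array(12));     // fresh 12-byte IV per secret
  const key = await wc.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['encrypt']);
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext)));
  return { upload: { iv: b64u(iv), ciphertext: b64u(ct) }, fragment: b64u(rawKey) };
}

// What an HTTP client requests for a link: path and query, never the fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: key comes from the fragment, IV and ciphertext from the server.
async function openSecret(upload, fragment) {
  const key = await wc.subtle.importKey('raw', unb64u(fragment), { name: 'AES-GCM' }, false, ['decrypt']);
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: unb64u(upload.iv) }, key, unb64u(upload.ciphertext));
  return new TextDecoder().decode(pt);
}

// Constructed demo: round trip, then one flipped ciphertext bit that GCM must reject.
async function demo() {
  const { upload, fragment } = await createSecret('db-password: example-only');
  const link = `https://secrets.example/s/abc123#${fragment}`;
  const target = requestTarget(link);
  const opened = await openSecret(upload, fragment);
  const bad = unb64u(upload.ciphertext);
  bad[0] ^= 1;
  const tampered = await openSecret({ ...upload, ciphertext: b64u(bad) }, fragment)
    .then(() => 'accepted', () => 'rejected');
  return { target, keyInTarget: target.includes(fragment), opened, tampered };
}
```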

What happens if the server is hacked?

An attacker would only gain access to encrypted ciphertext. Without the encryption keys (which are never sent to or stored on the server), the data cannot be decrypted. This is the core principle of zero-knowledge architecture.

Can I trust this service?

We've designed this service with maximum transparency. The code is open source, and the encryption happens entirely in your browser using standard Web Crypto APIs. You can inspect the source code and verify that no plaintext secrets are sent to the server.

Do you use cookies or tracking?

No. We do not use cookies, analytics, or any third-party tracking scripts. There are no ads. Your privacy is fully respected.

Is this free?

Yes. This service is free to use. There are no paid tiers or hidden costs.

Can I self-host this?

Yes. The code is open source. You can deploy your own instance on your infrastructure. Check the GitHub repository for deployment instructions.

What if I share the link publicly by mistake?

The link will work for the first person who opens it. After that, the secret is deleted. If you realize you shared it with the wrong person, there's no way to revoke access if they've already viewed it. Be careful when sharing.