Secrets

Privacy Policy

Last updated: January 4, 2026

Summary

We do not collect, store, or process personal data. We do not use cookies, analytics, or tracking tools. Your secrets are encrypted client-side and we never have access to the plaintext.

What We Collect

We temporarily store:

  • Encrypted ciphertext: Your secret, encrypted in your browser using AES-256-GCM. We cannot decrypt this data.
  • Expiration timestamp: When the secret should be automatically deleted.
  • Token (identifier): A random UUID used to retrieve the secret.

We explicitly do NOT collect:

  • IP addresses
  • User agents
  • Cookies
  • Browser fingerprints
  • Analytics or behavioral data
  • Encryption keys (these remain in your browser)

How We Use Data

The encrypted ciphertext is stored temporarily to enable one-time retrieval. After retrieval or expiration, the data is permanently deleted. We do not use this data for any other purpose.

Data Retention

  • Secrets are deleted immediately after being viewed (one-time access).
  • Unviewed secrets are deleted when the TTL expires (1 hour, 1 day, or 1 week).
  • We do not keep backups of deleted secrets.

Third-Party Services

We use Cloudflare for DDoS protection and TLS termination. Cloudflare may log metadata (e.g., IP addresses) for security purposes, but this is handled under their privacy policy. The encryption key (URL fragment) is never sent to Cloudflare or our servers.

We do not use:

  • Google Analytics or any analytics platform
  • Advertising networks
  • Social media tracking pixels
  • Third-party cookies

Cookies

We do not use cookies. No cookie banner is required.

GDPR Compliance

This service is GDPR compliant. Since we do not collect personal data, rights such as access, rectification, and erasure do not apply. The encrypted ciphertext we store cannot be linked to any individual and is deleted within the chosen TTL.

Your Rights

You have the right to:

  • Not be tracked: We do not track you.
  • Data deletion: Secrets are automatically deleted after one view or TTL expiration.
  • Transparency: This policy explains exactly what we store (encrypted data only).

Security

All data is transmitted over HTTPS (TLS 1.3). Secrets are encrypted client-side using AES-256-GCM. Our server never has access to plaintext data or encryption keys. For more details, see our Security page.

Children's Privacy

This service does not target children under 16. We do not knowingly collect any data from children.

Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. The "Last updated" date at the top indicates the most recent revision.

Contact

For privacy questions, contact: [email protected]