Privacy Policy
What I know, what I don't, and what happens to both.
The short version
You paste a secret. Your browser encrypts it before it goes anywhere. The encrypted result stays here until it's opened or expires, then gets deleted. I never have the key, so I can't read what you sent.
That's most of what happens here. The rest of this page covers the edges.
What gets collected
Your secret (encrypted)
Your browser encrypts it before sending. The ciphertext is stored temporarily. When the
view limit or expiry is reached, it gets deleted.
Server logs
IP addresses, browser type, timestamps, pages requested. These exist for security and
debugging, and they rotate.
There are no accounts here and no email collection. You don't provide personal information to use this site.
What I can't see
The plaintext of your secret. The decryption key is in the URL fragment, and browsers don't send fragments to servers. This isn't a policy decision — it's how the system is built.
Third parties
Cloudflare handles CDN and storage infrastructure. Requests pass through Cloudflare's systems, which means IP addresses and request metadata are processed there. Cloudflare's own privacy policy governs their handling of that data.
I don't sell data or share it with advertisers.
Where data goes
Cloudflare operates globally, so encrypted data and request metadata may be processed outside your country. Standard contractual clauses cover international transfers where required.
Your rights
Under GDPR, CCPA, and similar laws, you can ask what data I hold about you and request deletion or a copy. In practice, there are no accounts here — the only data tied to you is IP addresses in rotating server logs.
Contact: privacy@secret.broker
Security
Secrets are encrypted in your browser with XChaCha20-Poly1305 before reaching the server. Traffic is encrypted with TLS. Stored data is encrypted at rest.
Changes
This policy may change. Updates will be posted here.