Last updated: January 1, 2025
When you create a secret: your IP address (stored as a binary hash, never as plain text) and the encrypted content. When you view a secret: your IP address, result of the access attempt, and user-agent string — retained for 90 days then deleted. If you create an account: your email address, username, and hashed password.
We do not use cookies for tracking, analytics, or advertising. We do not sell your data. We do not share your data with third parties except as required by law. We do not log request bodies or secret content in plaintext.
All secret content is encrypted with AES-256 before storage. The encryption key is not stored in the database. However, encryption is performed server-side, meaning the server processes plaintext transiently. We do not implement client-side (end-to-end) encryption at this time.
Secrets are deleted automatically based on their configured mode (once viewed, after 7 days, or when deleted by the owner). Account data is deleted within 30 days of account deletion request. Access logs are deleted after 90 days.
For privacy requests, contact: [email protected]