Privacy Policy
Last updated: May 2026
What we store
When you create a secret, we store:
- An AES-256-encrypted version of your secret content
- A random unique identifier (GUID)
- The creation timestamp and expiry time
- A boolean flag indicating whether the secret has been viewed
We do not store IP addresses, user accounts, email addresses, or any personally identifiable information alongside secrets.
Data deletion
After a secret is viewed, the encrypted content and IV are immediately overwritten with empty strings, and the record is retained only temporarily before being purged. Unviewed secrets are automatically deleted when they expire.
Cookies
We use a session cookie required for CSRF protection (anti-forgery tokens). We use Google Analytics to understand aggregate traffic; see Google’s privacy policy for how Google processes data.
Contact form
If you use the Contact page, your name, email address, and message are sent through EmailJS so we can receive your inquiry by email. EmailJS’s handling of that data is described in their policies.
Security
All traffic is served over HTTPS. Secrets are encrypted at rest with AES-256-CBC. The encryption key is stored in Azure Key Vault (production) or application configuration (local). No secret content is written to application logs.