Privacy Policy
In accordance with GDPR / Art. 13 GDPR
1. Data Controller
The data controller within the meaning of the GDPR:
[NAME]
[STREET AND NUMBER]
[POSTCODE CITY]
Email: [EMAIL]
2. What Data We Process
| Data | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email address | Account authentication | Art. 6(1)(b) GDPR — contract performance | Until account deletion |
| Password hash (bcrypt) | Authentication | Art. 6(1)(b) GDPR | Until account deletion |
| Encrypted secret (ciphertext) | One-time password transfer | Art. 6(1)(b) GDPR | Irrevocably deleted after first retrieval; unread shares after the configured expiry period (default: 30 days) |
| Share description | Identification for sender | Art. 6(1)(b) GDPR | Until manual deletion or expiry (default: 30 days) |
| Timestamps (created, viewed) | Audit trail for sender | Art. 6(1)(f) GDPR — legitimate interest | Until share deletion |
| IP address (nginx logs) | Operational security, abuse prevention | Art. 6(1)(f) GDPR | 7 days (standard nginx log rotation) |
| IP address (rate-limit counter) | Preventing abuse of the anonymous share endpoint (max. 50 requests/hour) | Art. 6(1)(f) GDPR — legitimate interest | Automatically deleted after 1 hour (stored in Redis, not logged) |
Note on the encryption key: The decryption key is contained exclusively in the share URL as a URL fragment (#key).
URL fragments are never transmitted by the browser to the server and do not appear in server logs.
We have no access to the plaintext of stored secrets.
Anonymous shares: Secrets created via the anonymous mode are not linked to any user account. No email address or account data is stored. Only the encrypted ciphertext and a rate-limit counter (IP address, max. 1 hour) are temporarily held.
3. Disclosure to Third Parties
We do not share personal data with third parties unless required to do so by law. No external services (CDN for user data, analytics, tracking) are used. Tailwind CSS is compiled locally at build time — no external CSS CDN requests are made.
4. Your Rights (Art. 15–22 GDPR)
- Access (Art. 15): You may request information about the data stored about you.
- Rectification (Art. 16): You may request correction of inaccurate data.
- Erasure (Art. 17): You may request deletion of your account and all associated data.
- Restriction (Art. 18): You may request restriction of processing.
- Data portability (Art. 20): You may request your data in machine-readable format.
- Objection (Art. 21): You may object to processing based on legitimate interests.
To exercise your rights, contact: [EMAIL]
5. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The competent authority depends on your place of residence or the controller's location. For Germany, a list of authorities is available at bfdi.bund.de.
6. Cookies and Local Storage
This application does not use tracking cookies. For authentication, a JWT (JSON Web Token)
is stored in the browser's localStorage. It contains no personal data beyond
the internal user ID and is deleted on sign-out.
7. Last Updated
April 2026. We reserve the right to update this privacy policy when the service changes.