mysecret.now

Send secrets securely

Privacy

mysecret.now is built privacy-first. The application does not require an account and does not collect personal data.

What we store

  • Encrypted ciphertext (AES-GCM) and a random IV.
  • A non-secret Argon2id salt (needed to re-derive the key from the passphrase; not sensitive).
  • An expiry timestamp and a creation timestamp.
  • A ULID as a payload identifier.

That's it. We do not store the decryption passphrase, the plaintext, your email, your IP (beyond transient server logs controlled by your hosting provider), or any metadata tying a secret to an identity.

How long data lives

Records are deleted the first time they are read, or at the latest 15 minutes after their expiry. There is no soft-delete, no backup, no “archive” - the row is hard-deleted from the table.

Cookies & tracking

mysecret.now does not set cookies and does not load third-party scripts. There is no analytics SDK, no advertising pixel, no fingerprinting library. The Referrer-Policy is set to no-referrer so outbound links do not leak your URL.

Server logs

The API logs operational events (startup, cleanup counts, errors) without request bodies. If you self-host, logs are entirely under your control. If you use the hosted version operated by WebF1, standard infrastructure logs may temporarily contain IP addresses for abuse mitigation; they are not associated with secret contents.

Your responsibilities

Use two-channel delivery. Don't paste secrets into the URL bar. Don't forward the decrypted plaintext to anyone you don't trust. Verify you are on the correct domain before entering a passphrase.