Frequently Asked Questions
Security & Privacy
Your notes are encrypted using AES-256-GCM encryption directly in your browser before being sent to our servers. The encryption key never leaves your device and is only stored in the URL fragment (the part after #), which is never transmitted to the server.
Zero-knowledge encryption means that we cannot read your notes, even if we wanted to. The encryption and decryption happen entirely in your browser using the Web Crypto API. We only store encrypted data that is mathematically impossible to decrypt without the key.
No. We do not use cookies, sessions, or any tracking mechanisms. The only data stored locally is your theme preference (dark/light mode) in your browser's LocalStorage. We never store encryption keys or any personal information.
No. Once a note self-destructs (either by reaching its view limit or expiration time), it is permanently deleted from our database. We cannot recover it because: (1) we never had the encryption key, and (2) the encrypted data is completely removed.
Unfortunately, the note cannot be recovered. The encryption key is embedded in the URL fragment (after the # symbol). Without this key, the encrypted content cannot be decrypted by anyone, including us.
Features & Usage
Notes are limited to 50,000 characters. This ensures fast encryption/decryption and reliable delivery across all devices.
Yes! You can attach a single file (up to 250MB) to each note. The file is also encrypted client-side using the same AES-256-GCM encryption as the note content.
You can set how many times a note can be viewed (1-5 times). Each time someone opens the note URL, the view counter increases. When the limit is reached, the note is automatically deleted. If a file is attached, the note content is deleted after the last view, but the file remains available for download one time.
You can set notes to expire after:
- 12 hours
- 1 day
- 3 days
- 7 days
After this time, the note is automatically deleted, regardless of how many times it has been viewed.
Yes! You can optionally add a password to your note. The recipient must enter the correct password to decrypt the content. The password is used to derive an additional encryption key, providing an extra layer of security.
You can choose whether to restore the original filename when downloading. By default, files are downloaded with an encrypted name. If you check "Restore original filename when downloading", the file will be saved with its original name and extension.
Technical Details
We use AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode). This is a modern, authenticated encryption algorithm that provides both confidentiality and integrity. The encryption is performed using the browser's native Web Crypto API.
The encryption key is generated using a cryptographically secure random number generator (crypto.getRandomValues). The key is 256 bits long and is only stored in the URL fragment, never transmitted to the server.
When you set a password, we use PBKDF2 (Password-Based Key Derivation Function 2) with 100,000 iterations to derive a cryptographic key from your password. This key is combined with the main encryption key to provide an additional layer of security.
No. For rate limiting purposes, we create a cryptographic hash (HMAC-SHA256) of your IP address using a secret key. This hash cannot be reversed to reveal your actual IP address. The hash is used only to prevent abuse and is automatically deleted after 60 minutes.
Our application works in all modern browsers that support the Web Crypto API, including:
- Chrome/Edge 60+
- Firefox 57+
- Safari 11+
- Opera 47+
Rate Limiting
Yes. To prevent abuse, we limit note creation to 60 notes per 60 minutes per IP address. This limit resets automatically after the time window.
If you exceed the rate limit, you'll receive an error message indicating when you can create notes again. The rate limit is based on a cryptographic hash of your IP address (not the actual IP), so it's privacy-preserving.
Best Practices
Use a secure communication channel to share the note URL. While the note itself is encrypted, anyone with the URL can access it (unless password-protected). Consider using:
- Encrypted messaging apps (Signal, WhatsApp, etc.)
- Email with additional authentication
- In-person communication
Avoid sharing sensitive note URLs on public forums or social media.
For highly sensitive information, yes. A password adds an extra layer of security. Even if someone intercepts the URL, they cannot decrypt the note without the password.
For one-time sensitive information (like passwords or API keys), use 1 view. For information that may need to be referenced multiple times, choose a higher limit. Remember: lower view limits provide better security.
Our AES-GCM encryption includes authentication, which means any tampering with the encrypted data will be detected during decryption. If someone modifies the encrypted note, the decryption will fail completely.
Troubleshooting
This can happen if:
- The URL was modified or truncated (the part after # is missing)
- The wrong password was entered
- The encrypted data was corrupted
Make sure you're using the complete URL exactly as it was shared, including the # symbol and everything after it.
This means the note has either:
- Reached its view limit
- Exceeded its lifetime
- Never existed (wrong URL)
Deleted notes cannot be recovered.
Make sure:
- You haven't exceeded the note's view limit
- The file hasn't already been downloaded (files can only be downloaded once after the last view)
- Your browser allows downloads from this site