Privacy Policy

Effective date: 9/18/25

Summary

Flashpaper is designed for one-time secret sharing. We store ciphertext only, avoid tracking, and delete logs after a short period. We never store plaintext secrets or passphrases.

  • No plaintext secrets are stored.
  • No passphrases are stored; they are used in memory only.
  • Security logs (IP, coarse geo from IP, HMAC(User-Agent), HMAC(IP)) are retained for 30 days for abuse prevention and security audits.
  • Secret-revealing endpoints send Cache-Control: no-store, Pragma: no-cache, and Referrer-Policy: no-referrer.

Regional restrictions (GDPR and similar laws)

Flashpaper is operated from the United States. This service is not directed to, and is not intended for use by, individuals located in the European Union (EU), the European Economic Area (EEA), the United Kingdom (UK), or any other jurisdiction with comprehensive data protection laws such as the GDPR.

We do not take steps to ensure compliance with the GDPR or equivalent laws. If you are a resident of these regions, you should not use Flashpaper. By using this service, you represent that you are not located in the EU, EEA, UK, or another jurisdiction with similar regulations.

Why this restriction? Even though we do not track users, display ads, or use third-party analytics, under the GDPR an IP address is considered personal data. Meeting GDPR obligations requires administrative and legal infrastructure that we cannot reasonably provide as a small service. To protect both you and us, we therefore exclude these regions from our intended audience.

What this policy covers

This policy covers visitors and users of Flashpaper’s web app and secret-sharing endpoints, and explains how we handle encrypted secret content, limited operational metadata, and security logs.

What we do not store

  • No plaintext secrets. We never store the unencrypted text or file you upload.
  • No passphrases. If you add a passphrase, it is used to derive an encryption key in memory and is not stored.

What we collect and why

1) Secret content (encrypted)

  • Text secrets: We store ciphertext in the database (max 4 KB).
  • File secrets: We store ciphertext files on disk (max 25 MB); the database stores the path plus basic metadata (filename, size, TTL, burn flag).
  • Purpose: Deliver your one-time secret; enforce expiration and burn-after-read.

2) Security & operations logs (sensitive endpoints)

When you create or view a secret, we log:

  • IP address (raw)
  • Coarse geo region (city/state/country) derived from IP
  • HMAC(User-Agent) — keyed HMAC of the full UA string (non-reversible; used for fingerprinting without storing the raw UA)
  • HMAC(IP) — keyed HMAC of the IP address (non-reversible; used to correlate events without storing the raw IP in all places)

We keep these logs for 30 days and then delete them. They are used for abuse prevention, rate-limiting, debugging, and security investigations.
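
As an added illustration (not Flashpaper's own code), the sketch below shows how a log entry with keyed HMAC tags can be built, correlated on the tags alone, and purged after the 30-day window. HMAC-SHA256, the field names, the key, and the sample entries are assumptions made for the example.

```python
import hashlib
import hmac
from collections import Counter

RETENTION_SECONDS = 30 * 24 * 3600  # the 30-day window stated in the policy

def keyed_tag(key: bytes, field: str, value: str) -> str:
    """HMAC-SHA256 of value; the field name is mixed in for domain separation."""
    msg = field.encode() + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_entry(key, ts, event, ip, user_agent):
    # The raw IP is kept, as the policy lists; the User-Agent exists only as a tag.
    return {"ts": ts, "event": event, "ip": ip,
            "ip_tag": keyed_tag(key, "ip", ip),
            "ua_tag": keyed_tag(key, "ua", user_agent)}

def events_per_client(entries):
    """Correlate on tags alone (e.g. for rate limiting), never on raw values."""
    return Counter((e["ip_tag"], e["ua_tag"]) for e in entries)

def purge_expired(entries, now):
    """Drop every entry that has reached the retention limit."""
    return [e for e in entries if now - e["ts"] < RETENTION_SECONDS]

# Constructed sample data: documentation-range IPs and a made-up key.
KEY = b"constructed-demo-key-not-a-real-secret"
SAMPLE = [
    make_entry(KEY, 0, "create", "203.0.113.7", "ExampleBrowser/1.0"),
    make_entry(KEY, 100, "view", "203.0.113.7", "ExampleBrowser/1.0"),
    make_entry(KEY, 200, "view", "198.51.100.9", "ExampleBrowser/1.0"),
]
```

The tags are non-reversible only while the HMAC key stays secret, so the key needs the same protection as the raw values it replaces.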

How we process your data

  • Transport: All data in transit uses TLS.
  • Encryption at rest: We store ciphertext only (text in DB, files on disk).
  • Server-side encryption/decryption: Encryption and decryption occur on the server. Adding a passphrase strengthens confidentiality; the passphrase is never stored.
  • Cache controls: Secret-revealing endpoints send Cache-Control: no-store, Pragma: no-cache, and Referrer-Policy: no-referrer.
  • Burn after reading: When enabled, viewing a secret triggers an atomic claim-and-delete; ciphertext is removed from the database (text) or disk (files).
  • Expiration: Each secret has a TTL and is purged when expired; it cannot be recovered.
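
As an added illustration (not Flashpaper's own code), the sketch below shows one way to implement an atomic claim-and-delete with TTL enforcement for text secrets. SQLite, the table layout, and the function names are assumptions made for the example.

```python
import sqlite3
import time

def open_store():
    # isolation_level=None: autocommit mode, so BEGIN/COMMIT are issued explicitly.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute(
        "CREATE TABLE secrets (id TEXT PRIMARY KEY, ciphertext BLOB NOT NULL,"
        " expires_at REAL NOT NULL, burn INTEGER NOT NULL)"
    )
    return db

def put_secret(db, secret_id, ciphertext, ttl_seconds, burn=True, now=None):
    now = time.time() if now is None else now
    db.execute("INSERT INTO secrets VALUES (?, ?, ?, ?)",
               (secret_id, ciphertext, now + ttl_seconds, int(burn)))

def claim_secret(db, secret_id, now=None):
    """Return the ciphertext, or None if missing, expired, or already burned."""
    now = time.time() if now is None else now
    # BEGIN IMMEDIATE takes the write lock before the read, so two concurrent
    # viewers cannot both SELECT the row before either DELETE runs.
    db.execute("BEGIN IMMEDIATE")
    try:
        row = db.execute(
            "SELECT ciphertext, expires_at, burn FROM secrets WHERE id = ?",
            (secret_id,)).fetchone()
        if row is None:
            db.execute("COMMIT")
            return None
        ciphertext, expires_at, burn = row
        expired = expires_at <= now
        if expired or burn:
            # Expired rows are purged on access; burn rows are deleted on first read.
            db.execute("DELETE FROM secrets WHERE id = ?", (secret_id,))
        db.execute("COMMIT")
        return None if expired else ciphertext
    except Exception:
        db.execute("ROLLBACK")
        raise
```

Doing the read and the delete as two separate autocommitted statements would reopen the race in which two viewers both receive the same burn-after-read secret.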

Legal bases (where applicable)

  • Contract/performance: Provide the service you request (encrypt, store ciphertext, deliver/burn/expire secrets), including handling file uploads and passphrases (the passphrase is processed transiently in memory and not stored).
  • Legitimate interests: Operate and secure the service (logging IP, coarse geo from IP, HMAC(User-Agent), HMAC(IP)), abuse prevention, rate limiting, debugging, and security investigations. Logs are kept 30 days.
  • Consent (only if we ask): Used solely for optional features like marketing emails or non-essential analytics/cookies. We do not have such features; if we ever add one, we will ask for consent, which you can withdraw at any time.

Sharing

  • We do not sell personal information.
  • We share data only with infrastructure providers necessary to run the service (under contract), or where required by law or to protect the security of the service and users.

Your choices & rights

  • Avoid placing PII in secrets. Treat secret URLs like passwords.
  • Deletion: Secrets delete automatically on burn or expiration; we cannot recover them.
  • Logs: Security logs roll off after 30 days. You may request earlier deletion unless needed for an active security investigation or legal requirement.

Data retention

  • Secrets (ciphertext): Until burn-after-read or TTL expiry, then deleted.
  • Security logs: 30 days, then deleted.
  • Operational metadata: Only as long as necessary to operate the service and meet legal obligations.

Security model and limitations

Flashpaper is designed as a best-effort secure system for one-time secret sharing. We use the following measures:

  • Secrets are encrypted in transit (TLS) and at rest (ciphertext only).
  • Plaintext is never written to disk, even temporarily.
  • Database transactions ensure burn-after-read secrets can be read only once.
  • Secret-revealing endpoints send strict cache-control headers.

However, Flashpaper is not an end-to-end encrypted system. While we believe the design provides strong confidentiality for everyday use (and we use it ourselves), there are important limitations:

  • We cannot protect against highly resourced adversaries such as nation-state actors.
  • If an attacker gains privileged access to our servers (e.g., root), they could in theory access secrets that are not additionally protected by a passphrase.
  • Accordingly, Flashpaper should not be relied on for scenarios involving life-or-death risks or nation-state adversaries.

Children

Flashpaper is not directed to children under 13 (or the minimum age in your jurisdiction). Do not use the service if you are under the applicable age.

Changes to this policy

We may update this policy. Material changes will be posted with a new Effective date.

Contact

Questions or requests: support@sturdystatistics.com
