FAQ
Everything you need to know about security, privacy, and how we handle your data.
Security
Can you read my secrets?
No. Your secret is encrypted in your browser before it leaves your device. We only ever receive and store an encrypted blob - the decryption key is embedded in the link you share and never reaches our servers. Even if we wanted to read your secret, we could not.
How is this different from sending a password by email?
When you send something sensitive by email or chat, copies linger in sent folders, inboxes, and on servers in between - potentially forever. Disposable Secret is ephemeral by design. Your information exists only until it is viewed once, or for 24 hours if it is never opened, then it is permanently and irreversibly destroyed.
What does zero-knowledge mean?
It means we have zero knowledge of what you are sharing. The encryption happens entirely
in your browser. The key used to encrypt your secret is placed in the URL fragment - the
part after the # symbol - which browsers never send to servers. So we store
only encrypted data we cannot read, and the key never comes to us at all.
You can read the full technical explanation on our Security page.
What does the passphrase option add?
A passphrase adds a second layer. Instead of a random key, your browser derives the encryption key from the passphrase you choose, so the recipient must know it before their browser can decrypt anything. We never see the passphrase - if you forget it, the secret is gone. We would recommend sending the link one way and the passphrase another, by text message or phone for example.
Privacy
Do you store my IP address?
No. When a secret is viewed, we perform a quick local lookup to estimate the viewer's approximate city and country for the notification feature, then discard the IP address immediately. We never log or store it.
Is my email address safe if I use notifications?
If you opt in to view notifications, your email address is encrypted before being stored. It is permanently deleted once the notification is sent, or when the secret expires - whichever comes first. We do not build mailing lists or use it for anything else.
Do you use cookies or tracking?
We use a single session cookie to keep the site secure - for example, to protect forms against tampering. We do not use tracking cookies, advertising pixels, or third-party analytics of any kind.
Using the service
What happens when a secret is viewed?
The encrypted data is permanently deleted from our database the moment the link is opened. The link becomes invalid immediately. We do not keep backups of deleted secrets and there is no way to recover a viewed secret.
What happens if nobody views the link?
The secret automatically expires and deletes itself after 24 hours. Nothing lingers.
Can I delete a secret before it is viewed?
Yes. If you have an account, you can delete any of your active secrets from your account page at any time. When you create a secret you are also shown a delete option on the confirmation page before you leave.
What if I forget my passphrase?
The secret is lost. Because we do not store your passphrase and cannot derive it from what we hold, there is no way to recover it. This is a deliberate security feature - the same property that stops us from reading your secret also stops us from helping you recover it.
Have a question not answered here? Get in touch at [email protected].