
Privacy Policy

Last updated: March 12, 2026

1. Data Controller

The data controller for the processing of personal data through SecretNotes (secretnotes.pro) is the operator of the Service. For data protection inquiries, please contact us via the Contact page or at contact@secretnotes.pro.

2. Zero-Knowledge Architecture

SecretNotes is built on a zero-knowledge architecture. This is the foundational principle of the Service and affects all aspects of data processing:

  • All encryption and decryption happens exclusively in your browser using AES-256-GCM.
  • The encryption key is embedded in the URL fragment (#) and is never transmitted to our servers. The URI specification (RFC 3986) defines the fragment as client-side only, and browsers therefore omit it from every HTTP request.
  • Our servers store only encrypted ciphertext. We have no technical capability to decrypt, read, or modify the content of any note.
  • This architecture means we cannot recover lost encryption keys or assist with content retrieval under any circumstances.

For security-conscious users: you don't have to take our word for it. Open your browser's developer tools and inspect the network traffic while creating a note — you will confirm that only encrypted ciphertext is transmitted to our servers. No plaintext or encryption keys ever leave your browser.

3. Data We Collect

3.1 Note Data (All Users)

When you create a note, the following is stored on our servers:

  • Encrypted data — the AES-256-GCM ciphertext of your note content
  • Initialization vector (IV) — random value used for encryption, required for decryption
  • Access password — a 6-character alphanumeric string used for server-side access verification; it is stored as an HMAC-SHA256 hash (see section 9)
  • Metadata — expiration timestamp, burn-after-read flag, burn delay settings, read count, creation and update timestamps

3.2 Account Data (Registered Users)

If you create an account, we additionally store:

  • Email address — for authentication and email verification
  • Password hash — your password is hashed using bcrypt (12 rounds) before storage. We never store plaintext passwords.
  • Display name — optional, provided during registration
  • Account metadata — account creation date, email verification status, user role

3.3 Google OAuth Data (If Used)

If you sign in via Google, we receive and store:

  • Google account ID (for linking your account)
  • Email address
  • Display name
  • Profile photo URL

We request only the openid email profile scopes. We do not access your Google contacts, files, calendar, or any other Google services.

3.4 Activity Logs

For security monitoring and abuse prevention, we log certain events:

  • Note lifecycle events (creation, access, destruction, lockout)
  • IP address and user agent string associated with events
  • Failed access attempt counts (for brute-force protection)

These logs do not contain any note content (which we cannot access due to encryption).

3.5 Contact Form Submissions

If you use the contact form, we process: your name, email address, selected topic, and message content. This data is sent to our support email and used solely to respond to your inquiry.

3.6 Survey Responses (Optional)

If you voluntarily participate in an in-app survey, we collect: satisfaction rating, feature feedback, pricing preferences, and an optional comment. Survey data is anonymous and used only to improve the Service.

3.7 Encrypted Messenger Data (Registered Users)

If you use the Encrypted Messenger feature, we store:

  • Encrypted message body — AES-256-GCM ciphertext of the message, encrypted in your browser using a key derived via PBKDF2-SHA256 (600,000 iterations). We cannot read or decrypt message content.
  • Initialization vector (IV) — unique random value per message, required for decryption.
  • PBKDF2 salt — random value used during key derivation, stored per conversation.
  • Conversation metadata — participant IDs, creation timestamp, group/direct flag, member roles.
  • Read receipts — which users have read a message, and when.
  • Push notification subscriptions — Web Push endpoints for real-time notifications (no message content is included in push payloads).

The encryption key for conversations is never transmitted to or stored on our servers. It exists only on the devices of conversation participants.

4. Data We Never Collect or Store

  • Encryption keys (exist only in URL fragments, never sent to server)
  • Plaintext note content
  • Advertising or tracking cookies
  • Browser fingerprints
  • Data from third-party data brokers

5. Legal Basis for Processing (GDPR Art. 6)

We process personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)) — processing necessary to provide the Service (account management, note storage, email verification)
  • Legitimate interest (Art. 6(1)(f)) — security monitoring, abuse prevention, rate limiting, brute-force protection
  • Consent (Art. 6(1)(a)) — optional survey participation, contact form submissions

6. Cookies

We use only strictly necessary cookies:

  • Session cookie (session) — contains a JWT used for authentication. HttpOnly, SameSite=Lax, 7-day expiry. Secure flag enabled in production. Set only when you log in.
  • OAuth state cookie (oauth_state) — temporary CSRF protection during Google OAuth flow. HttpOnly, SameSite=Lax, 10-minute expiry. Automatically deleted after authentication completes.
  • Locale cookie — stores your language preference.

Since we use only essential cookies required for the Service to function, no cookie consent banner is needed under GDPR (Recital 30, ePrivacy Directive Art. 5(3)).

7. Third-Party Services

We use a minimal number of third-party services:

  • Google OAuth — optional sign-in method. Subject to Google's Privacy Policy. We only receive basic profile data (email, name, photo).
  • SMTP email provider — used for sending verification codes and contact form submissions. Email content is limited to verification codes and support messages.

We do not share, sell, or transfer your personal data to any other third parties for marketing, advertising, or any purpose unrelated to the operation of the Service.

8. Data Retention

  • Encrypted notes — automatically deleted after the configured expiration period (from 5 minutes to 6 months). Burn-after-read notes are destroyed immediately upon first access.
  • Burned notes — all encrypted content and IV are irrecoverably cleared. Only a burned flag and timestamp remain for audit purposes.
  • User accounts — retained until you request deletion or use the Emergency Wipe feature.
  • Activity logs — automatically deleted after 90 days (data minimization).
  • Contact form submissions — retained only as long as necessary to resolve the inquiry.
  • Abuse reports — notes reported through the abuse process may be immediately and permanently deleted without prior notice. Associated metadata may be retained for legal compliance purposes.

9. Data Location and Security

All data is stored on servers located within the European Union, ensuring full compliance with GDPR data residency requirements. No data is transferred outside the EU/EEA.

Security measures include:

  • Client-side AES-256-GCM encryption (zero-knowledge)
  • bcrypt password hashing (12 rounds)
  • HTTPS/TLS encryption for all data in transit
  • HttpOnly, SameSite cookies for session management
  • Rate limiting and brute-force lockout protection
  • Constant-time password comparison (timing attack prevention)
  • HMAC-SHA256 hashing of access passwords (defense-in-depth)
  • PBKDF2-SHA256 key derivation for messenger encryption (600,000 iterations)
  • CSRF protection via Origin header validation

10. Your Rights Under GDPR

As a user in the European Economic Area, you have the following rights:

  • Right of access (Art. 15) — you can view your account data through the dashboard and download your encrypted notes.
  • Right to rectification (Art. 16) — you can update your account information through your profile settings.
  • Right to erasure (Art. 17) — you can use the Emergency Wipe feature to immediately and irreversibly destroy all your notes and Secure Requests. You can delete your account (including all conversation data, messages, and push subscriptions) via account settings. Full account deletion removes all personal data from our systems.
  • Right to data portability (Art. 20) — you can download your encrypted notes through the Service.
  • Right to restriction of processing (Art. 18) — contact us to request processing restrictions.
  • Right to object (Art. 21) — you may object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw it at any time.

Please note that due to our zero-knowledge architecture, we cannot provide access to note content — only you hold the encryption key. The right to erasure applies to encrypted data and account information, not to plaintext content we have never possessed.

To exercise your rights, contact us via the Contact page. You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence.

11. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Material changes will be communicated through the Service. Continued use of the Service after changes constitutes acceptance of the revised policy.

13. Contact

For privacy-related inquiries, data protection requests, or to exercise your GDPR rights, please visit our Contact page or email us at contact@secretnotes.pro.