Skip to content

Legal

Data Retention Policy

The authoritative schedule for every category of data SecretPNG holds — and the long list of things it never holds at all.

Effective 2026-07-14Last updated 2026-07-14

Draft pending legal review

This document is a draft prepared for launch and requires review by qualified legal counsel before public launch.

Purpose

This policy is the authoritative retention schedule for SecretPNG (secretpng.com), operated by SecretPNG (legal entity to be confirmed before launch). For every category of data that can exist on our systems, it states what the data is, why it exists, and exactly how long it is kept. Where this policy and a summary elsewhere on the site differ, this policy controls.

Guiding principle: retain almost nothing

SecretPNG's architecture minimizes retention by construction rather than by promise. The core tools run in your browser, so the most sensitive material — files, passwords, keys, generated secrets — never reaches us and therefore has no retention period at all: there is nothing to retain. What remains on our side is a short list of narrow categories, each with a defined lifetime.

Data we never hold (no retention period applies)

The following never reach SecretPNG's servers in any form, so no server-side retention, deletion, or disclosure is possible for them:

  • Files processed by the local tools (encryption, vaults, ZIP, metadata removal, redaction, scanning, hashing, QR generation, recovery sheets).
  • Passwords and passphrases you enter or generate.
  • Encryption keys, including keys embedded in secret-link URL fragments.
  • Generated secrets and recovery material.
  • Plaintext of anything shared via secure secret links.
  • Local private notes, which live only in your own browser storage.

One-time secret ciphertext

For a secret link configured for a single view, the encrypted ciphertext is retained until first retrieval, manual burn by the creator, or expiry — whichever happens first. At that moment the ciphertext is deleted and cannot be restored. We hold only ciphertext throughout; the decryption key stays in the URL fragment and never reaches us.

Expiring secret ciphertext

For secret links with a time-based lifetime, the creator chooses an expiration between 10 minutes and a maximum of 7 days. The ciphertext is deleted at expiry, or earlier if the view limit is reached or the creator burns the link. Nothing extends a secret past 7 days.

Secret-link metadata

Alongside ciphertext, the server (Cloudflare Workers with a D1 database) stores a random identifier, the ciphertext size, the expiration time, view limits and counters, and a hashed management token. This metadata exists to operate the feature and is deleted together with the ciphertext when the secret is retrieved, burned, or expires.

Contact form submissions

Name, email address, subject, and message submitted through the contact form (delivered via the Resend email service to our support inbox) are retained for up to 12 months. We keep them this long so we can follow up on support conversations and recognize repeat issues. Threads tied to an unresolved matter or a legal obligation may be kept longer, limited to that specific matter.

Tool feedback

Feedback about the tools is retained for up to 24 months. Feedback often describes bugs or design problems whose fixes span long development cycles, which is why its window is longer than the contact form's. Feedback is deleted at the end of the window.

Rate-limit counters

Rate-limit counters, used to protect the hosted secret-link endpoints from abuse, are keyed to salted hashes of network identifiers — not raw IP addresses — and are retained for up to 24 hours. After that they expire automatically. They are not joined to any other dataset and are not used for analytics.

Infrastructure logs

Cloudflare, our hosting provider, retains standard server logs per its provider defaults — approximately 7 days. Request bodies are never logged, which means secret ciphertext in transit does not appear in logs. We do not extract, copy, or archive these logs into any longer-lived store of our own.

Data on your own device

Local private notes and any tool settings stored in your browser exist only on your device, under your control, for as long as your browser keeps them. We cannot see, delete, back up, or recover them. Clearing your browser's site data for secretpng.com removes them permanently.

Early deletion

Data may be deleted before its maximum retention period ends. Secret-link creators can burn their links at any time using the management link. We may delete hosted ciphertext when abuse indicators are present or a valid legal requirement obliges us to, even though the content is unreadable to us. You may also request deletion of your contact form submissions or feedback by emailing support@secretpng.com; we honor such requests unless a legal obligation requires keeping a specific record.

Legal holds

If a valid legal obligation requires preserving a specific item beyond its normal schedule, we preserve only that item, only for as long as required. A legal hold cannot conjure data we never had: no hold can produce plaintext secrets, decryption keys, or locally processed files.

Retention schedule at a glance

The complete schedule in one list:

  • One-time secret ciphertext: until first retrieval, burn, or expiry.
  • Expiring secret ciphertext: creator-chosen lifetime, 10 minutes to 7 days maximum.
  • Secret-link metadata: deleted with its ciphertext.
  • Contact form submissions: up to 12 months.
  • Tool feedback: up to 24 months.
  • Rate-limit counters (salted hashes of network identifiers): up to 24 hours.
  • Cloudflare server logs: provider default, approximately 7 days; request bodies never logged.
  • Files, passwords, keys, generated secrets, plaintext secrets, local private notes: never held by SecretPNG.

Changes and draft status

If a retention period changes, we will update this policy and its effective date before the change applies, and shorten rather than lengthen periods wherever the service allows. Questions can be sent to support@secretpng.com.

This document is a draft prepared for launch and requires review by qualified legal counsel before public launch.