Privacy Policy
How SecretPNG handles (and mostly avoids handling) your data: what stays in your browser, the one hosted exception, and your rights.
Effective 2026-07-14 · Last updated 2026-07-14
Who we are and what this policy covers
SecretPNG (secretpng.com) is a free, browser-based toolkit for file privacy and security, currently in beta. It is operated by SecretPNG (legal entity to be confirmed before launch). This policy explains what personal data we collect, what we deliberately do not collect, how long we keep what little we do hold, and what rights you have.
This policy is written to describe our actual architecture rather than generic industry practice. The short version: almost everything you do with SecretPNG happens inside your own browser, and the files, passwords, and secrets you work with are never sent to us. Where we do hold data — hosted secret-link ciphertext, contact form messages, feedback, and limited operational records — this policy states exactly what it is and for how long we keep it.
For questions about this policy or your data, contact support@secretpng.com. Until the operating legal entity is confirmed, that address is the contact point for the data controller of any personal data described here.
The local-first model: what never reaches us
SecretPNG's core tools run entirely in your browser using code delivered to your device. This includes file encryption and decryption, encrypted vaults, ZIP creation and extraction, metadata removal, document redaction, file scanning, password and passphrase generators, hashing, QR code generation, recovery sheets, and local private notes.
When you use these tools, your files, passwords, encryption keys, and generated secrets are processed on your device and are never transmitted to or stored by SecretPNG. There is no upload step. We cannot see, copy, scan, recover, or hand over this material because it never exists on our systems.
There are no user accounts at launch. We do not require registration, and we do not build profiles of the people who use the tools.
- Files you encrypt, decrypt, compress, redact, scan, or otherwise process: stay on your device.
- Passwords and passphrases you enter or generate: stay on your device.
- Encryption keys and generated secrets: stay on your device.
- Local private notes: stored only in your own browser storage, never on our servers.
The one exception: secure secret links
One feature involves our servers by design: secure secret links, which let you share a secret through a link that can expire or self-destruct. Before anything leaves your browser, the secret is encrypted on your device. The decryption key is placed in the URL fragment (the part after the '#'), which browsers do not send to servers — so the key never reaches us.
Our server infrastructure (Cloudflare Workers with a D1 database) stores only: the encrypted ciphertext, a random identifier, the ciphertext size, the expiration time, view limits and view counters, and a hashed management token that lets the creator delete the link early. We store no plaintext, no decryption keys, and no account or identity information tied to the secret.
Because of this design, SecretPNG cannot read the secrets shared through secret links. If we are compelled to produce data about a secret link, the most we can produce is unreadable ciphertext and the metadata listed above.
We may delete hosted ciphertext when abuse indicators are present or when a valid legal requirement obliges us to, even though the content is unreadable to us. See the Acceptable Use Policy for what counts as abuse.
Contact form and tool feedback
If you use our contact form, you send us your name, email address, a subject, and a message. That submission is delivered via the Resend email service to SecretPNG's support inbox. We use it only to respond to you and to keep a record of the conversation. Contact form submissions are retained for up to 12 months, after which they are deleted unless an ongoing matter (such as an unresolved support issue or a legal obligation) requires keeping a specific thread longer.
If you submit feedback about a tool, we keep it so we can fix problems and improve the product. Feedback is retained for up to 24 months. Please do not include passwords, secrets, or sensitive personal information in feedback — we do not need it and would rather not hold it.
Rate limiting and abuse prevention
To keep the secret-link service available and to limit automated abuse, we maintain short-lived rate-limit counters. These counters are keyed to salted hashes of network identifiers — not raw IP addresses — and are retained for up to 24 hours before they expire.
We designed this deliberately: hashing with a salt means the counters cannot be casually reversed into a list of visitor IP addresses, and the 24-hour lifetime means they are not a long-term record of who used the service.
Server and infrastructure logs
Our hosted endpoints run on Cloudflare. Cloudflare generates standard server logs as part of operating the platform; those logs are retained per Cloudflare's provider defaults (approximately 7 days). Request bodies — which is where secret ciphertext travels — are never logged.
We do not build our own long-term access logs, visitor databases, or behavioral records on top of the platform logs.
Advertising and analytics on public pages
Our public informational pages (guides, landing pages, and similar content outside the secure workspace) may show Google AdSense advertisements and may use Google Analytics 4 and/or Cloudflare Web Analytics to understand aggregate traffic. Google's tools are loaded only after you consent where consent is required, controlled by the consent banner shown on those pages. Where Google offers non-personalized ad options, we use them.
The secure workspace — every page under /app/* where the actual tools run — never contains ads, analytics, third-party scripts, or marketing pixels. This is a deliberate design commitment, not an oversight: the place where you handle files and secrets is kept free of any third-party code.
See the Cookie Policy and the Advertising & Analytics Disclosure for the full details, including how to change your consent choices.
Cookies and browser storage
We set a first-party cookie or localStorage entry to remember your consent preferences. Google cookies are set only after you consent, and only on public pages. The tools themselves may use your browser's local storage (for example, for local private notes); that data lives on your device and is never transmitted to us.
The Cookie Policy describes each of these in detail and explains how to withdraw consent or clear stored data.
How long we keep data
The Data Retention Policy is the authoritative schedule. In summary:
- One-time secret ciphertext: until first retrieval, burn, or expiry — whichever comes first.
- Expiring secrets: for the lifetime you choose, from 10 minutes up to a maximum of 7 days.
- Contact form submissions: up to 12 months.
- Tool feedback: up to 24 months.
- Rate-limit counters (salted hashes of network identifiers): up to 24 hours.
- Cloudflare server logs: provider default, approximately 7 days; request bodies never logged.
- Local private notes and all local tool data: only in your own browser storage; we never hold them.
International visitors and GDPR-style rights
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar data protection law, you have rights over the personal data we hold about you: the right to access it, to have it rectified, to have it erased, to receive it in a portable format, and to object to or restrict certain processing.
In practice, the personal data we could hold about you is limited to contact form submissions, feedback you sent, and short-lived operational records. We cannot exercise these rights over your files, passwords, or secrets, because we never receive them — there is nothing on our side to access, correct, or delete. For hosted secret links, we can delete the ciphertext (the creator can also do this at any time with the management link), but we cannot read or export its contents for anyone.
To exercise any of these rights, email support@secretpng.com. We will respond within the timelines required by applicable law. If you believe we have not handled your request properly, you may lodge a complaint with your local supervisory authority.
California residents
If you are a California resident, you have rights under the California Consumer Privacy Act (as amended), including the right to know what personal information we collect, the right to request deletion, the right to correct inaccurate information, and the right to non-discrimination for exercising those rights.
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising beyond what you consent to via the consent banner on public pages. The categories of personal information we collect are limited to: identifiers and message content you voluntarily submit through the contact form or feedback, and short-lived, salted-hash operational records described above.
To exercise your California rights, email support@secretpng.com. We will verify requests using the email address associated with the data in question, since we hold no accounts or other identifiers.
Children
SecretPNG is not directed at children under 13, or under 16 where local law sets a higher threshold. We do not knowingly collect personal data from children. Because the service has no accounts and the tools run locally, we generally collect no personal data from anyone; but if you believe a child has submitted personal information through our contact form or feedback, email support@secretpng.com and we will delete it.
Legal requests: what we can and cannot produce
We review legal demands for user data and respond only to valid, binding requests, narrowing them where we can. It is important to be honest about what a response can contain.
We cannot produce: plaintext secrets shared via secret links (we hold only ciphertext and never the keys), files processed with the local tools, passwords, encryption keys, local private notes, or the identity of a secret link's creator or recipients (we do not record it).
We can produce, where it still exists: secret-link ciphertext and its stored metadata (random ID, size, expiration, view counters, hashed management token), contact form submissions and feedback within their retention windows, and whatever remains in short-lived operational records. Where the law allows, we will notify affected users before disclosure — though for secret links we usually have no way to identify or reach the user at all.
Data security
SecretPNG is in beta and has not yet been independently audited. Our encryption formats are open and documented so they can be inspected by anyone. Hosted data is limited to ciphertext and minimal metadata, which bounds the impact of any server-side incident: an attacker who obtained the entire secret-link database would hold encrypted blobs without keys.
You are responsible for the passwords and keys you create. SecretPNG cannot recover encrypted data if you lose a password — this is a direct consequence of the design, not a support limitation.
Changes to this policy
We may update this policy as the service evolves — for example, when the operating legal entity is confirmed, if we add features that change what data we handle, or to reflect changes in law. When we make material changes, we will update the effective date at the top of this page and post a notice on the site before the changes take effect. We will not weaken the core commitments of the local-first model (no transmission of files, passwords, keys, or generated secrets from the core tools) without clear, prominent advance notice.
Continued use of the service after a change takes effect means the updated policy applies. If you disagree with a change, stop using the service and, if applicable, delete any hosted secret links via their management links.
Contact and draft status
Questions, requests, and complaints about privacy can be sent to support@secretpng.com. Security issues should go to security@secretpng.com (see the Responsible Disclosure Policy).
This document is a draft prepared for launch and requires review by qualified legal counsel before public launch.