Privacy Policy
Last updated: July 13, 2026
Short version:
We can’t read the secrets you seal. The AES key never leaves your browser. We collect the minimum metadata needed to make the service work: an id, a timestamp, an optional label. If you create an account, we also store your email.
What we collect
- Ciphertext — the encrypted secret. We can’t decrypt it (see /source).
- Metadata about each secret — random id, creation time, optional label, view count, expiry, whether a password is set (hashed).
- Account data — email address if you sign up.
- Notification targets — an email or webhook URL you provide to get pinged when a secret is viewed.
- Access logs — request timestamps, IP address (used for rate limiting), and country code. We do not log which secret was viewed by which IP, only aggregates.
- Canary trigger events — if you plant a canary and someone opens it, we record a hash of their IP (salted daily), country code, and user agent, retained for 90 days.
What we do NOT collect
- Your secret’s plaintext content, ever
- Your decryption key (it lives in the URL fragment, browsers never send it)
- Third-party trackers, Meta Pixel, TikTok Pixel, or similar
- Cross-site tracking cookies
- Fingerprinting via canvas/audio/font enumeration
Who we share it with
The bare minimum vendors needed to run the product:
- Supabase — Postgres database + auth (US-East region)
- Vercel — hosting
- Cloudflare — DNS
- Resend — email delivery for view receipts + canary alerts
- Stripe — payment processing for Pro/Business plans
We do not sell data to advertisers, share it with data brokers, or use it to train AI models. Full stop.
How long we keep it
- Sealed secrets: until they burn (viewed) or expire (max 30 days)
- Secret metadata (dashboard history): until you delete your account
- Canary triggers: 90 days
- Access logs: 30 days at Vercel + Supabase, aggregated after
- Account data: until you delete it (contact hello@usesealed.com)
- Payment records: 7 years (US tax requirement)
Your rights
Under GDPR (if you’re in the EU), CCPA (California), and equivalent regimes, you have the right to:
- Request a copy of the data we hold about you
- Ask us to correct or delete it
- Object to processing or withdraw consent
- File a complaint with your local data-protection authority
To exercise any of these: email hello@usesealed.com and we’ll respond within 30 days.
Cookies
We use a small number of first-party cookies:
sb-…-auth-token— Supabase auth sessionsealed-locale— remembers whether you picked EN or ES
No third-party or tracking cookies.
Children
Changes
Contact
Data protection questions: hello@usesealed.com
Security disclosures: security@usesealed.com