Ephemeral

Privacy Policy

Last updated: February 18, 2026

Overview

Ephemeral is designed with privacy as a core principle. We believe in collecting the absolute minimum amount of data necessary to provide our service. This privacy policy explains what information we collect, why we collect it, and how we protect it.

Privacy by Design

We don't have accounts, we don't track users, and we don't store secrets longer than necessary. Your secrets are encrypted and automatically deleted after being viewed or when they expire.

Data We Collect

Information You Provide

  • Secret Content: The text you submit to create a secret. This is encrypted immediately upon receipt and cannot be read by us.
  • Optional Password: If you choose to protect your secret with a password, we store a secure hash of that password (never the password itself).
  • TTL Selection: Your chosen expiration time for the secret.

Automatically Collected Information

  • IP Address (Hashed): We collect a SHA-256 hash of your IP address for rate limiting and abuse prevention. We do not store your actual IP address.
  • Timestamps: When secrets are created and accessed.
  • User Agent (Hashed): A hash of your browser's user agent string for security monitoring.

What We Do NOT Collect

  • Email addresses
  • Names or personal identifiers
  • Location data (beyond IP-based country for compliance)
  • Tracking cookies or analytics
  • Decrypted secret contents

How We Use Your Data

Data Purpose Legal Basis (GDPR)
Encrypted secrets Provide the core service Contract performance
Hashed IP address Rate limiting, abuse prevention Legitimate interest
Timestamps Enforce TTL, security auditing Legitimate interest
Password hash Verify access to protected secrets Contract performance

Data Retention

We follow a strict data minimization approach:

Secrets

Deleted immediately after being viewed, or automatically when TTL expires (maximum 30 days).

Encryption Keys

Deleted together with their associated secrets. Never stored permanently.

Audit Logs

Retained for 30 days for security purposes, then automatically purged.

Data Security

We implement industry-standard security measures to protect your data:

  • Encryption at Rest: All secrets are encrypted using authenticated encryption (AES-256-GCM or XSalsa20-Poly1305).
  • Encryption in Transit: All connections use TLS 1.3 with HTTPS.
  • Key Separation: Encryption keys and encrypted content are stored in separate systems.
  • Zero-Knowledge Architecture: We cannot decrypt your secrets even if compelled to.
  • Automatic Deletion: Secrets self-destruct after viewing or expiration.

For more details, see our Security Policy.

Your Rights

Depending on your location, you may have the following rights regarding your data:

  • Right to Access: Request information about data we hold about you.
  • Right to Deletion: Request deletion of your data (secrets auto-delete by design).
  • Right to Rectification: Correct inaccurate data (not applicable as we don't store personal data).
  • Right to Portability: Receive your data in a portable format.
  • Right to Object: Object to processing based on legitimate interest.
  • Right to Withdraw Consent: Where processing is based on consent.

To exercise any of these rights, please contact us.

GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland:

  • We process your data under Article 6(1)(b) (contract performance) and Article 6(1)(f) (legitimate interests).
  • You have rights under Articles 15-22 of the GDPR as described above.
  • You may lodge a complaint with your local Data Protection Authority.
  • We do not transfer your data outside the EEA without appropriate safeguards.
Data Protection Officer

For GDPR-related inquiries, contact our DPO at: privacy@ephemeral.example.com

CCPA Notice (California Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: What personal information we collect and how it's used.
  • Right to Delete: Request deletion of your personal information.
  • Right to Opt-Out: Opt out of the sale of personal information.
  • Right to Non-Discrimination: We won't discriminate against you for exercising your rights.
We Do Not Sell Your Data

Ephemeral does not sell, rent, or share your personal information with third parties for their marketing purposes.

Cookies

We use only essential cookies required for the service to function:

Cookie Purpose Duration
PHPSESSID Session management, CSRF protection Session (deleted when browser closes)

We do not use:

  • Analytics cookies (Google Analytics, etc.)
  • Advertising or tracking cookies
  • Third-party cookies

Third Parties

We use the following third-party services:

Service Purpose Data Shared
Infrastructure Provider Server hosting Server logs (IP hashes, timestamps)
CDN (Bootstrap, Icons) Static asset delivery Standard HTTP headers

We do not share your encrypted secrets or decryption keys with any third party.

Children's Privacy

Ephemeral is not intended for use by children under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

Policy Changes

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

Contact Us

If you have any questions about this Privacy Policy, please contact us: