Legal Document Updated Dec 29, 2025

Privacy Policy

Clear, plain-language privacy policy for a privacy-first, crypto-native platform. Know what we collect, how we secure it, and the rules that keep everyone protected.

Compliance

GDPR · CCPA aware

Security

Encryption-first design

Transparency

Plain-language terms

Support

DMCA & privacy help

Last Updated: December 29, 2025

1. Introduction

This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our encrypted paste service ("Service"). We are committed to transparency and data minimization.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address (required for paid pastes)
  • Username/display name
  • Password (hashed and salted)
  • Account creation timestamp
  • Email verification status

2.2 Paste Content

  • Public pastes: Stored in plaintext in our database
  • Unlisted pastes: Stored in plaintext but not indexed
  • Paid pastes: Encrypted using AES-256-GCM; content keys wrapped with our KEK

2.3 Paste Metadata

  • Title, category, tags
  • Visibility setting
  • Expiration mode and timestamps
  • View count
  • Pricing information (for paid pastes)

2.4 Payment Information

For cryptocurrency payments, we record:

  • Transaction hash
  • Cryptocurrency type (BTC, XMR, USDT)
  • Amount paid
  • Confirmation count
  • Payment timestamp
  • Optional buyer email/Telegram ID (for receipts)

We do NOT store:

  • Private keys or wallet credentials
  • Credit card or banking information

2.5 Technical Information

We automatically collect:

  • IP address
  • User agent and browser type
  • Request timestamps
  • Referrer URLs
  • Error logs

2.6 Notification Preferences

If you configure notifications:

  • Email preferences
  • Telegram account linkage
  • Notification history

3. How We Use Your Information

3.1 Service Delivery

  • Host and deliver paste content
  • Process cryptocurrency payments
  • Issue unlock tokens after confirmations
  • Send notifications about paste activity

3.2 Security and Abuse Prevention

  • Rate limiting and anti-spam measures
  • Detect and prevent abuse, fraud, and illegal activity
  • Enforce our Terms of Service
  • Respond to DMCA and legal requests

3.3 Service Improvement

  • Analyze usage patterns (anonymized)
  • Monitor system health and performance
  • Debug errors and optimize infrastructure

3.4 Communication

  • Send transactional emails (verification, password reset)
  • Respond to support inquiries
  • Notify about Terms or policy updates

4. Legal Basis for Processing (GDPR)

We process your data based on:

  • Contract: To provide the Service you've requested
  • Legitimate Interest: For security, abuse prevention, and service improvement
  • Consent: For optional features like notifications
  • Legal Obligation: To comply with laws and valid legal requests

5. Data Sharing and Disclosure

5.1 We Do NOT Sell Your Data

We never sell, rent, or trade your personal information.

5.2 Service Providers

We may share data with:

  • Hosting providers (for infrastructure)
  • Email service providers (for transactional emails)
  • Payment processors (cryptocurrency nodes/APIs)

All providers are contractually bound to protect your data.

5.3 Legal Requirements

We may disclose information if required by:

  • Valid subpoenas or court orders
  • Law enforcement requests with proper legal authority
  • DMCA takedown notices
  • Emergency situations involving imminent harm

5.4 Business Transfers

If we are acquired or merged, your data may transfer to the new entity, subject to this policy.

6. Data Retention

6.1 Paste Content

  • Expired pastes are permanently deleted during scheduled cleanup
  • "Never expire" pastes may be retained indefinitely but are subject to inactivity cleanup
  • Deleted account pastes are queued for deletion within 30 days

6.2 Account Data

  • Active accounts retained until deleted by user or suspended for violations
  • Deleted account data removed within 90 days

6.3 Logs and Metadata

  • Technical logs retained for 90 days
  • Payment records retained for 7 years (for dispute resolution and accounting)
  • Audit logs retained for 2 years

7. Your Rights (GDPR & CCPA)

7.1 Access

You may request a copy of your personal data.

7.2 Correction

You may update inaccurate account information.

7.3 Deletion

You may request deletion of your account and associated data, subject to legal retention requirements.

7.4 Portability

You may request your paste data in a machine-readable format.

7.5 Opt-Out

You may opt out of:

  • Non-essential notifications
  • Telegram linking
  • Future emails (except transactional)

7.6 Do Not Track

We honor Do Not Track (DNT) browser signals for analytics.

To exercise your rights, contact us at: {{ config('mail.from.address') }}

8. Cookies and Tracking

8.1 Essential Cookies

  • Session management (authentication)
  • CSRF protection
  • Captcha validation

8.2 Analytics

We use minimal, privacy-respecting analytics. We do NOT use:

  • Google Analytics
  • Facebook Pixel
  • Third-party advertising trackers

9. Security Measures

9.1 Encryption

  • HTTPS for all connections
  • Bcrypt password hashing
  • AES-256-GCM for paid paste content
  • KEK rotation with versioned wrapping

9.2 Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication available
  • Audit logging for administrative actions

9.3 Infrastructure

  • Regular security updates
  • Intrusion detection
  • Automated backups
  • Rate limiting and DDoS protection

Despite our efforts, no system is 100% secure. Use strong passwords and protect your account credentials.

10. Children's Privacy

We do not knowingly collect data from children under 13. If we discover such data, we will delete it promptly. If you believe a child has provided us information, contact us immediately.

11. International Data Transfers

Our servers may be located in jurisdictions different from yours. By using the Service, you consent to international data transfers. We use standard contractual clauses and other safeguards for GDPR compliance.

12. Third-Party Links

Our Service may link to external sites. We are not responsible for their privacy practices. Review their policies before sharing information.

13. Changes to This Policy

We may update this Privacy Policy periodically. Changes are effective upon posting. We will notify users of material changes via email or Service announcement.

Previous version date: N/A (initial version)

14. Contact Us

For privacy questions or to exercise your rights:

  • Email: {{ config('mail.from.address') }}
  • Contact form: {{ route('contact.show') }}

15. Data Protection Officer

EU users may contact our Data Protection Officer at: {{ config('mail.from.address') }}

16. Supervisory Authority

EU users have the right to lodge complaints with their local data protection authority.

Highlights

Privacy-forward defaults for paste creation and payments.

Clear rights, responsibilities, and dispute-handling paths.

Explicit data handling for encryption, billing, and abuse prevention.
