Legal

Privacy Policy

Last updated: July 13, 2026

Short version:

We can’t read the secrets you seal. The AES key never leaves your browser. We collect the minimum metadata needed to make the service work: an id, a timestamp, an optional label. If you create an account, we also store your email.

What we collect

  • Ciphertext — the encrypted secret. We can’t decrypt it (see /source).
  • Metadata about each secret — random id, creation time, optional label, view count, expiry, whether a password is set (hashed).
  • Account data — email address if you sign up.
  • Notification targets — an email or webhook URL you provide to get pinged when a secret is viewed.
  • Access logs — request timestamps, IP address (used for rate limiting), and country code. We do not log which secret was viewed by which IP, only aggregates.
  • Canary trigger events — if you plant a canary and someone opens it, we record a hash of their IP (salted daily), country code, and user agent, retained for 90 days.

What we do NOT collect

  • Your secret’s plaintext content, ever
  • Your decryption key (it lives in the URL fragment, browsers never send it)
  • Third-party trackers, Meta Pixel, TikTok Pixel, or similar
  • Cross-site tracking cookies
  • Fingerprinting via canvas/audio/font enumeration

Who we share it with

The bare minimum vendors needed to run the product:

  • Supabase — Postgres database + auth (US-East region)
  • Vercel — hosting
  • Cloudflare — DNS
  • Resend — email delivery for view receipts + canary alerts
  • Stripe — payment processing for Pro/Business plans

We do not sell data to advertisers, share it with data brokers, or use it to train AI models. Full stop.

How long we keep it

  • Sealed secrets: until they burn (viewed) or expire (max 30 days)
  • Secret metadata (dashboard history): until you delete your account
  • Canary triggers: 90 days
  • Access logs: 30 days at Vercel + Supabase, aggregated after
  • Account data: until you delete it (contact hello@usesealed.com)
  • Payment records: 7 years (US tax requirement)

Your rights

Under GDPR (if you’re in the EU), CCPA (California), and equivalent regimes, you have the right to:

  • Request a copy of the data we hold about you
  • Ask us to correct or delete it
  • Object to processing or withdraw consent
  • File a complaint with your local data-protection authority

To exercise any of these: email hello@usesealed.com and we’ll respond within 30 days.

Cookies

We use a small number of first-party cookies:

  • sb-…-auth-token — Supabase auth session
  • sealed-locale — remembers whether you picked EN or ES

No third-party or tracking cookies.

Children

Sealed is not intended for users under 13. We don’t knowingly collect data from children.

Changes

We may update this policy; the “Last updated” date at the top will change. Material changes get an email notice to account holders.

Contact

Data protection questions: hello@usesealed.com

Security disclosures: security@usesealed.com