1. Overview

textdrop.sh is designed to collect as little information as possible. All new pastes are AES-256-GCM encrypted in your browser before they reach our servers. The decryption key is embedded in the URL fragment (the part after #), which browsers never send in HTTP requests — the server stores only ciphertext and cannot read new paste content. For password-protected pastes, the key is additionally wrapped client-side with a key derived from your password, so the URL alone is not sufficient to decrypt. Pastes from an earlier model stored the data key server-side; those pastes remain readable by the server.

2. Information We Store

Paste data

• Encrypted content — your paste, encrypted in your browser before being stored.
• Wrapped key (password-protected pastes only) — an encrypted form of the decryption key. Your password is never stored or transmitted. The raw key is never sent to the server.
• Metadata — format (plain/markdown/code), language hint for syntax highlighting, expiry TTL, and burn-after-read flag.
• Creation timestamp — used to enforce expiry.

All paste data is stored in an in-memory data store and deleted automatically when the paste expires or is burned.

Abuse reports

When you submit an abuse report from a paste page, we collect the paste URL, the reported paste content, the reason and details you provide, your IP address, and optionally your email address if you choose to include it. This information is used solely to review and act on the report and is retained only as long as necessary to resolve it.

Server logs

Our hosting infrastructure may log standard HTTP request metadata (IP address, User-Agent, timestamp, request path) for a limited retention period for security and abuse prevention purposes. We do not correlate these logs with paste content.

3. Information We Do Not Have

• Your plaintext paste content at rest
• Your password (for password-protected pastes, it never leaves your browser)
• Your name, email address, or account information (except email addresses voluntarily submitted with abuse reports)
• Payment information (the Service is free)

4. Analytics

We use Google Analytics 4 and Vercel Analytics to collect aggregate, anonymized usage data (page views, session counts, referrers, browser and device types). These services may set cookies and collect IP addresses subject to their own privacy policies. We do not use analytics to track individual users across sessions.

Vercel Speed Insights collects Core Web Vitals timing data to help us monitor performance. No personally identifiable information is associated with this data.

5. Error Monitoring

We use a third-party error monitoring service to capture application errors and performance data. When an error occurs, a report is sent containing the stack trace, error message, browser and OS type, and the page URL. We have configured this service to minimize data collection; it does not collect or transmit IP addresses, cookies, or HTTP request headers. Screen recording is disabled to protect your content. Error reports are used solely to diagnose and fix bugs.

6. Cookies

We set a first-party preference cookie to remember whether the home page composer is expanded or collapsed. It does not contain paste content, encryption keys, passwords, or account information. Third-party analytics services (Google Analytics, Vercel Analytics) may set cookies in accordance with their own policies. You can block these cookies via your browser settings or a content blocker; the core Service functions without them.

7. Data Sharing

Empowered Technology LLC does not sell or share your data with third parties for advertising or marketing purposes. We may disclose server logs to law enforcement when required by valid legal process. Because we do not store plaintext paste content. For new pastes, the decryption key lives only in the URL fragment and stored paste bodies are not readable to us. We do not hold the raw data key or password for password-protected pastes. For older pastes created under the previous model, we may hold the raw data key server-side.

8. Data Retention

Paste data is stored only until its configured expiry time (maximum 30 days) or until it is read if burn-after-read is enabled. After expiration the data is automatically purged from our data store. Server logs are retained for a limited period (typically 30–90 days) and then deleted.

9. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has submitted personal data through the Service, contact us and we will delete it.

10. Changes to This Policy

We may update this Policy from time to time. The effective date at the top of this page will reflect the most recent revision. Continued use of the Service after changes are posted constitutes acceptance of the updated Policy.

11. Contact

Privacy questions or requests? privacy@textdrop.sh