Skip to content
VoidNote

Privacy policy

Last updated: 27 February 2026

1. What we collect

Account data. Username, optional email address, PBKDF2 password hash and salt, credit balance, registration date. We never store plaintext passwords.

Notes. The encrypted ciphertext, initialisation vector, optional plaintext title, view count, view limit, and expiry timestamp. We cannot read the content — see How It Works.

Sessions. A signed session token stored in a secure, HTTP-only cookie (vn_session). Sessions expire after 30 days or on logout.

Purchase records. If you buy credits: the bundle chosen, fiat amount, crypto currency, AlchemyPay order reference, and payment status. We do not process or store card or wallet details.

2. What we do not collect

  • • The decryption key for any note — it never leaves your browser
  • • IP addresses beyond what Cloudflare logs at the infrastructure layer
  • • Tracking cookies, analytics pixels, or behavioural data
  • • Any data about note recipients — we have no way to identify who views a note

3. How we use your data

  • • Authenticate you and maintain your session
  • • Track your credit balance and deduct credits when notes are created
  • • Process and reconcile credit purchases
  • • Send email verification or (if registered with email) respond to support requests
  • • Run the scheduled cleanup job that deletes expired notes

We do not sell, rent, or share your data with third parties for marketing.

4. Third-party services

Service Purpose Data shared
Cloudflare CDN, Workers, D1, KV All traffic passes through Cloudflare infrastructure
AlchemyPay Crypto payments Fiat amount, order reference. Their privacy policy governs checkout data.
Resend Email delivery (optional) Email address and content of verification emails, if you provided an email
Google Fonts Typeface loading IP address as part of font request

5. Data retention

  • Notes — deleted on last view or after 24 hours, whichever comes first. No archive.
  • Sessions — deleted on logout or after 30 days.
  • Account data — retained while your account is active and for 30 days after deletion.
  • Purchase records — retained for 7 years for tax and financial compliance.

6. Your rights (GDPR)

If you are in the EEA or UK, you have the right to access, rectify, erase, or port your personal data, and to restrict or object to processing. To exercise these rights, contact us at the address below. We will respond within 30 days.

If you registered without an email, you can only contact us from the registered account — we have no other way to verify identity.

7. Security

Notes are protected by client-side AES-256-GCM encryption. Sessions use post-quantum ML-DSA-65 signatures. Passwords use PBKDF2 with 100,000 iterations. All traffic is served over HTTPS via Cloudflare.

8. Contact

Questions about this policy: privacy@voidnote.net