How to send personal data securely?

To send personal data securely, use a tool that encrypts the content before transmission and does not retain a permanent copy. SecretNote encrypts your message in the browser using AES-256, generates a one-time link, and permanently deletes the note after it is read. Set an expiration timer and enable burn-after-reading. This is significantly more secure than sending data through email or chat, which store message history indefinitely.

Is it safe to send API keys over email?

No. Email is not designed for secret delivery. Messages can be forwarded, indexed by email providers, stored in backups, and accessed by anyone with access to either inbox. API keys sent over email may remain accessible for years. Use SecretNote instead - credentials are encrypted in the browser, the server never sees the plaintext, and the note is permanently destroyed after the recipient opens it.

Should you share your password with anyone?

Ideally, never. If temporary access is unavoidable, rotate the password immediately after use and share it only through a self-destructing encrypted note. Using SecretNote means the password cannot be recovered from a chat log, email thread, or server log after the note is opened and deleted.

Can SecretNote messages be recovered after they are read?

No. When a note is opened, the server permanently deletes the ciphertext. The decryption key exists only in the URL fragment, which is never stored by SecretNote. There is no database backup, server log, or cached version that contains the plaintext. Even the SecretNote team cannot recover a note that has been read and deleted.

What should I avoid putting in normal chat apps?

Avoid passwords, API keys, SSH keys, private keys, recovery codes, identity numbers, and unredacted personal records in normal chat apps. These messages are stored on servers indefinitely and can be accessed if the account or server is compromised. Use SecretNote for this type of data so it does not remain in chat history.

Is SecretNote better than attachments for sensitive files?

For sensitive data, yes. Email attachments are often duplicated across inboxes, mail servers, and backups. The file may persist for years in locations neither sender nor recipient controls. Files shared through SecretNote are encrypted before upload, stored only as ciphertext, and permanently deleted after the recipient downloads them.

How long until a SecretNote is destroyed?

You can set the auto-destruction time for unviewed notes in Options before creating the link. The default is 3 days. Available options range from 1 hour to 30 days. Once a note is viewed with burn-after-reading enabled, it is destroyed immediately regardless of the expiration timer.

What is zero-knowledge encryption?

Zero-knowledge encryption means the service provider never has access to the content of the data they store. SecretNote stores only the encrypted ciphertext of your note. The decryption key is never transmitted to the server - it exists only in the URL fragment, which web browsers exclude from HTTP requests. SecretNote staff and server administrators cannot read the content of any note.

What is AES-256 and why does it matter?

AES-256 (Advanced Encryption Standard with a 256-bit key) is a symmetric encryption algorithm used by governments, banks, and security professionals worldwide to protect sensitive data. A 256-bit key provides 2 to the power of 256 possible combinations, making brute-force attacks computationally infeasible. SecretNote uses AES-256 to encrypt every note directly in the browser before anything is transmitted to the server.

How does the URL fragment keep the encryption key secret?

A URL fragment is the portion of a URL that comes after the # character. Web browsers do not include the URL fragment in HTTP requests sent to the server. When a recipient opens a SecretNote link, the server receives only the note ID - not the decryption key. The key is used entirely within the recipient's browser to decrypt the ciphertext locally. The server never learns the key at any point.

What is burn-after-reading?

Burn-after-reading means a note is permanently deleted from the server the moment it is opened and decrypted by the recipient. The link stops working immediately after first use. It ensures that even if the link is later intercepted, forwarded, or found in a message history, the data it pointed to is already gone and cannot be retrieved.

What is the difference between burn-after-reading and an expiration timer?

An expiration timer deletes a note after a set time period regardless of whether it has been opened. Burn-after-reading deletes the note the moment it is first opened. Both options can be combined: a note set to expire in 1 day with burn-after-reading enabled will be deleted after 1 day if unread, or immediately upon first read - whichever comes first.

Does SecretNote comply with GDPR?

Yes. SecretNote is operated by RapidFoundry LTD, a company based in the European Union, and the service is built with GDPR compliance in mind. Notes are stored as encrypted ciphertext only, with no personally identifiable information linked to the content. Because SecretNote uses zero-knowledge architecture, the service processes no personal data contained within the notes themselves.

Is SecretNote free to use?

Yes, SecretNote is completely free. No subscription, payment, or account registration is required to create or read notes. All core features - AES-256 encryption, self-destructing notes, file attachments, expiration timers, burn-after-reading, and password protection - are available without any cost.

encrypted - self-destructs - no account

End-to-End Encrypted zero-knowledge no account auto-destruct made in the EU 100% free

Share private notes that self-destruct

Send encrypted messages that automatically self-destruct after being read. SecretNote is a free web-based service that lets you share confidential notes and private messages. Generate a secret link to send your encrypted note securely - your sensitive information remains completely private and protected.

file image draft - not sent

0 B / 512 KB

delete after read- 3 days- tap to reveal

01 Duration if nobody opens it, ciphertext self-destructs after this window.

02 Destruct options when does the server forget it ever existed.

03 Directly open and decrypt decrypt automatically when the recipient opens the link, without clicking the confirmation button.

or paste with Ctrl+V Attachment limits loading...

how it stays private

end-to-end encrypted AES-256, in your browser zero-knowledge no account

how it works

How can I send a self-destructing note?

Three simple steps to share confidential notes safely.

01 / WRITE

Type, paste, drop in a file.

Your message is encrypted in the browser with AES-256 before anything touches the network.

the quiet thing you need to send...

→ aes256(•) → ciphertext

02 / SHARE

Send the link.

The URL carries the decryption key after the #, which browsers never send to a server.

https://secretnote.eu/en/a9f2#8f3d...7e1c

03 / GONE

It disappears on read.

Server deletes the ciphertext the moment the link is opened. No backups, logs, or recovery.

ciphertext - a9f2

status: destroyed

why secretnote

Why should you use SecretNote to share private messages?

Your private note is encrypted in the browser and disappears after it is read.

Zero-Knowledge Architecture

AES-256 encryption runs entirely in your browser before anything leaves it. The decryption key is embedded in the URL fragment, the part after the #, which browsers never transmit in HTTP requests. Our server only ever stores ciphertext it has no key for.

Self-Destructing Messages

When the recipient opens the link, the ciphertext is fetched, decrypted locally, and immediately deleted from the server. No backup, no log, no cached copy. If the same link is opened twice, the second visitor finds nothing.

Completely Anonymous

No account, no email, no personal information. The only things stored server-side are the encrypted ciphertext, a random note ID, and an expiration timestamp, none of which are tied to any identity. No tracking pixels, no fingerprinting, no persistent IDs.

data protection

How SecretNote protects your data

A step-by-step explanation of what happens to your message.

Encryption happens in the browser

When you click Encrypt, your message is encrypted using AES-256 inside your browser tab. A random 256-bit encryption key is generated locally for each note. Neither the plaintext message nor the encryption key is ever transmitted to the server.

Only ciphertext reaches the server

The server stores a meaningless block of encrypted bytes under a random ID, and holds it until read or expired.

The key lives in the URL fragment

After the # in the link. Browsers never transmit the fragment to a server, so the key stays between sender and recipient.

Permanent deletion after first read

The recipient decrypts locally; the server destroys the ciphertext immediately. There is no recovery. Not by us, not by them.

what people use it for

What people share with SecretNote

Anything you would not want to leave a trace of, in a place that does not keep one.

Passwords & Credentials

Share login details, API keys, and access tokens without leaving them in chat logs or email threads.

Sensitive Documents

Send financial data, contracts, or personal information that should not persist in digital channels.

DevOps & IT Secrets

Transmit SSH keys, database credentials, and configuration secrets safely between team members.

Private Messages

Send confidential notes that vanish, for moments that deserve true privacy.

a quick comparison

SecretNote vs other ways to share sensitive data

Email and chat apps were not built for one-time secrets. Here is what changes when you use a tool that is.

Feature

SecretNote

Chat Apps

End-to-end encrypted

Message deleted after reading

Server never sees plaintext

No account required

Leaves no message history

Expiration timer

Free, no registration

frequently asked

Frequently asked questions

Answers about encrypted notes, zero-knowledge security, and safe data sharing.

No. Encryption and decryption happen in the browser. The server only ever holds an opaque block of ciphertext it has no key for, and deletes it the moment it is read.

A random 256-bit AES key is generated in your browser, used to encrypt the note locally, and then embedded in the link after the # symbol. Browsers never transmit the part after # to a server, so only the sender and recipient ever see the key.

Whoever opens the link first reads the note. The ciphertext is then destroyed, so anyone who follows finds an empty shell. Share the link through a channel you trust, and prefer the delete-after-read option for sensitive content.

No. There is no backup, log, or recovery. This is by design. Once the recipient opens the link, the ciphertext is erased permanently.

You choose an expiry from 1 hour up to 30 days when you encrypt the note. If nobody reads it by then, it is deleted automatically.

Text notes are capped at 512 KB. For larger content, use SecretFile, which supports files up to 100 MB.

No account, no email, no tracking. You open the page, write a note, share the link. That is the whole thing.

In the European Union. We are subject to the GDPR and store only minimal metadata (the ciphertext and its expiry) that is deleted as soon as the note is read or expires.

same idea, other shapes

SecretFile