Back to AdaptoSecret

Privacy Policy

Last updated: April 2026

The Short Version

We cannot read your secrets. We do not use cookies for tracking. We collect minimal analytics about page views. Your encrypted data is deleted within 24 hours of being viewed or expiring. That is our entire privacy story.

What We Collect

Analytics (Vercel Analytics)

We use Vercel Analytics to understand how many people use AdaptoSecret and which pages they visit. This collects:

  • Page views (which pages were visited)
  • Approximate geographic region (country/region level)
  • Browser and device type
  • Referrer (how you found us)

Vercel Analytics does not use cookies and does not collect personally identifiable information. It does not track individual users across sessions.

Rate-Limit Data

To prevent abuse, we temporarily store hashed IP address prefixes in our rate-limit system. This data expires automatically after 60 seconds. We cannot reverse these hashes to identify you.

Application Logs

Our servers generate logs for debugging and security monitoring. These logs contain hashed record identifiers and hashed IP prefixes. They do not contain your secrets, the share URLs, or any plaintext content. Logs are retained for 90 days.

What We Do NOT Have

  • Your plaintext secrets: All encryption happens in your browser. We only receive and store encrypted data.
  • The encryption keys: Keys live in the URL fragment (the part after the #), which browsers never send to servers.
  • The full share URLs: We do not log or store the complete URLs that contain encryption keys.
  • Tracking cookies: We do not set any cookies for tracking purposes. Vercel may set technical cookies for security purposes (like bot detection), but these do not track your behavior.
  • User accounts or email addresses: AdaptoSecret does not require registration.

How We Handle Encrypted Data

When you create a secret, your browser encrypts it before sending anything to us. We store:

  • The encrypted ciphertext (we cannot decrypt this)
  • A random record ID
  • Creation and expiration timestamps
  • View count
  • For passphrase-protected secrets: additional cryptographic parameters (also encrypted or hashed)

This data is deleted immediately when the secret is consumed (viewed the maximum number of times) or expires. Metadata rows are purged within 24 hours after that.

Third-Party Processors

We use the following services to operate AdaptoSecret. Each only receives the minimum data necessary for their function:

  • Vercel (hosting and analytics): Hosts our application, provides analytics, and handles TLS termination. SOC 2 Type II certified.
  • Neon (database): Stores encrypted ciphertext and metadata. Cannot decrypt your secrets. SOC 2 Type II certified.
  • Upstash (rate limiting): Stores temporary rate-limit counters only. Never receives secret content. SOC 2 Type II certified.

We do not sell your data. We do not share data with advertisers or data brokers.

Your Rights

Because we collect minimal data and cannot identify individual users, many traditional data-subject rights are either automatic or inapplicable:

  • Right to deletion: Automatic. Your encrypted data is deleted when consumed or expired.
  • Right to access: We cannot identify which secrets belong to you. We also cannot decrypt any secrets to show you their contents.
  • Right to portability: Not applicable given our zero-knowledge architecture.

If you have questions about your data, contact us at privacy@adaptoit.com.

Changes to This Policy

We may update this Privacy Policy from time to time. We will post any changes on this page with an updated revision date. For significant changes, we may provide additional notice on our homepage.

Contact

Privacy questions or concerns? Contact us at privacy@adaptoit.com.

AdapToIT, LLC
California, USA