Security & Privacy
Plain-language privacy policy describing how encrypt.click treats your data. This is informational only and not legal advice.
No accounts, no logins
encrypt.click does not have user accounts, logins, or profiles. You do not need to register or provide any personal information to use the tools.
100% client-side tools
All cryptographic operations are performed in your browser using the Web Crypto API and other local APIs. For the core tools, inputs (text, files, passwords, keys) are never sent to any backend controlled by encrypt.click.
For the Dead Drop tool specifically: the payload is compressed and encrypted locally and stored in the URL fragment (the part after #). URL fragments are not sent to encrypt.click servers during normal page requests.
Some tools may fetch public data or randomness from third-party APIs that you explicitly invoke (for example, the Drand randomness beacon for the Time Capsule). These calls never include your plaintext secrets or passwords.
Optional URL shortening
If you choose to shorten a link (for example from the Dead Drop page), your browser calls /api/shorten on encrypt.click. The encrypt.click backend then makes a server-side request to the shortener you selected.
The shortener will receive the full URL you are shortening. For Dead Drop links, that includes the URL fragment containing the encrypted payload. The payload is encrypted, but it can still be a unique identifier and may be considered sensitive metadata. If you want maximum privacy, do not use third-party shorteners for Dead Drop links.
When you share a shortened link from encrypt.click, the URL you share is still on the encrypt.click domain. When someone clicks it, their browser talks to encrypt.click first. encrypt.click then contacts the shortener on their behalf and follows the redirect server-side before redirecting the visitor back to an encrypt.click URL. This design means the shortener sees requests from encrypt.click infrastructure, not directly from the visitor's IP address, although the shortener can still log that a given encrypted link was used.
Cookies and local storage
The site does not set tracking or analytics cookies, and does not use third-party trackers or ad pixels. Your browser may use localStorage only to remember your preferred light/dark theme. This value does not contain personal data.
Cloudflare (our hosting provider) may set cookies for security and abuse prevention depending on traffic patterns and your browser settings, under Cloudflare's own policies.
Network and transport security
- All traffic is served over HTTPS with a modern TLS configuration.
- HTTP Strict Transport Security (HSTS) is enabled with includeSubDomains; preload.
- Content Security Policy (CSP) restricts scripts, styles, fonts, and connections to trusted origins only.
- Framing is disabled via frame-ancestors 'none' and X-Frame-Options: DENY.
Third-party infrastructure
encrypt.click is hosted on Cloudflare Pages. Cloudflare, as a reverse proxy and CDN, may log standard HTTP metadata (such as IP address and user agent) for security and operational purposes, according to their own privacy policy.
The application itself does not maintain its own server-side logs of your tool inputs. For abuse prevention, encrypt.click applies rate limiting on API endpoints (such as the Drand proxy and URL shortener). Rate limiting uses a one-way hash of your IP address (salted SHA-256, truncated) stored only in memory for a short window (about 60 seconds) and is not written to a database by the application.
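A sketch of the rate-limiting scheme described above, as an added example and not encrypt.click's own code. The page states only salted SHA-256, truncation, in-memory storage, and a window of about 60 seconds; the request limit, the 16-hex-character truncation, the per-process random salt, and all function names here are assumptions.

```javascript
// Added example (not encrypt.click's code): in-memory rate limiting keyed by a
// salted, truncated SHA-256 of the client IP. Runs on Node.js.
const { createHash, randomBytes } = require('node:crypto');

const WINDOW_MS = 60_000;  // "about 60 seconds", per the page
const MAX_REQUESTS = 10;   // assumed limit; the page does not state one
const KEY_HEX_CHARS = 16;  // assumed truncation: first 64 bits of the digest

function createLimiter({ salt = randomBytes(16), windowMs = WINDOW_MS, max = MAX_REQUESTS } = {}) {
  // key -> { count, resetAt }. Lives only in this process; nothing is persisted.
  const buckets = new Map();

  // One-way key for an IP. The IPv4 space is small enough to enumerate, so the
  // salt must stay secret; a random per-process salt (assumed here) also
  // prevents correlating keys across restarts.
  function keyFor(ip) {
    return createHash('sha256').update(salt).update(ip).digest('hex').slice(0, KEY_HEX_CHARS);
  }

  function check(ip, now = Date.now()) {
    // Evict expired buckets so hashed IPs do not outlive the window.
    for (const [key, bucket] of buckets) {
      if (bucket.resetAt <= now) buckets.delete(key);
    }
    const key = keyFor(ip);
    const bucket = buckets.get(key) ?? { count: 0, resetAt: now + windowMs };
    bucket.count += 1;
    buckets.set(key, bucket);
    const allowed = bucket.count <= max;
    return { allowed, retryAfterMs: allowed ? 0 : bucket.resetAt - now };
  }

  return { check, keyFor, size: () => buckets.size, keys: () => [...buckets.keys()] };
}

// Constructed sample traffic using a documentation-range address.
function demo() {
  const limiter = createLimiter({ salt: Buffer.from('constructed-salt'), max: 2 });
  return [0, 1000, 2000, 60_000].map((t) => limiter.check('203.0.113.7', t).allowed);
}
```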
Responsible disclosure
If you believe you have found a security or privacy issue in encrypt.click, please contact security@encrypt.click. Include enough detail to reproduce the issue and avoid testing that could impact other users.
Non-legal summary
This page is a human-readable summary of how encrypt.click is designed to handle your data. It is not a contract and not a full legal terms-of-use document. By using the site, you accept that no guarantee of perfect security can be made and that you use the tools at your own risk.