Frequently Asked Questions

Creating an encrypted note takes just three simple steps:

1. Enter your message in the note editor
2. Choose your security settings (expiration time and view limit or custom password)
3. Click "Create Encrypted Note"

You'll receive two pieces of information:

• A shareable link to your note
• A decryption key (in Secure Mode)

Share the link through any communication channel. In Secure Mode, share the decryption key through a different channel for maximum security.

If you've received an EncryptedNote link:

1. Click the link to open the note page
2. If it's a Secure Mode note, you'll be asking for the decryption key
3. Enter the key and click "Decrypt Note" or "View Note Content" if it's a Simple Mode note
4. The note contents will be decrypted directly in your browser

Remember that viewing a note may trigger its self-destruct mechanism depending on the sender's settings.

When you view a note, several things may happen depending on how the creator configured it:

• If set to "one-time view," the note is permanently deleted from our servers
• If set with a view limit (e.g., 5 views), the counter decreases by one
• If the view limit reaches zero, the note is permanently deleted
• If a time-based expiration was set, the note remains available until that time

Once a note is deleted, it cannot be recovered by anyone—including our teams.

EncryptedNote implements several layers of security to protect your data:

1. Client-side encryption: Your note is encrypted in your browser before being sent to our servers, using XChaCha20-Poly1305, a state-of-the-art encryption algorithm
2. Zero-knowledge architecture: We never receive or store the unencrypted content or decryption keys
3. Separate key transmission: The decryption key is never transmitted to our servers
4. Minimal data storage: We only store the encrypted content and metadata (creation time, expiration settings)
5. Self-destructing data: Notes are permanently deleted after being viewed or reaching expiration

This security model protects your data from various threats, including server breaches, man-in-the-middle attacks, and internal access attempts.

XChaCha20-Poly1305 is a modern, high-security encryption algorithm that provides:

• Authenticated encryption: Ensures both confidentiality (encryption) and integrity (authentication)
• Extended nonce length: Uses a 24-byte nonce compared to the 12-byte nonce in ChaCha20, making it suitable for a broader range of applications
• High performance: Excellent speed on all devices, especially mobile, without requiring hardware acceleration
• Strong security margins: Designed with conservative security parameters that resist known attack methods

This algorithm is trusted and used by many security-focused applications and services globally, including secure messaging platforms and VPN providers.

No. We've intentionally designed EncryptedNote so that we cannot access your note contents. Here's why:

1. All encryption and decryption happens directly in your browser (client-side)
2. The encryption keys never leave your device
3. We only store the already-encrypted content on our servers

This zero-knowledge approach means that even if compelled by a legal order, we would be technically unable to provide the contents of any notes stored in our system. We can only provide the encrypted data, which is meaningless without the decryption key.

We store the minimum amount of data necessary to provide the service:

• Encrypted note content (not the unencrypted version)
• Creation timestamp
• Expiration settings (view count limit and/or expiration time)
• View counter (how many times the note has been accessed)

We do not store:

• Decryption keys
• IP addresses of creators or viewers
• User identification information
• Browser fingerprints or tracking cookies

All stored data is permanently deleted once a note expires or reaches its view limit.

Client-side encryption provides significant security advantages:

1. Data never exists unencrypted on our servers: Your note is encrypted in your browser before transmission
2. Protection against server breaches: Even if our servers were compromised, attackers would only find encrypted data
3. No trust required: You don't need to trust us with your sensitive information
4. Protection against man-in-the-middle attacks: Since decryption happens in the recipient's browser using a separately shared key, intercepted traffic remains secure
5. Resistance to internal threats: Our own administrators and employees cannot access your data

This approach shifts the security model from "trust us with your data" to "you don't have to trust us at all."

Absolutely not. We've designed EncryptedNote specifically to prevent us from accessing note contents:

1. All encryption happens in your browser before transmission
2. We never receive the decryption keys
3. The encrypted content is meaningless without the key
4. Our system architecture makes it technically impossible for us to read your notes

We cannot—and do not want to—analyze the content of your notes for any purpose, including advertising, product improvement, or data mining.

We use minimal, privacy-focused analytics that collect only:

• Aggregate page views (without personal identifiers)
• Basic browser and device information (type, not unique identifiers)
• Feature usage statistics (which modes and expiration options are popular)
• Performance metrics (load times, error rates)

We explicitly do not collect:

• IP addresses
• Unique device identifiers
• Browsing history or behavior
• Note contents (encrypted or otherwise)
• Personal information of any kind

All analytics data is anonymized and used solely to improve the service and identify technical issues.

Our data retention policy is simple and privacy-focused:

• Encrypted note content: Stored only until the note expires (based on view count or time limit), then permanently deleted
• Metadata: Deleted along with the note content upon expiration
• Analytics data: Retained in aggregate, anonymized form for up to 90 days
• Server logs: Automatically purged after 7 days
• Error reports: Retained for 30 days to resolve technical issues

We do not maintain backups of expired notes, meaning once a note is deleted, it's gone forever. This "forget by default" approach ensures minimal data retention and maximum privacy.

Basic Mode is ideal for:

• Sharing moderately sensitive information
• Situations where simplicity and convenience are priorities
• When you're already communicating through a secure channel
• Quick, ephemeral information sharing

Secure Mode is recommended for:

• Highly sensitive information (passwords, financial details, personal data)
• Situations requiring maximum security
• When you need verification that only the intended recipient can access the note
• Professional or business contexts with compliance requirements

Both modes use client-side encryption, but Secure Mode adds an additional layer of protection by requiring a separate decryption key.

Yes, EncryptedNote is well-suited for sharing passwords, particularly in Secure Mode. Here's why:

• Passwords are encrypted before leaving your device
• The decryption key can be shared through a different channel than the note link
• Self-destruct functionality ensures the password doesn't remain accessible indefinitely
• No logs or backups are kept that could expose the shared password

For maximum security when sharing passwords:

1. Use Secure Mode with a strong decryption key
2. Set the note to self-destruct after a single view
3. Share the link and decryption key through different communication channels
4. Ask the recipient to confirm when they've used the password and accessed the account

EncryptedNote implements robust security measures aligned with international standards for protecting sensitive healthcare data:

• Client-side XChaCha20-Poly1305 encryption ensuring data is encrypted before leaving your device
• Zero-knowledge architecture preventing us from accessing your unencrypted information
• HTTPS transmission with perfect forward secrecy
• Automatic data destruction based on your specified parameters
• No server-side access to encryption keys or unencrypted content

For healthcare organizations considering EncryptedNote:

United States (HIPAA) Considerations:

EncryptedNote's technical security features align with many HIPAA Security Rule requirements. However, formal HIPAA compliance requires additional administrative measures:

• Business Associate Agreement (available with our Business tier)
• Comprehensive access logging and audit trails (available with our Business tier)
• Inclusion in your organization's HIPAA compliance documentation

European/German Considerations:

Our technical architecture supports compliance with GDPR and German healthcare data protection requirements through:

• Data minimization (we collect only what's necessary for functionality)
• Processing transparency (detailed in our Privacy Policy)
• Built-in automatic data deletion
• No transfer of unencrypted data

We recommend consulting with your compliance officer to determine if EncryptedNote meets your specific regulatory requirements.

Absolutely. EncryptedNote is suitable for various business and professional contexts:

• Legal professionals: Share confidential client information
• Financial advisors: Transmit account details or financial advice
• Healthcare providers: Exchange patient information securely
• HR departments: Share sensitive employee data
• IT teams: Distribute temporary credentials or access information
• Executives: Communicate confidential business strategies

Our Business tier (coming soon) will offer additional features designed specifically for professional use, including team management, audit logs, and compliance documentation.

Yes, EncryptedNote is fully optimized for mobile devices. Our responsive design ensures a seamless experience whether you're using a smartphone, tablet, or desktop computer.

Mobile-specific features include:

• Touch-friendly interface elements
• Optimized layout for smaller screens
• Efficient bandwidth usage
• QR code sharing for easy mobile-to-mobile transfers
• Compatible with all major mobile browsers

There's no app to install—simply visit EncryptedNote in your mobile browser to create or view encrypted notes.

EncryptedNote works with all modern browsers that support the Web Crypto API, including:

• Chrome (version 60+)
• Firefox (version 55+)
• Safari (version 11+)
• Edge (version 79+)
• Opera (version 47+)

Mobile browsers are also fully supported, including:

• Safari on iOS (version 11+)
• Chrome on Android (version 60+)
• Samsung Internet (version 8.2+)
• Firefox for Mobile (version 55+)

For the best security and performance, we recommend keeping your browser updated to the latest version.

If you close your browser immediately after creating a note but before copying the link and decryption key, unfortunately, that specific note cannot be recovered.

To prevent this situation:

1. The note creation success page remains accessible in your browser until you close the tab
2. We recommend copying both the link and decryption key before closing your browser

In a future update, we plan to add temporary local storage of recently created note links (encrypted, of course) to help recover from accidental closures.

Yes, EncryptedNote is fully optimized for mobile devices. Our responsive design ensures a seamless experience whether you're using a smartphone, tablet, or desktop computer.

Mobile-specific features include:

• Touch-friendly interface elements
• Optimized layout for smaller screens
• Efficient bandwidth usage
• QR code sharing for easy mobile-to-mobile transfers
• Compatible with all major mobile browsers

There's no app to install—simply visit EncryptedNote in your mobile browser to create or view encrypted notes.

EncryptedNote works with all modern browsers that support the Web Crypto API, including:

• Chrome (version 60+)
• Firefox (version 55+)
• Safari (version 11+)
• Edge (version 79+)
• Opera (version 47+)

Mobile browsers are also fully supported, including:

• Safari on iOS (version 11+)
• Chrome on Android (version 60+)
• Samsung Internet (version 8.2+)
• Firefox for Mobile (version 55+)

For the best security and performance, we recommend keeping your browser updated to the latest version.

If you close your browser immediately after creating a note but before copying the link and decryption key, unfortunately, that specific note cannot be recovered.

To prevent this situation:

1. The note creation success page remains accessible in your browser until you close the tab
2. We recommend copying both the link and decryption key before closing your browser

In a future update, we plan to add temporary local storage of recently created note links (encrypted, of course) to help recover from accidental closures.