Privacy Policy (Australia)
Effective: 2025-09-17
This policy explains how we handle personal information in Australia in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) for the SecSend service.
What We Collect
Service data: we store only encrypted ciphertext and minimal metadata (secret ID, TTL/expiry, views remaining, created time, size, and a hashed delete token). We never store plaintext or the decryption key.
Technical data: IP address and headers used for rate limiting and security; a SameSite CSRF cookie; user agent; and, if enabled, a Cloudflare Turnstile token. We do not use analytics by default.
How We Collect and Hold It
Information is collected automatically via your browser when using the app and is held in memory or a data store with per‑secret expiry. In development we may use an in‑memory store; in production we typically use Redis with time‑based deletion.
Why We Collect It
To operate the service (create, reveal, delete secrets), prevent abuse (rate limiting, CSRF), ensure security, and comply with legal obligations. We do not sell personal information or use it for direct marketing.
Storage, Security and Retention
Zero‑knowledge: encryption happens in your browser and keys never leave your device. Secrets auto‑expire and are deleted after the configured TTL or when views are exhausted. We do not keep backups of ciphertext beyond expiry. Operational logs are minimal and time‑limited.
Disclosure and Overseas Recipients
We may use infrastructure providers (e.g., hosting/CDN/Redis). Depending on your configuration these services may be located in Australia or overseas. If a third‑party Redis provider is used (e.g., Upstash), data location depends on the selected region. Contact us for current locations if applicable.
Access and Correction
We generally hold very limited personal information (mainly technical data). You may request access to, or correction of, your personal information. Identification may be required. Because service data is ephemeral and encrypted, we may be unable to retrieve records after expiry.
Anonymity
You may use the service without creating an account. Some technical data (e.g., IP address) is still processed to operate the service securely.
Complaints
If you have a privacy complaint, contact us first and we will respond within a reasonable time. If you are not satisfied, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Contact
Email: [email protected]
Changes to This Policy
We may update this policy. The latest version is posted on this page and is effective from the date above.