SecretNote - Share private notes that self-destruct

To send personal data securely, use a tool that encrypts the content before transmission and does not retain a permanent copy. SecretNote encrypts your message in the browser using AES-256, generates a one-time link, and permanently deletes the note after it is read. Send the link through any channel, set an expiration timer, and enable burn-after-reading. This is significantly more secure than sending data through email or chat, which store message history indefinitely.

No. Email is not designed for secret delivery. Messages can be forwarded, indexed by email providers, stored in backups, and accessed by anyone with access to either inbox. API keys sent over email may remain accessible for years. Use SecretNote instead - credentials are encrypted in the browser, the server never sees the plaintext, and the note is permanently destroyed after the recipient opens it.

Ideally, never. If temporary access is unavoidable, rotate the password immediately after use and share it only through a self-destructing encrypted note. Using SecretNote means the password cannot be recovered from a chat log, email thread, or server log after the note is opened and deleted.

No. When a note is opened, the server permanently deletes the ciphertext. The decryption key exists only in the URL fragment, which is never stored by SecretNote. There is no database backup, server log, or cached version that contains the plaintext. Even the SecretNote team cannot recover a note that has been read and deleted. This is the defining property of the zero-knowledge, burn-after-reading design.

Avoid passwords, API keys, SSH keys, private keys, recovery codes, identity numbers, tax IDs, and unredacted personal records in normal chat apps. These messages are stored on servers indefinitely and can be accessed if the account or server is compromised. Use SecretNote for this type of data so it does not remain in chat history.

For sensitive data, yes. Email attachments are often duplicated across inboxes, mail servers, and backups. The file may persist for years in locations neither sender nor recipient controls. Files shared through SecretNote are encrypted before upload, stored only as ciphertext, and permanently deleted after the recipient downloads them.

You can set the auto-destruction time for unviewed notes in Options before creating the link. The default is 3 days. Available options range from 1 hour to 30 days. Once a note is viewed with burn-after-reading enabled, it is destroyed immediately regardless of the expiration timer. A note that is never opened is deleted when the timer expires.

Zero-knowledge encryption means the service provider never has access to the content of the data they store. In the context of SecretNote, the server stores only the encrypted ciphertext of your note. The decryption key is never transmitted to the server - it exists only in the URL fragment, which web browsers exclude from HTTP requests. The result is that SecretNote staff, server administrators, or anyone with access to the server infrastructure cannot read the content of any note.

AES-256 (Advanced Encryption Standard with a 256-bit key) is a symmetric encryption algorithm used by governments, banks, and security professionals worldwide to protect sensitive data. A 256-bit key provides 2 to the power of 256 possible combinations, making brute-force attacks computationally infeasible with current or foreseeable computing technology. SecretNote uses AES-256 to encrypt every note directly in the browser before anything is transmitted to the server.

A URL fragment is the portion of a URL that comes after the # character. For example, in a SecretNote link, the fragment contains the decryption key. Web browsers do not include the URL fragment in HTTP requests sent to the server. This means when a recipient opens a SecretNote link, the server receives only the note ID - not the decryption key. The key is used entirely within the recipient's browser to decrypt the ciphertext locally. The server never learns the key at any point.

Burn-after-reading means a note is permanently deleted from the server the moment it is opened and decrypted by the recipient. The link stops working immediately after first use. This is the default behavior for SecretNote. It ensures that even if the link is later intercepted, forwarded, or found in a message history, the data it pointed to is already gone and cannot be retrieved.

An expiration timer deletes a note after a set time period regardless of whether it has been opened. For example, a note set to expire in 1 hour will be deleted after 1 hour even if nobody read it. Burn-after-reading deletes the note the moment it is first opened. Both options can be combined in SecretNote: a note set to expire in 1 day with burn-after-reading enabled will be deleted after 1 day if unread, or immediately upon first read - whichever comes first.

Yes. SecretNote is operated by RapidFoundry LTD, a company based in the European Union, and the service is built with GDPR compliance in mind. Notes are stored as encrypted ciphertext only, with no personally identifiable information linked to the content. Because SecretNote uses zero-knowledge architecture, the service processes no personal data contained within the notes themselves. A privacy policy and terms of service are available on the website.

Yes, SecretNote is completely free. No subscription, payment, or account registration is required to create or read notes. All core features - AES-256 encryption, self-destructing notes, file attachments, expiration timers, burn-after-reading, and password protection - are available without any cost.