Privacy Policy

The short version

BytesBit does not track you. We don't use analytics cookies, tracking pixels, or fingerprinting. Your data is encrypted in your browser and we cannot read it.

What we collect

Zero-knowledge architecture

Secure Share uses client-side encryption via the Web Crypto API. Your message is encrypted with AES-256-GCM in your browser before any data reaches our server. The decryption key is embedded in the URL fragment (#), which browsers never send to servers per RFC 3986 §3.5.

We cannot read your secrets. Even if our database were compromised, an attacker would only obtain encrypted ciphertext with no way to decrypt it.

Cookies

BytesBit uses a single localStorage key to remember your theme preference (light/dark). We do not use cookies. No third-party cookies, no tracking cookies, no session cookies.

Third-party services

We use Supabase for encrypted data storage and Vercel for hosting. Neither service has access to your encryption keys or plaintext data.

Data retention

• Read messages: Permanently deleted immediately upon first read (atomic database deletion).
• Unread messages: Automatically deleted when the TTL expires (30 minutes to 7 days).
• Cleanup schedule: A background job runs every 15 minutes to purge expired messages.

Open source

Our encryption source code is publicly available for audit. You can review the exact cryptographic implementation, database schema, and API layer on GitHub.

Changes to this policy

We will update this page if our privacy practices change. Material changes will be noted with an updated “Last updated” date at the top.

Contact

Questions about this policy? Email privacy@bytesbit.app.