Security at ClicksLeft
What we encrypt, what we store and what we cannot see.
End-to-End Encryption
Only for Secret Text
When you create a secret message, the following happens:
1. Your browser generates a random 256-bit key
2. The text is locally encrypted with AES-256-GCM
3. Only the encrypted text is sent to our server
4. The key is appended to your URL (after the # symbol)
5. The # fragment is never sent to servers – that's how the web works
Result: Our database only contains unreadable text. Without the key from your URL, we – or an attacker – cannot decrypt anything.
Important: This encryption only applies to Secret Text. URLs for Tracker and Limited links must be readable to us so we can perform the redirect.
What We Store
| Data | How stored | Can we read? |
|---|---|---|
| Secret Text | AES-256 encrypted | |
| Account Password | bcrypt Hash | |
| Link Password | bcrypt Hash | |
| IP Addresses | SHA-256 Hash | |
| Target URLs | Plain text | (Required for redirect) |
| File Names | Plain text | (Required for download) |
| | Plain text | (Required for account) |
| Analytics | Aggregated | (Country, device, time) |
GDPR & Your Rights
As an EU citizen, you have the following rights, which we fully implement:
- You can export all your data as JSON
- You can completely delete your account
- Export in machine-readable format
- You can disable tracking per link
You can find all these features in your account settings.
Technical Security Measures
What We Cannot Guarantee
Honesty is important to us:
- We cannot guarantee we'll never be hacked (nobody can)
- But: Even in a breach, Secret texts would be protected by E2E encryption
- URLs and file names would be readable – so don't use highly sensitive info as URL/file name
Recommendation: For the most sensitive data, protect Secret text with an additional password.