Privacy Policy

Last updated: March 22, 2026

The short version

1time.io is built on a zero-knowledge architecture. Your secrets are encrypted in your browser before they reach our server. We cannot read them. We do not track you. We do not use cookies. We do not run analytics.

What we store

  • Encrypted secret data: When you create a one-time link, your browser encrypts the secret with AES-256-GCM before sending it to our server. We store only the encrypted ciphertext. The decryption key stays in the URL fragment (#), which is never sent to the server. We cannot decrypt your secrets.
  • Automatic deletion: Encrypted data is permanently deleted after the link is opened once, or after the expiry period you choose (1–30 days), whichever comes first.
  • Server logs: Standard web server logs (IP address, timestamp, URL path, user agent) may be retained for up to 14 days for security and abuse prevention. These logs never contain secret content or decryption keys.

What we do not collect

  • No accounts or personal information — the service works without sign-up
  • No cookies — not even a session cookie
  • No analytics or tracking scripts — no Google Analytics, no pixels, no fingerprinting
  • No third-party requests — no CDNs, ad networks, or external resources
  • No plaintext secrets — encryption happens client-side before transmission

Password and key generators

The password generator, passphrase generator, API key generator, and WiFi password generator run entirely in your browser using the Web Crypto API. Generated values are never sent to our server.

CLI

The 1time CLI performs encryption locally on your machine before sending data to the server. The same zero-knowledge guarantees apply — the server never sees plaintext or keys.

Self-hosting

1time.io is open source. You can run your own instance and control your data entirely. When self-hosted, no data is sent to 1time.io or any third party.

Infrastructure

The hosted service at 1time.io runs on infrastructure located in Europe. All connections are encrypted with TLS. The server stores only encrypted blobs in Redis with automatic expiration.

Changes to this policy

If this policy changes, the update date at the top of the page will be revised. Because 1time.io collects virtually no data, meaningful changes are unlikely.

Contact

Questions about privacy? Open an issue on GitHub or reach us through the repository.