// privacy policy
We can't read your pastes. That's the whole policy.
Most privacy policies promise not to misuse your data. h4Bin is built so the question never arises: your data never reaches us. What follows explains precisely what exists, where, and for whom.
TL;DR: No accounts. No cookies. No analytics. No database. Pastes are encrypted on your device and live only inside the links you create. We could not hand your data to anyone — including ourselves — if we tried.
What h4Bin collects
Nothing. The application has no server-side component:
- No user accounts and no sign-in of any kind.
- No cookies — the site sets none, first- or third-party.
- No analytics, telemetry, crash reporting, or fingerprinting scripts.
- No logging of paste content, titles, passwords, or keys — these never leave your device.
Where your pastes actually live
When you mint a link, your text is compressed and encrypted with AES-256-GCM
inside your browser tab. The ciphertext and its key are placed in the URL
fragment — the part after #. Per the HTTP standard, browsers
never transmit fragments in requests, so neither the paste nor the key can appear in any
server's logs, including ours. The paste exists exactly in one kind of place: the links
held by you and the people you share them with.
What the hosting layer sees
The static files (HTML, CSS, JavaScript, fonts) are served by
Vercel. Like any web
host, Vercel's infrastructure processes standard request metadata — your IP address, user
agent, and the path of the file requested (e.g. /index.html) — to deliver the
page and mitigate abuse. That metadata never includes the fragment, so it never includes
your paste, your key, or your password. If you consider request metadata sensitive, access
the site through Tor or a VPN; nothing in h4Bin will fight you on that.
What stays in your browser
-
localStorage["h4bin-theme"]— a single value,darkorlight, if you toggle the theme. That is the only thing h4Bin persists. - Editor content is not auto-saved anywhere. Close the tab before minting and it is gone.
- Like every URL you visit, paste links can appear in your own browser history. Use a private window if that matters for your situation.
Third parties
There are none at runtime. Fonts and all scripts are bundled and served from this origin.
The site's Content-Security-Policy (connect-src 'none') instructs your browser
to block any network call the application might ever attempt — a guarantee you can verify
in your DevTools network tab.
Your responsibilities
The link is the secret. Whoever holds it (plus the password, if set) can read the paste. Share links over channels appropriate to the sensitivity of the content, and remember that messengers, browsers and proxies may retain URLs in their own histories and logs — that part of the world is outside any pastebin's control.
Changes to this policy
Any change lands as a public commit in the open-source repository — the git history is the changelog. Material changes will be noted on this page.
Contact
Questions or concerns: open an issue on GitHub. For security reports, see the security page.
last updated: 2026-07-10