[h4·bin]

// privacy policy

We can't read your pastes. That's the whole policy.

Most privacy policies promise not to misuse your data. h4Bin is built so the question never arises: your data never reaches us. What follows explains precisely what exists, where, and for whom.

TL;DR: No accounts. No cookies. No analytics. No database. Pastes are encrypted on your device and live only inside the links you create. We could not hand your data to anyone — including ourselves — if we tried.

What h4Bin collects

Nothing. The application has no server-side component:

Where your pastes actually live

When you mint a link, your text is compressed and encrypted with AES-256-GCM inside your browser tab. The ciphertext and its key are placed in the URL fragment — the part after #. Per the HTTP standard, browsers never transmit fragments in requests, so neither the paste nor the key can appear in any server's logs, including ours. The paste exists exactly in one kind of place: the links held by you and the people you share them with.

What the hosting layer sees

The static files (HTML, CSS, JavaScript, fonts) are served by Vercel. Like any web host, Vercel's infrastructure processes standard request metadata — your IP address, user agent, and the path of the file requested (e.g. /index.html) — to deliver the page and mitigate abuse. That metadata never includes the fragment, so it never includes your paste, your key, or your password. If you consider request metadata sensitive, access the site through Tor or a VPN; nothing in h4Bin will fight you on that.

What stays in your browser

Third parties

There are none at runtime. Fonts and all scripts are bundled and served from this origin. The site's Content-Security-Policy (connect-src 'none') instructs your browser to block any network call the application might ever attempt — a guarantee you can verify in your DevTools network tab.

Your responsibilities

The link is the secret. Whoever holds it (plus the password, if set) can read the paste. Share links over channels appropriate to the sensitivity of the content, and remember that messengers, browsers and proxies may retain URLs in their own histories and logs — that part of the world is outside any pastebin's control.

Changes to this policy

Any change lands as a public commit in the open-source repository — the git history is the changelog. Material changes will be noted on this page.

Contact

Questions or concerns: open an issue on GitHub. For security reports, see the security page.

last updated: 2026-07-10