A shareable link with as many locks as your secret deserves — passwords, biometrics, USB hardware keys, NDAs, geographic limits, single-device binding. Every view watermarked, signed, and recorded.
The stack
A casual link works for a wifi password. A signed NDA gated by a face-match and a USB key works for the term sheet. Same product, same audit log, two very different gates.
The password is bcrypt-hashed and used as part of the encryption key derivation. Without it, the content is mathematically inaccessible.
AWS Rekognition matches the viewer against an enrolled reference image, with quality and basic anti-spoof checks.
Bind a secret to a specific USB device via WebUSB. The device must be physically present at access time.
Require a signed click-through or a drawn signature before content reveals. Signatures are hashed against the document.
Allow only specific countries. IP-based, fail-closed when the lookup is uncertain.
The first viewer's browser fingerprint becomes the only one that can ever open this link.
Race-safe one-shot reveal. After the first view the link is gone — no replay, no second window.
Per-recipient verification with 6-digit codes. Audit who proved their identity, not just who clicked.
Every reveal carries a unique watermark tied to the access log row. Leaks become forensically attributable.
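A sketch of the race-safe one-shot reveal described above, added here as an illustration and not the product's own code. The `links` table, its columns and the SQLite backend are assumptions; the point is that the "is it unused?" check and the "mark it used" write happen in one atomic statement.

```python
import sqlite3
import threading

def open_db(path):
    # One connection per request; autocommit so each statement is its own transaction.
    return sqlite3.connect(path, timeout=5, isolation_level=None)

def create_link(path, link_id):
    conn = open_db(path)
    conn.execute("CREATE TABLE IF NOT EXISTS links "
                 "(id TEXT PRIMARY KEY, consumed_at TEXT)")
    conn.execute("INSERT INTO links (id) VALUES (?)", (link_id,))
    conn.close()

def try_reveal(path, link_id):
    """Return True for exactly one caller per link, False for everyone else.

    A SELECT followed by a separate UPDATE would let two requests both see
    consumed_at IS NULL. A conditional UPDATE lets the database pick the winner.
    """
    conn = open_db(path)
    try:
        cur = conn.execute(
            "UPDATE links SET consumed_at = datetime('now') "
            "WHERE id = ? AND consumed_at IS NULL", (link_id,))
        return cur.rowcount == 1   # 0 rows: already consumed or unknown link
    finally:
        conn.close()

def race(path, link_id, viewers=8):
    """Fire `viewers` simultaneous reveal attempts; return how many succeeded."""
    results = []
    barrier = threading.Barrier(viewers)

    def viewer():
        barrier.wait()             # release all threads at the same moment
        results.append(try_reveal(path, link_id))

    threads = [threading.Thread(target=viewer) for _ in range(viewers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)

if __name__ == "__main__":
    import os, tempfile
    db = os.path.join(tempfile.mkdtemp(), "links.db")
    create_link(db, "lnk_demo")    # constructed sample link id
    print("successful reveals:", race(db, "lnk_demo"))
    print("replay allowed:", try_reveal(db, "lnk_demo"))
```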
How it works
Write or upload your secret in a familiar editor. Pick the protection layers it needs from a checklist.
Send a link. Optionally name recipients so each one gets a personalised link with verification baked in.
Every view, every signature, every failed attempt is logged. Download a tamper-evident certificate per signature.
Everyday
Most secret-sharing isn't dramatic. It's a wifi code, a Netflix password, a crypto seed phrase, a copy of your passport. Send a link instead, pick the gates that match the stakes, walk away.
Wifi password for the houseguest: Single-use · 1-day expiry
Crypto seed phrase to yourself: Password · Single-device
Tax documents to your accountant: Email-verified recipient · 7-day expiry
Door code to a short-stay guest: Geographic · Time-windowed
Bank login to your partner: Password · Single-device
Medical results to a family member: Email + SMS · Watermarked
API keys to a freelancer: Password · Single-use
Streaming password for the kids: No gates · 30-day expiry
A one-off file your accountant lost: Single-use · Watermarked
When stakes are higher
Term sheets, NDAs, due-diligence packets. Force a signature, capture identity, log every view with a hash of the document version that was actually shown.
API keys, root passwords, recovery codes. Combine a password gate with single-use and single-device so even a forwarded link is dead on arrival.
Pre-public news to a named board list. Email + SMS verification proves who saw it before any public release; watermarks make leaks attributable.
Geographic limits, biometric verification, full audit trails. The guarantees compliance teams ask for, without an enterprise sales cycle.
Philosophy
A short list of things we hold to. If any of them ever stop being true, the whole product is broken.
Content is encrypted with a key derived from your team's root + the secret's unique id + (optionally) your password. Without all three, the bytes on disk are noise. Our database alone is not enough to decrypt anything.
One lock for trivia, ten for treasure. Each protection layer composes with the others — every step is a server-side gate, not a client-side suggestion. Skip the dramatic ones when you don't need them.
A link that lives forever is a link that gets forwarded, screenshotted, indexed. Most things you share have a short useful life. We make the short option the easy one.
Timestamps, IP, country, signed identity if you required one, a unique watermark embedded in the rendered content. If something leaks, the leak has a name attached.
Screenshots happen. Compromised endpoints happen. We can't stop someone's phone from photographing the screen. We tell you what the gates protect against — and what they don't.
Pricing
Start free. Upgrade when the gates you need go past the basics.
For the wifi password and the houseguest.
For the small team with real things to send.
For compliance teams and regulated workloads.
Pricing is finalised at launch. The Personal tier will stay free — everything that protects everyday secrets shouldn't be paywalled.
No. Content is encrypted with a key derived from your team's root secret, the link's unique id, and (optionally) your password. We never see those combined inputs and we cannot reconstruct them from the database alone. If we lost APP_KEY tomorrow, the bytes on disk would still be unreadable.
The content is gone. The password is part of the encryption key derivation; without it, no one — including us — can decrypt. That is the design, not a bug. Use a password manager.
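The key derivation described here and in the Philosophy section, worked through as an added example that is not the product's own code. HKDF-SHA256, scrypt (standing in for the bcrypt the page mentions) and the separate verifier and KDF salts are assumptions; they show one way a stored password hash can gate access without ever being enough to rebuild the key.

```python
import hashlib
import hmac
import os
from typing import Optional

def stretch(password: str, salt: bytes) -> bytes:
    # Memory-hard password stretch. scrypt is this example's choice.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def derive_content_key(team_root: bytes, secret_id: str,
                       pw_key: Optional[bytes] = None) -> bytes:
    # HKDF-SHA256 (RFC 5869), single 32-byte output block.
    salt = pw_key if pw_key is not None else bytes(32)
    prk = hmac.new(salt, team_root, hashlib.sha256).digest()       # extract
    mode = b"pw" if pw_key is not None else b"nopw"                # domain separation
    info = b"content-key|" + mode + b"|" + secret_id.encode()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()  # expand

def new_password_row(password: str) -> dict:
    # What the database stores: two independent salts and a verifier for the
    # password gate. The verifier is never fed into key derivation.
    row = {"kdf_salt": os.urandom(16), "verifier_salt": os.urandom(16)}
    row["verifier"] = stretch(password, row["verifier_salt"])
    return row

def check_password(row: dict, password: str) -> bool:
    return hmac.compare_digest(row["verifier"], stretch(password, row["verifier_salt"]))

def key_for(team_root: bytes, secret_id: str, row: dict, password: str) -> bytes:
    return derive_content_key(team_root, secret_id, stretch(password, row["kdf_salt"]))

if __name__ == "__main__":
    root = bytes(range(32))            # constructed sample team root
    row = new_password_row("correct horse")
    good = key_for(root, "sec_0001", row, "correct horse")
    print("same inputs, same key:", good == key_for(root, "sec_0001", row, "correct horse"))
    print("wrong password:", good == key_for(root, "sec_0001", row, "wrong"))
    print("database row only:", good == derive_content_key(bytes(32), "sec_0001", row["verifier"]))
```

Changing any one of the three inputs yields an unrelated key, which is why a lost password cannot be recovered from the stored row.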
Technically yes — a link is a URL, and URLs travel. But you can stack gates that defeat forwarding: single-use (link dies on first view), single-device (only the first browser fingerprint can ever open it), named recipients with email/SMS verification (the forwarder isn't in the recipient list), or face match (the forwarder isn't the right face).
Yes, on every secret access. They form part of the audit trail you can download as a signature certificate. They are retained for the period your plan specifies (30 days on Personal, 1 year on Team, configurable on Enterprise) and then purged.
In the EU region of AWS — Frankfurt by default. Sub-processors are listed in the privacy policy. We do not transfer personal data outside the EU/EEA without a valid legal basis (standard contractual clauses or equivalent).
They are evidence — in many jurisdictions they meet the bar for "simple electronic signatures" under eIDAS, FADP, or equivalent. We are not a Qualified Electronic Signature (QES) provider; if you need QES for a specific document, pair us with a specialist provider for that document.
Up to your plan's per-secret limit (configured at launch). Large media (videos, design files) work but very large files take longer to encrypt at upload time.
White-label / custom domain support is on the Enterprise tier. Talk to us if it's on your must-have list before you sign up.
Not yet at launch. The shape of an API depends on your use case — automated secret distribution looks very different from automated audit retrieval. If you have a use case in mind, tell us; the design is open.
Profile → Delete Account. We confirm with your password and your 2FA factor, then erase your data within 30 days. Audit-relevant data may persist longer where law requires it.
The first secret you send is free. Every secret after that is too.