Privacy

Draft — last updated 2026-05-12.

pste is built to know as little about you as possible. This page describes exactly what we store, why, and for how long.

What we store about a paste

  • The content you submit, as bytes.
  • A short ID, the byte size, creation time, expiry, language label, and burn-after-read flag.
  • A SHA-256 hash of the content (non-E2E pastes only) — used solely for the abuse blocklist.
  • A random delete token shown to you once at creation.

End-to-end encrypted pastes

When you toggle private (E2E) mode, your browser generates a key, encrypts the content with AES-GCM, and uploads the ciphertext. The key is placed in the URL fragment (after #), which browsers never send to the server. We store ciphertext only; we cannot read your paste. Deleting an E2E paste removes our copy. We cannot recall copies others have already viewed.

What we store about you

  • Your IP address is used in-memory for rate-limiting paste creation, burn-after-read claims, abuse reports, and admin login attempts. It is also recorded on abuse reports so we can investigate patterns. We do not keep general access logs of IPs that read pastes.
  • Standard request logs (timestamp, path, status code) may be kept for short periods for operational debugging. These do not contain paste contents.
  • We do not run analytics on paste content.
  • We do not embed third-party trackers, fingerprinters, or ad networks.

Cookies

The public site sets no cookies. The /admin review interface sets one strictly necessary session cookie after the operator signs in with a shared secret. No tracking cookies exist anywhere.

Retention

  • Pastes are deleted on or before their stated expiry. Anonymous expiry maxes out at 30 days.
  • Burn-after-read pastes are destroyed the moment they're viewed.
  • Abuse reports are retained while their associated paste is under review, then archived.
  • Content-hash blocklist entries are retained indefinitely.

Third parties

pste runs on a single VPS we operate. We do not share paste content with third parties. We will respond to lawful legal process, but for E2E pastes there is nothing readable to hand over.

Your rights

If you are in the EU, you have rights under the GDPR (access, deletion, complaint). For pastes you created anonymously the most reliable way to exercise the right to deletion is to use the delete token shown at creation. For anything else, contact privacy@pste.dev.

Contact

Operator: see the about page. Privacy questions: privacy@pste.dev.