Gnomit is a burn-after-read secret link tool operated by Gnomad Studio. This policy explains what data passes through our servers and what never does.
1. Zero-Knowledge Design
- Your secret is encrypted in your browser with AES-256-GCM before any network request.
- The decryption key lives only in the URL fragment (#) — browsers do not send fragments to the server.
- We store only ciphertext and an IV in Redis; we cannot decrypt your message.
- After one successful read, the ciphertext is deleted (burn-after-read). Unread secrets expire after 24 hours.
2. Data We Temporarily Process
- Encrypted payload (base64 ciphertext + 12-byte IV) — stored in Redis with a random UUID.
- Client IP address — used only for rate limiting and abuse prevention; not sold or profiled.
- Request timestamps — minimal operational logging; no plaintext secrets are logged.
3. Data We Do Not Collect
- No user accounts or email addresses required to create a link.
- No analytics or advertising trackers in the Gnomit web app.
- No sale of personal data.
4. Third Parties
When you self-host or use a Gnomad-operated instance, traffic is served over HTTPS. If you use a cloud LLM or paste service elsewhere, that is separate from Gnomit.
5. Your Responsibilities
- Anyone with the full link (including #key) can decrypt until burn or expiry.
- Links in browser history, screenshots, or chat logs can expose secrets.
- Gnomit cannot recover a lost decryption key.
Contact Us
If you have any questions about this privacy policy, please contact us at:
- Email: support@gnomadstudio.org
- Website: https://gnomadstudio.org