Home | Security | File Encryption | Browser Extensions | FAQ's | Privacy | About Us

Privacy & Terms — OneTimeMessage.com

Effective: March 2024 · This page explains how we handle privacy and the terms under which you use the service.

Privacy Policy (Zero-Tracking, Zero-Log)

No personal data collection. We don’t collect names, emails, phone numbers, or any persistent identifiers.

No IP storage or fingerprinting. We don’t retain IP addresses or use browser fingerprinting for analytics or tracking.

No long-term tracking. We don’t use third-party analytics beacons, retargeting pixels, or cross-site tracking.

Minimal operational metrics only. We keep aggregate counters (e.g., messages/files processed, success/error counts) to keep the site healthy. And yes, we log “no errors ever”… until an error happens—then we fix it fast.

No message contents retained after use. Message links are designed to be single-use. When a message is viewed, it’s deleted.

Cookies. If set at all, they’re strictly necessary (e.g., CSRF/session defense). No tracking cookies.

Encryption first. Messages/files are encrypted at rest and in transit. Only the one-time URL and (optional) user password can decrypt them.

Ultra Encrypt (client-side). An optional layer that encrypts in your browser before upload, using your password. We never see the plaintext.

Children’s privacy. The service is for adults. Do not use if you are under the age of digital consent in your region.

Security Notes

Double encryption. We apply strong server-side encryption. With Ultra Encrypt enabled, your browser also does AES-256-GCM before upload.

Password-protected content. If you add a password, only someone with both the unique one-time URL and the password can decrypt.

IP Lock (optional). You can bind a message to a recipient IP. Only requests from that IP will succeed—ideal for targeted sharing.

Key handling. Decryption needs the unique URL token; when a message is already viewed/expired, the ciphertext is removed.

What We Log (Briefly)

  • Aggregate counts: messages and files processed, totals by day/week/month.
  • Operational errors: short-lived logs for diagnosing incidents (we joke that we never have any—but if we do, we fix them).
  • No content analytics: we don’t profile or mine your data.

Terms of Service

Use at your own risk. The service is provided “as is” and “as available,” without warranties of any kind (express or implied).

No warranty of fitness. We make no guarantees that the service meets your requirements or is error-free, uninterrupted, or secure against every threat.

Acceptable use. Don’t use OneTimeMessage.com for illegal content, abuse, malware distribution, or anything that violates applicable law.

Availability. We may change, suspend, or discontinue parts of the service without notice. We try hard to keep it humming.

Encryption caveats. If you forget your password or lose the unique URL, we can’t help you recover content. That’s by design.

No liability. To the maximum extent permitted by law, OneTimeMessage.com is not liable for any indirect, incidental, or consequential damages.

Indemnification. You agree to hold us harmless from claims arising from your use of the service or your violation of these terms.

Changes to terms. We may update these terms. Continued use means you accept the latest version (we keep this page current).

Governing law. These terms are governed by applicable law in our jurisdiction; venue and forum provisions apply accordingly.

Ultra Encrypt & One-Time Links

Ultra Encrypt (client-side AES-256-GCM). Your message/file is encrypted in your browser using your password before it reaches our servers. We only store ciphertext.

One-time URL. Each message gets a unique, unguessable URL token. When it’s viewed, the ciphertext is deleted—link reuse fails.

Password secrecy. We never know your password; without it, ciphertext is useless to us or anyone else—even with server access.

OTM Secure Message — Browser Extension Privacy Policy

Last updated: August 21, 2025

This Privacy Policy explains how the OTM Secure Message browser extension (“the Extension”) handles your data, this policy covers:

  • Google Chrome Extension
  • Microsoft Edge Extension
  • Mozilla Firefox Extension
  • Opera Extension

    • It is designed to help you create a one-time, self-destructing share link for a short message (and optionally the current page URL) with optional password protection. This notice covers only the Extension. For our website’s full privacy & terms, please see OneTimeMessage.com Privacy & Terms .

    Summary

    • No tracking: The Extension does not track you or profile your browsing.
    • No third-party analytics: We do not use third-party trackers or analytics in the Extension.
    • User-initiated only: Data leaves your browser only when you press “Generate Secure Message.”
    • Encryption: Messages are protected using our server-side process (AES-256-GCM) and optional user password.

    What the Extension Does

    When you click “Generate Secure Message,” the Extension:

    1. Optionally reads the current tab’s URL (only if you choose “Share URL”).
    2. Sends your typed message (max 1,000 characters), optional password, and optional URL via HTTPS to our API at browser.onetimemessage.com.
    3. Receives a one-time share URL (JSON) and displays it for you to copy.

    Data the Extension Processes

    • Message text: Up to 1,000 characters that you type.
    • Optional password: Only if you choose to set one for extra protection.
    • Optional page URL: Only if you leave “Share URL” checked; otherwise it is not sent.

    These items are transmitted only when you explicitly submit. Outside of submission, the Extension does not send data anywhere.

    What the Extension Does Not Collect

    • No background browsing history.
    • No keystroke logging or form scraping.
    • No third-party analytics beacons.
    • No selling or sharing of personal data.

    Clipboard Use

    If you click “Copy,” the Extension places the one-time share link (or decrypted text, when applicable) onto your clipboard so you can paste it elsewhere. We do not read your clipboard contents.

    Permissions

    • activeTab — lets you include the current page URL only when you choose “Share URL.”
    • clipboardWrite — lets you copy the generated link (or decrypted text) to your clipboard when you press “Copy.”
    • host permissions — limited to our domain(s) so the Extension can call our API over HTTPS.

    Where Your Data Goes

    On submission, the Extension makes a single HTTPS POST to our API (e.g., https://browser.onetimemessage.com/api/msg_encrypt_ext.php). We return a one-time share URL. The Extension does not execute any remote code; it only receives JSON data.

    Security

    • All communication with our API uses HTTPS.
    • Our standard cipher is AES-256-GCM (AEAD) on the server.
    • If you set a password, decryption requires that same password and is not feasible without it.
    • The Extension includes a static header key to gate legitimate extension traffic on our server.

    Retention

    The Extension does not persist your message, password, or URLs to browser storage by default. Data lives in memory while the popup is open. On the server side, your encrypted message is stored only long enough to enable the one-time access workflow (self-destructing link model). We may keep minimal, non-identifying operational counters for reliability and abuse prevention (e.g., count of messages processed per interval). We do not use these for tracking individuals.

    Children

    The Extension is not directed to children under 13 and should not be used by them.

    Changes to This Policy

    We may update this notice from time to time. Material changes will be reflected by updating the “Last updated” date and publishing the revised text. Continued use after changes constitutes acceptance.

    Contact

    Questions? Visit OneTimeMessage.com and use the contact information provided there, or refer to our Privacy & Terms .