Security at NopeNotes

At NopeNotes, security isn't an afterthought — it's the foundation. Our platform is designed from the ground up to minimize risk, eliminate long-term data storage, and protect users through simplicity and strong cryptography.

We believe in zero trust, end-to-end confidentiality, and giving users full control of their information.

How Your Note Stays Secure

When you create a note in NopeNotes, here's what happens under the hood:

  • 🔒 Local Encryption: Your message is encrypted in your browser before it ever touches our servers. We never see or store the plain text.
  • 🔑 Unique Link Generation: The encryption key is embedded in the URL fragment (the part after the #). Browsers do not include the fragment in the requests they send, so the key never reaches our servers.
  • 👁️ One-Time Access: Once someone opens the link, the note is flagged as viewed and is no longer accessible.
  • ⏰ Self-Destruction Timer: If not viewed within 7 days, the note is automatically deleted.
  • 🗑️ No Recovery: There are no backups. If a note is lost or deleted, it's unrecoverable — by design.

Encryption Details

We use AES-GCM 256-bit encryption — a standard trusted by banks, government agencies, and security professionals. Here's how it's applied:

  • AES-GCM provides both confidentiality and integrity — it encrypts the message and verifies that it hasn't been tampered with.
  • Key derivation is handled via the browser's crypto.subtle API, using secure random values for keys and initialization vectors (IVs).
  • No encryption key ever touches the server. All cryptographic operations are client-side.

Why Browser-Based Encryption Matters

Unlike most web apps, which receive and decrypt messages on the server, NopeNotes performs all encryption and decryption directly in your browser. This limits exposure and reduces what a server compromise or network interception can reveal.

Even if our infrastructure were breached, no attacker could access note contents — because we never had the keys.

No Logs. No Metadata. No Accounts.

We intentionally avoid collecting:

  • 📧 Email addresses
  • 🌐 IP addresses
  • ⏱️ Timestamps tied to user identities
  • 📊 Analytics trackers
  • 🍪 Persistent cookies

We log only the minimal, ephemeral data required to deliver and expire your note securely. There is no user profile, no historical data, and no centralized user database.

Threat Model: What NopeNotes Protects You From

NopeNotes is ideal for scenarios where you want to send short-lived, private messages without leaving a trail.

We protect against:

  • Interception by intermediaries (ISPs, proxies, compromised networks)
  • Server-side data leaks
  • Long-term storage of sensitive info
  • Mass surveillance and data aggregation

But we don't (and can't) protect against:

  • Compromised recipient devices
  • Users screenshotting or copying message content
  • Reused links if shared after viewing
  • Poor user security practices

Security Best Practices for Users

  • Treat the link like a password — it is the key.
  • Use private/incognito mode when viewing or sending highly sensitive data.

NopeNotes is secure by default, but smart habits multiply your protection.

Responsible Disclosure

If you discover a security issue with NopeNotes, we want to hear about it — responsibly.

Please email hi@nopenotes.com with detailed information. We aim to acknowledge and address serious vulnerabilities promptly.

Security FAQs

Can NopeNotes staff see my messages?

Nope! All notes are encrypted before they reach us, and we never see the content or the key.

What happens if someone intercepts the link?

If someone gets access to the link before it's viewed, they can read the note. That's why we recommend sharing links only through trusted channels.

Is this safer than sending something via email or SMS?

In many cases, yes. NopeNotes avoids storing messages on centralized servers and doesn't transmit data in plain text — unlike many legacy systems.

Can I see a NopeNote after seven days?

Nope! It's built for short-term, one-time messaging only.

What if I sent my NopeNote to the wrong person?

Just view the NopeNote yourself. If you're the first to read it, you'll also be the last to read it since reading a note automatically deletes the note from our database.

Your Privacy, Your Power

Security doesn't have to be complicated. With NopeNotes, you get a secure message delivery system that's simple, transparent, and privacy-respecting — without needing to understand cryptography or trust big tech.

This is security that works the way you do: quick, intentional, and gone when it's done.