Privacy Policy & Security Features
Last Updated: November 2025
1. Overview
eyeBlink is a privacy-first ephemeral communication platform designed to protect your data through automatic deletion and strong encryption. All content—notes, chat messages, and files—is stored temporarily with strict expiration times and automatically deleted when expired or when usage limits are reached. We never store your data permanently, and we never share it with third parties. Your privacy is our fundamental principle.
2. Data Collection and Use
2.1. What Data We Collect
- Content you create is voluntarily provided and may include text, files, or chat messages.
- We generate unique identifiers to manage session lifespans.
- We collect non-personal technical info (IP, browser, device) to ensure performance and security.
2.2. How We Use Your Data
- Transient Storage: Your content is stored temporarily and deleted based on set expiration.
- Functionality: We use your content solely to provide and manage our services.
- No Third-Party Sharing: We never sell or share your data with third parties.
3. Data Retention and Deletion
We leave no trace; unused data is automatically deleted:
Ephemeral Notes:
Notes are encrypted using AES-256-CBC and automatically deleted after their configured expiration time (default: 60 minutes, maximum: 3 days) or when the maximum view count is reached. You can set a custom maximum number of views (0 = unlimited) and expiration time up to 3 days.
Ephemeral Chat Rooms:
Chat rooms are end-to-end encrypted using AES-256-GCM with ECDH key exchange (prime256v1 curve). Rooms expire after their configured expiration time (default: 15 minutes, maximum: 3 days) and are immediately purged. Users can join multiple rooms simultaneously, and message history is available to all participants. Features include typing indicators, read receipts, message reactions, and user nicknames. All message data is automatically deleted upon expiration.
Ephemeral Files:
Files (images, documents, archives, media, code files - max 1GB) are encrypted using AES-256-CBC and stored temporarily in S3-compatible storage (DigitalOcean Spaces) for secure, scalable, multi-region access. Files are automatically deleted after their configured expiration time (default: 60 minutes, maximum: 3 days) or when the maximum download count is reached. You can set a custom maximum number of downloads (0 = unlimited) and expiration time up to 3 days.
4. Security Measures
4.3. Encryption at Rest
Note Encryption:
Ephemeral notes are encrypted using AES-256-CBC encryption before storage. Each note uses a unique initialization vector (IV) for enhanced security.
Chat Encryption:
Chat messages are end-to-end encrypted using AES-256-GCM. Room keys are exchanged using ECDH key exchange (prime256v1 curve), ensuring that only participants can decrypt messages.
File Encryption:
All uploaded files are encrypted using AES-256-CBC encryption before storage in S3-compatible storage (DigitalOcean Spaces). Each file uses a unique initialization vector (IV) for enhanced security. Files are automatically decrypted upon download.
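The chat scheme described above (ECDH on prime256v1, then AES-256-GCM), as an added Node.js example that is not eyeBlink's own code. Assumptions not stated on this page: two participants derive a pairwise key directly, HKDF-SHA-256 turns the shared secret into the AES key, and the room identifier (a constructed value) is bound as additional authenticated data.

```javascript
const nodeCrypto = require('node:crypto');

// Each participant creates an ephemeral prime256v1 (P-256) key pair.
function newParticipant() {
  const ecdh = nodeCrypto.createECDH('prime256v1');
  return { ecdh, publicKey: ecdh.generateKeys() };
}

// Assumption: HKDF-SHA-256 stretches the raw ECDH secret into a 256-bit key.
function deriveKey(self, peerPublicKey, roomId) {
  const secret = self.ecdh.computeSecret(peerPublicKey);
  const okm = nodeCrypto.hkdfSync('sha256', secret, Buffer.alloc(0), `room:${roomId}`, 32);
  return Buffer.from(okm);
}

// AES-256-GCM with a fresh 96-bit IV per message; roomId is authenticated as AAD.
function encryptMessage(key, plaintext, roomId) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(roomId));
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Throws if the ciphertext, IV, tag or roomId was altered.
function decryptMessage(key, msg, roomId) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAAD(Buffer.from(roomId));
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]).toString('utf8');
}

function demo() {
  const roomId = 'room-constructed-01'; // constructed sample value
  const alice = newParticipant();
  const bob = newParticipant();
  // Only public keys cross the wire; both sides compute the same AES key.
  const keyA = deriveKey(alice, bob.publicKey, roomId);
  const keyB = deriveKey(bob, alice.publicKey, roomId);
  const msg = encryptMessage(keyA, 'hello from room', roomId);
  const roundTrip = decryptMessage(keyB, msg, roomId);
  // Flip one ciphertext bit: GCM authentication must reject it.
  const tampered = { ...msg, ciphertext: Buffer.from(msg.ciphertext) };
  tampered.ciphertext[0] ^= 1;
  let tamperRejected = false;
  try { decryptMessage(keyB, tampered, roomId); } catch { tamperRejected = true; }
  return { keysMatch: keyA.equals(keyB), roundTrip, tamperRejected };
}
```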
4.1. Data Transmission Security
- HTTPS and SSL/TLS: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS protocols. This ensures that data in transit cannot be intercepted or modified by third parties.
4.2. Application Security
4.4. Ephemeral Storage and Deletion
- Secure Storage: Data is stored temporarily in Redis (with TLS support) or in-memory storage with strict time-to-live (TTL) values. Files are stored in S3-compatible storage (DigitalOcean Spaces) for multi-region access and scalability. All data is automatically deleted upon expiration or when manually removed.
- File Security: Uploaded files are encrypted using AES-256-CBC before storage in S3-compatible storage (DigitalOcean Spaces), which provides multi-region access and scalability, and are decrypted on-the-fly during download. They are automatically deleted after their configured expiration time or when the maximum download count is reached. You can set a custom maximum number of downloads (0 = unlimited).
- Automatic Cleanup: Expired data is automatically cleaned up via Redis TTL expiration or periodic cron jobs (every minute) for in-memory storage. This ensures no expired data persists in our systems.
4.5. Logging and Monitoring
- Winston Logging: We use Winston for secure logging of system events. Logs contain no sensitive user data, personal information, or encryption keys. Only system events, errors, and metadata are logged.
- Security Practices: We follow industry-standard security practices including regular code reviews, dependency updates, and security-focused implementation patterns.
5. User Rights and Data Control
No Registration Required:
No account is needed, minimizing personal data collection.
Full Control:
You decide the lifetime of your content.
Transparency:
Data is processed in real time and fully deleted after expiration.
6. Limitations and Disclaimer
7. Contact Us
For any questions about our privacy practices, contact us:
contact@eyeblink.fr
82 Allées Jean Jaurès, 31000, Toulouse-France.