Privacy Policy

Last updated: June 1, 2026

Jotary is a free, no-signup pastebin operated by Vividengine. We built it to collect as little about you as possible. There are no accounts, no advertising, and no third-party tracking. This page explains the little we do handle.

What we collect

• The content you submit. The text/code of each jot and its metadata (chosen syntax, size, timestamps, expiration, view limit, public/unlisted setting). This is the whole point of the Service — we store it so we can serve it back at its URL.
• Owner tokens and API keys. When you create a jot you receive a one-time owner token; you may also request an API key. We store only a hash of these secrets to verify edit/management requests — we don’t keep the secrets themselves. One narrow exception: if you send an Idempotency-Key when creating a jot, we cache that creation response (which includes the jot’s one-time owner token) for up to about 24 hours so a retried request returns the same result; the cached copy is then deleted.
• Passwords (only if you set one). If you password-protect a jot, your password is sent to us to set or check it; we store only a salted hash (PBKDF2), never the plaintext. Password protection is an access gate, not content encryption — the jot’s content itself is not encrypted at rest.
• IP address. We use your IP address transiently (in memory) to enforce rate limits, and it may appear in short-lived edge logs. If you request an API key, we store a one-way cryptographic hash of your IP — never the raw address — alongside that key to help prevent abuse. We don’t use your IP to build a profile of you.
• Abuse reports. If you report a jot, we receive the jot’s id, your stated reason, and any optional details you add, and we log the id and reason so we can act on abuse.
• Functional cookies only. We set two host-only cookies strictly to make features work: one holds your owner token so you can edit/delete your jot (it lasts up to the jot’s lifetime, or up to ~1 year for never-expiring jots), and one records that you unlocked a password-protected jot (about 24 hours). Both are HttpOnly, Secure, and SameSite=Lax. No advertising or analytics cookies.
• Email you send us. If you email our abuse, privacy, or copyright addresses, we receive your email address and whatever you include in your message.

What stays on your device

The jot “history” shown under My Jots lives only in your browser’s localStorage and is never sent to us. It can include each jot’s id, when you created it, and — for jots you created — that jot’s owner token, so note that a secret may be stored on your device. Your theme preference is stored the same way. Clearing your browser storage clears all of it; we have no copy.

What we don’t do

• We don’t require or ask for your name, email, or any account.
• We don’t sell, rent, or trade your data, and we don’t use it for advertising.
• We don’t serve ads or embed third-party trackers or analytics.

Retention

Jots live only as long as they’re meant to: they’re removed when they expire, when a view-limited jot is burned, or when their owner deletes them. The jot’s content is deleted at that point and is not recoverable. Limited metadata (and small “tombstone” records that mark a jot as gone or removed) may remain briefly and are cleared by routine maintenance; a consumed never-expiring keyed jot may keep a small tombstone until its owner deletes it. Operational logs are kept for a limited period for security and abuse prevention and are then discarded.

Sharing and disclosure

We don’t sell or trade your data. The Service runs on Cloudflare’s infrastructure, which processes and routes requests (and keeps its own limited logs) on our behalf so we can deliver and protect the Service, under Cloudflare’s policies. Beyond that, we may preserve, disclose, remove, or report content and data when we reasonably believe it is necessary to comply with the law or legal process, to enforce our Terms, to prevent fraud or abuse, or to protect the rights, safety, or security of our users, the public, or us.

Security

We hash owner tokens, API keys, and passwords, gate password-protected jots server-side, and serve everything over HTTPS. No service can be perfectly secure, though — please don’t put passwords, credentials, secrets, or sensitive or regulated information (for example health, financial, or government data) in a jot.

Children

The Service is not directed to children and is not intended for use by anyone under the age required by their local law to consent.

Changes

We may update this policy; changes take effect when posted here, and the “last updated” date will reflect the revision.

Contact

Questions about privacy? Email privacy@fast.io (note that emailing us shares your address and message with us). See also our Terms of Service.