Privacy Policy

Scope and operator

This Privacy Policy explains how pastebin.ca collects, uses, discloses, retains, and protects personal information. pastebin.ca is a free, web-based service for creating, sharing, viewing, and managing plain-text snippets called pastes. Plaintext, public, unlisted, end-to-end encrypted, and recipient-encrypted modes are supported, along with a CLI client and REST API.

The service is personally operated by slepp as a solo project. There is no corporate entity. The service runs on Cloudflare infrastructure.

This policy is intended to reflect the Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's Personal Information Protection Act (PIPA) where they apply to the service.

What the service collects

You can use the service anonymously. If you create an account, the service stores your chosen display name, handle slug, and authentication records.

Passkey accounts store passkey credential metadata required for WebAuthn authentication. GitHub OAuth accounts store the GitHub account identifier and email address if GitHub provides one. Email addresses are not displayed publicly.

The service processes IP addresses for abuse prevention and rate limiting. Rate-limit and abuse IP fingerprint hashes are retained for 30 days.

The service stores session records for authenticated use. Sessions expire after 30 days of inactivity.

Paste content

Paste content is stored as authored. Non-encrypted pastes are stored server-side as plaintext. Encrypted pastes are stored as ciphertext.

For end-to-end encrypted and recipient-encrypted pastes, the operator cannot decrypt the content because the server does not receive the decryption key.

Do not place information in a paste unless you have the right to store and share it under the chosen visibility and expiry settings.

Cookies and local storage

The service uses the HttpOnly SameSite=Lax session cookie `pbca_sess`, the locale cookie `pbca-locale`, the theme preference cookie `pbca-theme`, and bot-challenge cookies set by Cloudflare Turnstile.

The browser may store `pbca-auth-hint` for up to 7 days as an optimistic authentication hint. Per-tab draft autosave data is stored locally until the tab or site data is cleared. Drafts are not uploaded until you publish them.

Infrastructure and processors

Cloudflare provides Workers compute, D1 relational storage, R2 blob storage, KV cache, Turnstile bot challenges, and Cloudflare Web Analytics traffic counts.

The service does not use Google Analytics, advertising networks, or third-party trackers.

Use and disclosure

Personal information is used to provide the service, authenticate accounts, secure sessions, prevent abuse, enforce rate limits, respond to reports, and operate the infrastructure.

Public pastes are published to anyone who accesses them. Unlisted pastes are available to anyone with the URL. Encrypted pastes remain ciphertext to the service.

Information is disclosed to Cloudflare as necessary for hosting and security. Information is disclosed when required by Canadian law or valid legal process.

Retention

Anonymous pastes expire according to the user-selected TTL, from 10 minutes to 90 days, with a default of 1 week. Authenticated pastes expire according to the user-selected TTL or can be set to never expire.

Burn-after-read pastes are deleted immediately after the first read. Revoked pastes are immediately marked deleted, and the blob is purged within 24 hours by a cron sweep.

Users can delete authenticated pastes on request through the service controls. Abuse reports and moderation logs are retained for 1 year.

Session records expire after 30 days of inactivity. Rate-limit and abuse IP fingerprint hashes are retained for 30 days.

Abuse moderation

The service uses automated content checks, including simhash deduplication, CSAM URL pattern lists, and malware regular expressions. User reports can receive human review by the operator.

Banned content and account bans are logged. The operator removes content and bans accounts at the operator's sole discretion.

Encrypted pastes cannot be decrypted or content-moderated by the operator. Reporter-attested simhash can be used when a reporter submits a hash of cleartext they decrypted.

Privacy rights and requests

Subject to legal limits, you can request access to, correction of, or deletion of personal information associated with your account.

The operator verifies requests before acting on account information. Some records are retained where required for security, abuse prevention, legal compliance, or dispute handling.

Send privacy requests to privacy@pastebin.ca.

Security

The service uses Cloudflare infrastructure, HTTPS, HttpOnly session cookies, passkey support, and rate-limit controls to protect the service.

No Internet service can guarantee perfect security. Users should not publish secrets, credentials, private keys, or other sensitive information unless they understand the chosen encryption mode and sharing risk.

Children

pastebin.ca is not directed at children under 13. By using the service, you confirm you are 13 or older. Authenticated accounts require confirmation that you are 13 or older; users under the age of majority in their jurisdiction require parent or guardian consent.

Changes to this policy

Material changes are posted with an effective date. Continued use after the effective date means acceptance of the updated policy.

Contact

Privacy requests: privacy@pastebin.ca. Abuse and takedown reports: abuse@pastebin.ca.