Privacy Policy

Scope and operator

This Privacy Policy explains how pastebin.ca collects, uses, discloses, retains, and protects information. pastebin.ca is a free, web-based service for creating, sharing, viewing, and managing plain-text snippets called pastes. Public, unlisted, encrypted (end-to-end and recipient-addressed), expiring, and burn-after-reading modes are supported, along with a CLI client and a REST/MCP API.

The service is personally operated by slepp as a solo project from Alberta, Canada. There is no corporate entity behind it. Production infrastructure runs on Cloudflare.

If you do not agree with how the service handles information as described here, do not use the service.

Public means public

Public pastes are public. They may be viewed, copied, indexed by search engines, downloaded, cached, archived, embedded, or redistributed by third parties. Deleting, revoking, expiring, or moderating a paste on pastebin.ca does not remove copies that may already exist elsewhere.

Public pastes are also available through alternate representations of the same paste resource, including the canonical view page, the raw body endpoint, the JSON/API endpoint, and download or embed variants where supported. All representations expose the same content.

Once a public paste leaves the service, the operator has no ability to retrieve, recall, or compel deletion of copies held by third parties.

Unlisted is not private

Unlisted paste URLs are bearer links. Anyone with the complete URL can access the paste unless it has expired, been revoked, been removed, or requires client-side decryption.

Unlisted pastes are not intentionally listed in public feeds, but the service cannot prevent recipients, crawlers, logs, browser history, browser extensions, intermediate proxies, or third parties from storing or sharing a URL once it has been disclosed.

Encrypted pastes

For non-encrypted pastes, content is stored server-side as plaintext. For end-to-end and recipient-addressed encrypted pastes, the service stores ciphertext and does not receive the decryption key — keys live in the URL fragment (after the `#`) or in the recipient's key material and are never sent to the server.

The service may still process and retain metadata for encrypted pastes — including the paste ID, creation time, syntax hint, visibility mode, expiry setting, version/root lineage, owner/account association where applicable, report and moderation metadata, and access-related metadata such as request counts.

Encrypted content cannot generally be inspected by the operator, but encrypted paste metadata, access patterns, abuse reports, reporter-provided plaintext or hashes, and legal notices may be used for moderation, security, and enforcement.

Do not paste secrets or sensitive data

Do not publish passwords, API keys, private keys, access tokens, session cookies, personal information, health information, financial records, credential dumps, private logs, confidential source code, or other sensitive material unless you have the right to do so and you understand the selected visibility and encryption mode. Once published, content may have been read, copied, or cached by others before you can revoke or delete it.

What the service collects

You can use the service anonymously. If you create an account, the service stores your chosen display name, handle slug, and authentication records.

Passkey accounts store the passkey credential metadata required for WebAuthn authentication. GitHub OAuth accounts store the GitHub account identifier and the email address GitHub provides, if any. Email addresses are not displayed publicly.

The service processes IP addresses for abuse prevention, rate limiting, security logging, and infrastructure operation. Rate-limit and abuse IP fingerprint hashes are retained for 30 days.

Session records are stored for authenticated use and expire after 30 days of inactivity. API keys you create are stored as salted hashes; the plaintext key is shown only once when issued.

Cookies and local storage

The service uses the HttpOnly SameSite=Lax session cookie `pbca_sess`, the locale cookie `pbca-locale`, the theme preference cookie `pbca-theme`, and bot-challenge cookies set by Cloudflare Turnstile.

The browser may store `pbca-auth-hint` for up to 7 days as an optimistic authentication hint. Per-tab draft autosave data is stored locally until the tab or site data is cleared. Drafts are not uploaded until you publish them.

Infrastructure and processors

Cloudflare provides Workers compute, D1 relational storage, R2 blob storage, KV cache, Turnstile bot challenges, and Cloudflare Web Analytics traffic counts. Requests routed through Cloudflare are subject to Cloudflare's processing for delivery, security, and abuse handling.

The service does not use Google Analytics, advertising networks, or third-party trackers.

Use and disclosure

Personal information is used to provide the service, authenticate accounts, secure sessions, prevent abuse, enforce rate limits, respond to reports, operate and debug the infrastructure, and enforce the Terms of Use.

Public pastes are published to anyone who accesses them. Unlisted pastes are available to anyone who holds the URL. Encrypted paste content remains ciphertext to the service; encrypted paste metadata is processed as described above.

Information is disclosed to Cloudflare as necessary for hosting, delivery, and security. Other disclosures are described in the legal disclosure section below.

Retention, deletion, expiry, and caches

Anonymous pastes expire according to the user-selected TTL, from 10 minutes to 90 days, with a default of 1 week. Authenticated pastes expire according to the user-selected TTL or can be set to never expire. Burn-after-reading pastes are removed from active service access after the first successful read.

Revoked or deleted pastes are immediately marked as removed in active service storage and return 410 Gone or 404 to viewers. The underlying blob is purged within 24 hours by a cleanup sweep when its reference count reaches zero.

Expired, revoked, deleted, or moderated pastes are removed from active service access on the stated schedule. Residual copies may persist briefly in caches, logs, backups, infrastructure-level recovery systems, or third-party systems (including search engine caches, archive services, and copies made by viewers) before aging out. The service cannot guarantee that every copy of a public or unlisted paste is removed from every system everywhere.

Accounts and deletion requests

You may request access to, correction of, or deletion of personal information associated with your account. Requests are verified before they are acted on. Some records are retained where required for security, abuse prevention, legal compliance, or dispute handling.

When an account is deleted, the operator removes or disables the account record and authentication credentials. Pastes created under that account may be deleted, anonymized, revoked, expired, or retained depending on the product setting in effect, abuse or legal obligations, and the user's request. Pastes that have been made public may continue to be reachable through third-party caches and copies as described above.

Send privacy and deletion requests to privacy@pastebin.ca.

Abuse moderation

The service uses a mix of automated content checks (including simhash near-duplicate detection, URL pattern lists, and pattern-based secret and malware scans), user reports, and operator review. Review is not exhaustive, real-time, or guaranteed.

Banned content, removed pastes, account bans, and report dispositions are logged for enforcement, abuse prevention, and accountability. The operator may remove, restrict, expire, revoke, quarantine, rate-limit, block, or report content, accounts, or API keys at the operator's sole discretion.

Encrypted paste content cannot generally be decrypted by the operator. Moderation of encrypted pastes may rely on reporter-attested plaintext, reporter-attested simhash, metadata, access patterns, legal notices, or other abuse signals.

Your privacy rights

Subject to legal limits, you may request access to, correction of, or deletion of personal information the service holds about you. Reasonable verification is required before the operator acts on a request.

Public pastes you have authored remain subject to the public-means-public reality described above; a deletion request can remove the paste from active service access but cannot retrieve third-party copies.

Send privacy requests to privacy@pastebin.ca. Abuse and takedown reports go to abuse@pastebin.ca or via the in-product report button on each paste.

Legal process and emergency disclosure

The operator may preserve or disclose information when required by valid legal process, or when the operator reasonably believes disclosure is necessary to prevent imminent harm, investigate abuse, protect users, protect the service, enforce the Terms of Use, or comply with applicable law.

Legal process is generally evaluated under Canadian law. Law enforcement and legal contact information is on the abuse page.

Security

The service uses HTTPS, HttpOnly session cookies, passkey-based authentication, rate-limit controls, and Cloudflare infrastructure protections.

No Internet service can guarantee perfect security. You are responsible for safeguarding your account credentials, passkeys, API keys, and any encryption keys you choose to share out of band.

Privacy law posture

The service is operated from Alberta, Canada, and is intended to follow Canadian privacy principles — including limiting collection, limiting retention, safeguarding information, and providing access, correction, and deletion mechanisms where applicable. The operator has not obtained or claimed any third-party privacy compliance certification.

Children

pastebin.ca is not directed at children under 13. By using the service, you confirm you are 13 or older. If you are under the age of majority in your jurisdiction, a parent or guardian must consent to your use of the service.

Changes to this policy

Material changes are posted with an effective date. Continued use after the effective date means acceptance of the updated policy.

Contact

Privacy requests: privacy@pastebin.ca. Abuse and takedown reports: abuse@pastebin.ca. See the abuse page for reporting guidance, copyright notices, and law enforcement requests.