Privacy Policy

Core privacy principles

The Secret Shards website was designed with privacy at its core. Unlike most web services these days, it keeps your personal data completely private.

100% Local Processing

All data is processed entirely within your browser. Nothing about your secrets is ever transmitted to any servers.

No personal data collection

The website does not collect or transmit any personal data or any other tracking data. Your secrets remain entirely under your control at all times.

Browser Extension Warning

Be cautious when using browser extensions (password managers, form fillers, translation tools, etc.) as they may have access to read data from text fields and could potentially leak your secrets. For maximum security, consider using a private/incognito window and disabling extensions when working with sensitive data.

How is the data encrypted?

Plain-language explanation

Shamir's Secret Sharing secures your data by splitting it into multiple parts, or "shares". Unlike a puzzle piece, which shows part of the picture, a single share reveals nothing about your secret.

To restore the secret, you need a specific number of shares (the threshold). Any group of shares that meets this threshold can unlock the secret; anything less cannot.

Handling large files & integrity:
Pure Shamir's Secret Sharing has two limitations: each share is as large as the original data, and it cannot detect whether a share has been tampered with. To address both, this tool uses a hybrid approach:

  • Your data is encrypted with a unique, random 256-bit key (AES-GCM) generated locally in your browser. This adds data integrity: if any share is modified, the reconstructed key is wrong, the GCM authentication tag does not verify, and decryption is rejected rather than producing a corrupted secret.
  • Only that key is then split into shares using Shamir's algorithm. The shares are therefore the size of the key rather than of the data, which also makes it practical to protect larger files with this tool.

Important disclaimer: This website was built by a hobbyist for personal use and is not a professional service created by cryptographic experts. It is provided "as is" without any warranties, express or implied. Use it at your own risk and ensure it meets your security requirements.

Technical specifics

  • Key generation and encryption of the data are handled via the Web Crypto API.
  • Key splitting is performed using Shamir’s Secret Sharing (GF(2^8)) via the shamir-secret-sharing library.
  • The Shamir implementation in the library is independently audited, with reports available from Cure53 and Zellic.

Scanner Mode

The Scanner Mode is a special feature designed for treasure hunts and physical scavenger games. Using your device's camera, you can scan QR codes placed at different locations to collect secret shares. Once you've gathered enough shares from various physical spots, the original secret can be reconstructed and revealed.

Local storage only

The Geocache Scanner feature uses your browser's local storage to persist scanned shares and data chunks across browser sessions. This allows you to:

  • Close your browser and return later without losing progress
  • Move between physical locations while collecting secret shares
  • Keep your scanned data until you explicitly clear it

Important: All data remains on your device. Nothing is transmitted to any server. Clearing your browser data or starting a new session will delete stored geocache sessions.

Legal Requirements

1. General information and mandatory information

Data Controller Information

Address:
Paul-Vincent Roll
Gürtelstraße 13
13088 Berlin
Germany

The responsible party is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data.

2. Data collection

2.1. Server log files

When you access the website, certain technical data is automatically collected and stored in server log files. This helps ensure the security, stability and proper functioning of the service.

These log files include:
  • IP address of the device making the request
  • Host name of the requesting device
  • Timestamp and duration of the request
  • Request line indicating the requested resource
  • HTTP status code returned by the server
  • Amount of data transmitted during the request
  • User agent string (including browser type and version, operating system)
  • Referrer URL (the webpage that linked to the resource)

This data may also be used to detect and prevent malicious activity, such as abuse or unauthorized access attempts, including implementing rate limiting on IP addresses to protect the service from overload or attacks.

The processing of this data is based on Article 6(1)(f) GDPR (legitimate interests), aimed at ensuring service security, stability, and abuse prevention.

Log files are retained for a maximum of fourteen (14) days and are not linked with any other personal data.

3. Data Processing by Third-Party Providers

phasedrei

This website uses phasedrei, Richard-Wagner-Ring 2E, 67227 Frankenthal (Pfalz) as the hosting provider.

The collected data mentioned in Section 2 is processed and stored on servers operated by phasedrei.

A data processing agreement is in place with phasedrei, ensuring full compliance with the strict requirements of German data protection authorities.

The privacy policy of phasedrei can be found at: https://phasedrei.de/datenschutz/

The use of phasedrei is based on a legitimate interest (Art. 6 (1)(f) GDPR) in ensuring the secure and reliable hosting of this service.