Most tools that do this encrypt your secret and then keep the key next to it. We built ours so that we cannot read what you send, even if we wanted to, even if someone made us.
Your browser generates a random key and encrypts the secret with it. Only the locked result is sent to us. The plaintext never crosses the wire.
It goes in the part after the #, which browsers are not allowed to send to a server. It reaches your recipient without ever reaching us.
Once the last view is spent, the record is deleted. If nobody opens it, it expires on its own. Either way it does not sit in a thread forever.
That is the ordinary way to build this, and it works right up until somebody gets into the database, or a court asks the operator to hand something over. The operator can comply, because they can read it. We cannot.
One read by default. Raise it to ten when a whole team needs the same credential.
An hour, a day or a week. The clock runs whether or not anybody opens the link, so nothing lingers.
Tell the recipient what they are looking at. It is encrypted with the secret, so we cannot read it either.
Give the secret a private name only you can read. Encrypted with your password, in your browser, before it is sent.
Split the secret across two channels. Send the link by email and say the passphrase over the phone.
Burn it the moment you are done, from either end, instead of waiting for the timer to run out.
Nothing we can do. We do not have the key, so we cannot open your secret and we cannot email you a copy. Send a new one. That is a feature, not a gap.
No, and not by policy but by maths. The key never reaches our servers, so there is no button anyone here could press, and nothing useful to hand over if we were compelled to.
No. Opening the link only shows a holding page. The secret is not fetched until a human clicks reveal, so scanners and previewers cannot spend the view for you.
Yes, and that is deliberate. Security here comes from the key, not from hiding how the lock is built. Any system that depends on you not reading its source is already broken.