VoidNote

Don't trust us. Verify.

You're about to paste a secret into a website you found on the internet. You should be suspicious. Here's how to prove — not believe, prove — that VoidNote cannot read your data.

1. The 30-second proof (do this right now)

Open your browser's developer tools. Go to the Network tab. Create a note with the text "test secret". Watch every request that leaves your browser.

You will see a POST to /api/v1/note. Click it. Look at the request body. You'll find a field called ciphertext — a blob of random-looking bytes. You will not find the words "test secret" anywhere. Not in the request body, not in the headers, not in cookies, not in query parameters.

// What your browser sends to our server:
{
  "ciphertext": "a4f8c2e1...b7d903fa",
  "iv": "3c9a1f..."
}

// What your browser keeps (in the URL fragment):
https://voidnote.net/n/abc123#e5f6a7b8...
// ↑ Everything after # never leaves your browser. Ever.

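This isn't a setting we can toggle. It's how URLs and HTTP work: the browser strips the fragment before it makes any network request (RFC 3986 §3.5), and this has been the standard since 2005. The fragment remains readable by JavaScript running on the page, which is why the check above has you watch what the page actually sends.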

2. The cryptography — three lines

secret     = 16 random bytes     ← generated in your browser, never sent
key        = SHA-256(secret)     ← derived in your browser
ciphertext = AES-256-GCM(your_secret, key, random_iv)

Server receives: ciphertext + iv
Server never receives: secret, key, or plaintext

AES-256-GCM is the same encryption standard used by governments, banks, and military systems worldwide. Without the key, the ciphertext is computationally indistinguishable from random noise. There is no backdoor. There is no master key. We didn't invent this — we're using a standard that has been publicly analysed by thousands of cryptographers for over two decades.

If AES-256 had a weakness, the problem would be vastly larger than VoidNote. Every bank, every government, every VPN, and every encrypted messaging app on earth would be compromised.
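
The three-line scheme above as runnable JavaScript on the Web Crypto API, added here as an illustration; it is not VoidNote's SDK code. The hex encoding, the 12-byte IV and the function names are assumptions, and the URL is the page's sample link.

```javascript
// Added example (not VoidNote's SDK code): the scheme above via the Web Crypto API.
// Assumptions: hex encoding, a 12-byte IV, and the page's sample URL as `base`.
const hex = (bytes) => Array.from(new Uint8Array(bytes), (b) => b.toString(16).padStart(2, "0")).join("");
const unhex = (s) => Uint8Array.from(s.match(/../g) || [], (h) => parseInt(h, 16));

async function webCrypto() {
  // Browsers and recent Node expose globalThis.crypto; older Node needs the import.
  return globalThis.crypto ?? (await import("node:crypto")).webcrypto;
}

async function deriveKey(c, secret) {
  // key = SHA-256(secret): 256 bits long, but its entropy is that of the 16-byte secret.
  const digest = await c.subtle.digest("SHA-256", secret);
  return c.subtle.importKey("raw", digest, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
}

async function createNote(plaintext, base = "https://voidnote.net/n/abc123") {
  const c = await webCrypto();
  const secret = c.getRandomValues(new Uint8Array(16)); // stays in the fragment
  const iv = c.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(c, secret);
  const data = new TextEncoder().encode(plaintext);
  const ct = await c.subtle.encrypt({ name: "AES-GCM", iv }, key, data);
  // `body` is everything the server would receive; `link` is what the sender shares.
  return { body: JSON.stringify({ ciphertext: hex(ct), iv: hex(iv) }), link: `${base}#${hex(secret)}` };
}

async function openNote(link, body) {
  const c = await webCrypto();
  const { ciphertext, iv } = JSON.parse(body);
  const key = await deriveKey(c, unhex(new URL(link).hash.slice(1)));
  // GCM authenticates as well as encrypts: a modified ciphertext or wrong key throws.
  const pt = await c.subtle.decrypt({ name: "AES-GCM", iv: unhex(iv) }, key, unhex(ciphertext));
  return new TextDecoder().decode(pt);
}

// The part of the link that goes into an HTTP request line: path and query only.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

createNote("test secret").then(async ({ body, link }) => {
  console.log("sent to server:", body);
  console.log("request target:", requestTarget(link));
  console.log("decrypted from link:", await openNote(link, body));
});
```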

3. Read the source code

Every SDK is open source. The encryption logic is short and readable — no obfuscation, no magic.

| Language | Crypto file | Lines |
|---|---|---|
| TypeScript | src/crypto.ts | ~60 |
| Python | voidnote/crypto.py | ~50 |
| Go | crypto.go | ~45 |
| Rust | src/crypto.rs | ~55 |
| Zig | src/crypto.zig | ~40 |
| Java | CryptoEngine.java | ~65 |

If you can read code at all, you can verify the entire encryption flow in under five minutes. There is no server component to the encryption — it happens entirely in the client before any network request is made.

4. What we store vs. what we don't

| Data | Stored? | Why |
|---|---|---|
| Your plaintext secret | Never | Never leaves your device |
| Encryption key | Never | Derived client-side, lives only in URL fragment |
| Ciphertext + IV | Yes | Useless without the key (which we don't have) |
| Token ID (lookup key) | Yes | So we can retrieve the right ciphertext |
| View count / expiry | Yes | To enforce self-destruction rules |
| Your IP address | No | Not logged, not stored |
| Analytics / tracking scripts | None | No Google Analytics, no pixels, no tracking |

If our entire database were leaked tomorrow, the attacker would have a collection of random-looking byte blobs and token IDs. No secrets, no keys, no way to decrypt anything.

5. What happens if we get hacked

Let's say the worst happens. Someone gets full access to our Cloudflare D1 database, our KV store, and our R2 bucket. Here's what they find:

-- notes table
token_id:        "a1b2c3d4e5f6..."
ciphertext:      "7f3a9c...82d1e0"   ← random bytes, no key
iv:              "3c9a1f2b..."
views_remaining: 1
expires_at:      2026-03-03T10:00:00Z

-- That's it. No plaintext. No key. No user content.
-- The attacker has exactly nothing useful.

Contrast this with most "secure" messaging services: if their database leaks, every message is readable because the server held the keys. With VoidNote, a breach is a non-event for your data.

A subpoena produces the same result: ciphertext and metadata. We cannot comply with a request to produce plaintext because we do not have the capability to decrypt it.

6. We are a registered company, not an anonymous website

VoidNote is built and operated by Quantum Encoding Europe Limited, a company registered in Ireland (Company No. 807205), with a registered office at The Black Church, St. Mary's Place, Dublin, D07 P4AX.

We're a real company with real filings, subject to Irish and EU law including GDPR. Our corporate registration is publicly verifiable with the Irish Companies Registration Office.

We also maintain Quantum Encoding Ltd in the United Kingdom. Both entities are legitimate, tax-filing businesses — not a throwaway domain with a contact form.

7. Our business model is subscriptions, not your data

When a product is free, you're usually the product. VoidNote has a free tier (credit-based), but the business runs on paid subscriptions: Void Pro at $10/month and Void Unlimited at $20/month.

We also sell credit bundles for pay-as-you-go usage. Payments are made by card through Stripe or directly in crypto (USDT, USDC, ETH, BTC, TRX). We don't handle card numbers ourselves.

We have zero incentive to harvest secrets. We can't read them anyway — but even if we could, selling subscriptions is a better business than trying to monetise fragments of other people's passwords. The incentive structure and the cryptography both point in the same direction.

8. No tracking, no analytics, no fingerprinting

View the page source. There is no Google Analytics. No Facebook Pixel. No Hotjar. No Mixpanel. No tracking scripts of any kind. We don't fingerprint your browser. We don't set third-party cookies.

Our website scores an A+ carbon rating (cleaner than 97% of the web) partly because we don't load the dozens of third-party tracking scripts that most sites do.

You can verify this yourself: open DevTools → Network tab → reload the page → filter by third-party domains. You'll find nothing phoning home.
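
The manual DevTools checks in sections 1 and 8 can be scripted against a HAR file exported from the Network tab. This is an added Node.js example, not VoidNote code; the function names, the `metrics.example` host and both sample HARs are constructed for illustration.

```javascript
// Added example: audit a DevTools HAR export for a marker string and third-party hosts.
// Forms a leaked marker could take on the wire (all compared case-insensitively).
function markerForms(marker) {
  const buf = Buffer.from(marker, "utf8");
  const forms = [marker, encodeURIComponent(marker), marker.replace(/ /g, "+"),
    buf.toString("base64"), buf.toString("hex")];
  return [...new Set(forms.map((f) => f.toLowerCase()))];
}

function auditHar(har, marker, firstPartyHost) {
  const forms = markerForms(marker);
  const leaks = [];
  const thirdParty = new Set();
  for (const { request: r } of har.log.entries) {
    const host = new URL(r.url).hostname;
    if (host !== firstPartyHost && !host.endsWith("." + firstPartyHost)) thirdParty.add(host);
    const parts = {
      url: r.url,
      headers: (r.headers || []).map((h) => `${h.name}: ${h.value}`).join("\n"),
      cookies: (r.cookies || []).map((c) => `${c.name}=${c.value}`).join("; "),
      body: (r.postData && r.postData.text) || "",
    };
    for (const [where, text] of Object.entries(parts)) {
      if (forms.some((f) => text.toLowerCase().includes(f))) leaks.push({ host, where });
    }
  }
  return { leaks, thirdParty: [...thirdParty].sort() };
}

// Constructed HAR fragments (not captured traffic). `leaky` adds a hypothetical
// request to a made-up host that carries the marker base64-encoded in its query.
function sampleHar(marker, leaky) {
  const entries = [{ request: {
    method: "POST", url: "https://voidnote.net/api/v1/note",
    headers: [{ name: "content-type", value: "application/json" }], cookies: [],
    postData: { mimeType: "application/json",
      text: JSON.stringify({ ciphertext: "0f1e2d3c", iv: "a1b2c3" }) },
  } }];
  if (leaky) entries.push({ request: {
    method: "GET", headers: [], cookies: [],
    url: "https://metrics.example/c?d=" + Buffer.from(marker).toString("base64"),
  } });
  return { log: { entries } };
}

console.log(auditHar(sampleHar("test secret", false), "test secret", "voidnote.net"));
console.log(auditHar(sampleHar("test secret", true), "test secret", "voidnote.net"));
```

To run it on real traffic, save the Network tab as a HAR file, `JSON.parse` it, and pass the result to `auditHar` with the marker text you typed into the note.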

9. Infrastructure you can audit

VoidNote runs entirely on Cloudflare's infrastructure — Workers for compute, D1 for the database, KV for sessions and rate limiting, R2 for vault storage. There's no hidden server in a cupboard.

Cloudflare Workers execute in a sandboxed V8 isolate with no persistent filesystem. The worker processes encrypted blobs — it receives ciphertext, stores ciphertext, returns ciphertext. At no point in the server-side code is there a decryption function, because there is no key available to decrypt with.

The domain is protected by Cloudflare's DDoS protection, and all connections use TLS 1.3. DNS is managed through Cloudflare with DNSSEC enabled.

10. Still not convinced? Use the SDK directly.

If you don't trust the website at all, don't use it. Use the SDK or CLI instead. The encryption happens in your code, on your machine. You can read every line of the SDK before you run it. The server only ever sees the ciphertext that your local code produces.

# Encrypt and send from your terminal — the website is never involved
echo "DATABASE_URL=postgres://..." | voidnote create --views 1
→ https://voidnote.net/n/abc123#e5f6a7b8...

The web interface, the SDK, and the CLI all produce identical ciphertext using the same protocol. The website is a convenience — the trust model doesn't depend on it.

The short version

Can't read your secrets — the encryption key never leaves your browser. This is maths, not policy.

Verifiable in 30 seconds — open DevTools and watch. The plaintext never appears in any network request.

Open source — every SDK, every crypto implementation, readable and auditable.

Registered company — Irish-registered, GDPR-subject, publicly verifiable on the CRO.

No tracking — no analytics, no pixels, no fingerprinting. Check the source.

Funded by subscriptions — we sell plans, not data. The incentives are aligned.

Convinced? Sceptical? Either way, the DevTools are right there.