Trust, privacy, status, and support in one place.
OBSCURA is built for zero-knowledge file transfer: files encrypt in your browser, the server stores ciphertext only, and shares expire or burn after the configured limit. This page collects the operational proof, data policy, security posture, and support links people need before trusting it with anything sensitive.
what OBSCURA stores
- Ciphertext. Stored in Cloudflare R2 under a random 16-hex-character ID until expiry, burn, or download exhaustion.
- Per-share metadata. Stored in KV: expiry time, remaining downloads, total ciphertext size, and created timestamp.
- Aggregate counters. Daily totals for created, burned, expired, and exhausted shares. No identifiers.
what OBSCURA does not store
- Plaintext. Encryption and decryption happen in the browser.
- Encryption keys. Normal-mode keys live in URL fragments; passphrase mode wraps the data key client-side.
- Application access logs. The Worker does not write per-request logs for upload, download, or burn routes.
Cloudflare can still retain platform analytics and security events. A Cloudflare account administrator could correlate IPs to share IDs inside Cloudflare's own retention window, even though the app does not log that itself. Full canonical policy: PRIVACY.md.
Report vulnerabilities to security@obscr.app. Scope and response expectations are documented in SECURITY.md. Abuse reports go to abuse@obscr.app.