Privacy Policy
We built MagicBin on the principle that the least data collected is the best data policy. Here's exactly what that means.
MagicBin is a zero-knowledge encrypted pastebin. By design, we are technically incapable of reading the content you share. This privacy policy explains what limited data we do handle, how it is used, and your rights under Canadian law.
This policy applies to all users of MagicBin and covers data processed through our web interface at this domain.
Because of our zero-knowledge architecture, our data collection is extremely limited:
-
Encrypted ciphertextYour paste content, encrypted in your browser before it reaches us. We cannot read it.
-
Initialisation vector (IV)A random value required for AES-256-GCM decryption. Not secret, not personally identifiable.
-
Paste metadataLanguage hint, creation timestamp, expiry time, view count, and burn-after-read flag. No personally identifiable information.
The data we hold is used for exactly one purpose: serving the encrypted paste back to whoever has the correct link. Nothing else.
We do not use your data for advertising, profiling, analytics, or any secondary purpose. Under PIPEDA's purpose limitation principle, we are legally bound to this.
All pastes are temporary by design. Every record is automatically and permanently deleted — no manual intervention, no archive, no backups of expired content.
| Trigger | What happens | When |
|---|---|---|
| Expiry reached | Paste permanently deleted from database | 30 min · 1 h · 24 h · 5 d · 7 d after creation |
| Burn after read | Paste deleted immediately on first retrieval | Upon the first successful fetch |
| View limit hit | Paste deleted when the cap is reached | After the final allowed view |
| localStorage (theme) | Stored in your browser only, never sent to us | Cleared when you clear browser storage |
| DNS/proxy provider logs | IP, request path, headers — held by provider per their policy | Per the provider's data retention policy |
| Hosting provider logs | Infrastructure access logs — held by hosting provider | Per hosting provider's data retention policy |
MagicBin runs on infrastructure operated by third-party providers. While MagicBin's application code does not log or retain IP addresses, these providers collect data automatically as part of standard network operations — outside our direct control.
-
DNS & Proxy Provider All traffic passes through a third-party DNS and proxy provider before reaching our servers. This provider collects IP addresses, request headers, geolocation estimates, timestamps, and request paths for DDoS protection, caching, and performance. Their data practices are governed by their own privacy policy. Data may be processed on servers outside Canada.
-
Hosting Provider (Canada) Our origin servers are hosted on Canadian soil. The hosting provider automatically collects infrastructure-level data as part of standard operations:
- ·IP addresses — source IP of each request
- ·Timestamps — date and time of each request
- ·HTTP request metadata — method, path, response code, bytes transferred
- ·Retention — governed by the provider's own policy; data remains within Canadian jurisdiction
MagicBin is operated from Canada and hosted on Canadian soil. Encrypted paste data is processed and stored within Canada. Your rights as a user are governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law.
However, because traffic passes through a US-based DNS and proxy provider before reaching our servers, traffic metadata (IP addresses, request headers) may be subject to US law, including potential law enforcement data requests.
Canadian federal law (PIPEDA) governs MagicBin's data practices and supersedes provincial legislation, providing consistent protection for all users regardless of province.
For questions or concerns about how your information is handled, you may also contact the Office of the Privacy Commissioner of Canada.
Because MagicBin is zero-knowledge, we cannot decrypt your pastes even in response to a valid legal order. We have never possessed your decryption key — it exists only in the URL you share.
In response to a lawful request, the maximum we can provide is confirmation of whether a specific paste ID existed and its metadata (expiry, language hint, view count). We cannot produce paste contents.
The EU General Data Protection Regulation (GDPR) may apply to MagicBin if you are accessing the service from the European Economic Area. GDPR has extraterritorial reach — it applies to any service used by EU residents regardless of where the service is hosted.
MagicBin's zero-knowledge design means we process very little personal data in the first place. The encrypted blob we store is not personal data in any meaningful sense — it cannot be attributed to you without the key, which we have never held.
-
Legal basis for processingProcessing is carried out on the basis of performance of a service — you submit content to be stored and retrieved, and we store only the encrypted result necessary to fulfil that purpose.
-
Right to erasurePastes are automatically and permanently deleted on expiry or burn — no request needed. There is no account, no profile, and no data tied to your identity for us to delete.
-
Right to portability & accessThe only data tied to a paste is the encrypted ciphertext and its metadata. You already have full access to this — it is embedded in the link you hold.
-
No profiling or automated decision-makingWe perform no profiling, behavioural tracking, or automated decisions about users. There are no user accounts or identifiers on our end.
-
International data transfersEncrypted paste data is stored in Canada. However, traffic metadata passes through a US-based DNS and proxy provider, constituting a transfer outside the EEA governed by that provider's own GDPR obligations.
If you have questions about this privacy policy or how your data is handled, please refer to the About page for further context on our architecture and Canadian data law obligations.