Privacy by Design
Our privacy promises aren't marketing claims—they're architectural guarantees enforced by code. It's technically impossible for us to collect your data.
100% Static Site - Zero Backend
HexBurn is a purely static website. There is no server-side code, no backend, no database. The entire application is delivered as static HTML, CSS, and JavaScript files.
// astro.config.mjs
import { defineConfig } from 'astro/config';

export default defineConfig({
  output: 'static', // Static Site Generation
  site: 'https://hexburn.com',
});

Why this matters: Without a backend, there's nowhere to send or store user data. Every interaction happens locally in your browser.
No Analytics, No Tracking Scripts
Inspect our HTML source code. You won't find Google Analytics, Facebook Pixel, or any tracking scripts.
// BaseLayout.astro - Complete <head> section
<head>
  <meta charset="UTF-8" />
  <title>{title}</title>
  <meta name="description" content={description} />
  <link rel="icon" href="/logo.svg" />
  {/* NO Google Analytics */}
  {/* NO Facebook Pixel */}
  {/* NO Tracking Scripts */}
  {/* NO Third-Party CDNs */}
</head>

Verify yourself: Open DevTools → Network tab. All requests stay on hexburn.com. No external tracking domains.
Zero Cookies Policy
We don't use cookies. Period. Not even "technically necessary" ones.
// Verify in DevTools:
// Application → Cookies → hexburn.com
// Result: Empty
document.cookie // Returns: ""

GDPR Impact: No cookies = no cookie banner needed = no tracking consent required.
Client-Side Encryption Only
All encryption happens in your browser using the Web Crypto API. Your data never exists in plaintext on any server.
// src/utils/crypto.ts
const encoder = new TextEncoder();

export async function encrypt(text: string, password: string) {
  // Derives key locally in browser (deriveKey is assumed to live in this same module)
  const key = await deriveKey(password);
  // Fresh random 96-bit IV per message, generated in the browser
  const iv = crypto.getRandomValues(new Uint8Array(12));
  // Encrypts using Web Crypto API (AES-256-GCM)
  const encrypted = await crypto.subtle.encrypt(
    { name: 'AES-GCM', iv },
    key,
    encoder.encode(text)
  );
  // Returns IV and ciphertext for the URL fragment (the IV is needed to decrypt)
  return { iv, ciphertext: new Uint8Array(encrypted) }; // Never sent to server
}

Technical guarantee: Encryption keys are derived from your password and never leave your device. We couldn't decrypt your messages even if we wanted to.
URL Fragment Storage (Never Sent to Server)
Encrypted messages are stored in the URL hash fragment (#), which is never transmitted to servers.
// Example URL:
https://hexburn.com/view#eyJlbmMiOiJBRVMt...
// The part after '#' is ONLY accessible by client-side JS
// Browser spec: Fragment is never sent in HTTP requests
// Server logs: Only see "GET /view" (no fragment data)

RFC 3986 Guarantee: URL fragments are explicitly excluded from HTTP requests. Your message data never reaches our servers, not even in access logs.
No External Dependencies for Core Features
We use only Web Standard APIs—no external services that could track you.
// Core features use only native browser APIs:
- Web Crypto API (crypto.subtle)
- File API (FileReader, Blob)
- Canvas API (for QR codes)
- Web Workers (for performance)
- IndexedDB (optional, local only)
// NO external API calls for:
// ❌ Encryption services
// ❌ File storage services
// ❌ Analytics services
// ❌ CDN-hosted libraries (self-hosted only)

Security Headers Enforce Privacy
Our security headers make it technically impossible to inject tracking scripts.
# public/_headers
/*
  Strict-Transport-Security: max-age=63072000
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: interest-cohort=()
  # connect-src 'self' blocks external API calls; frame-ancestors 'none' prevents embedding
  Content-Security-Policy: default-src 'self'; connect-src 'self'; frame-ancestors 'none'

Enforcement: Even if someone compromised our deployment, CSP headers prevent loading external tracking scripts.
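To make the enforcement concrete, here is an added example (not HexBurn's code and not a browser's real CSP engine): a deliberately simplified Content-Security-Policy evaluator that parses the policy above and decides whether a given script or fetch destination would be allowed. It handles `'self'`, `'none'`, `*`, scheme sources and host sources with a leading `*.` wildcard, and models the CSP3 rule that fetch directives such as script-src and connect-src fall back to default-src when absent; nonces, hashes, path matching and the remaining keyword sources are out of scope.

```javascript
// Added example (not HexBurn's code): simplified CSP evaluator for the policy on this page.

// Split "dir src src; dir src" into { dir: [src, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives that inherit default-src when not set (CSP3 subset).
// frame-ancestors is intentionally absent: it never falls back to default-src.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'connect-src', 'img-src', 'style-src', 'font-src', 'frame-src', 'media-src',
]);

// Returns the governing source list, or null when nothing restricts this directive.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (FALLS_BACK_TO_DEFAULT.has(directive)) return policy['default-src'] ?? null;
  return null;
}

// Does one source expression permit this resource URL from this page origin?
function matchesSource(source, resourceUrl, pageOrigin) {
  const r = new URL(resourceUrl);
  const p = new URL(pageOrigin);
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return r.origin === p.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return r.protocol === s; // scheme-source, e.g. https:
  // host-source: [scheme://][*.]host[:port]
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*']+)(?::(\d+))?/);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && r.protocol !== scheme + ':') return false;
  const rPort = r.port || (r.protocol === 'https:' ? '443' : '80');
  if (port && rPort !== port) return false;
  if (wild) return r.hostname.endsWith('.' + host); // *.cdn.example does not match cdn.example itself
  return r.hostname === host;
}

// Top-level check: would the browser load resourceUrl under this policy for this directive?
function isAllowed(header, directive, resourceUrl, pageOrigin) {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true;
  return sources.some((src) => matchesSource(src, resourceUrl, pageOrigin));
}

// The policy from public/_headers, as a single header value.
const HEXBURN_CSP = "default-src 'self'; connect-src 'self'; frame-ancestors 'none'";

// A third-party analytics script is blocked; a same-origin bundle is allowed.
console.log(isAllowed(HEXBURN_CSP, 'script-src', 'https://www.google-analytics.com/analytics.js', 'https://hexburn.com'));
console.log(isAllowed(HEXBURN_CSP, 'script-src', 'https://hexburn.com/_astro/app.js', 'https://hexburn.com'));
```

Note that `'self'` is an exact origin match, so even a subdomain such as `cdn.hexburn.com` would be refused by this policy, which is what makes the "no third-party CDNs" statement above enforceable. The policy only protects the page while the response headers actually carry it, so the check worth automating is against the live HTTP response (for example `curl -I https://hexburn.com`), not against the `_headers` file in the repository.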
How to Verify
1. Open Browser DevTools (F12)
   Network tab: Verify all requests stay on hexburn.com domain
2. Check Application Storage
   Application tab: Confirm zero cookies, no tracking localStorage
3. Inspect Page Source (Ctrl+U)
   Search for common trackers: "google-analytics", "gtag", "fbq", "analytics" → 0 results
4. Test Offline Mode
   Disconnect internet after page load → Core encryption features still work (proof it's client-side)
5. Use Privacy Analysis Tools
   Run with tools like: uBlock Origin, Privacy Badger, Blacklight by The Markup
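Steps 1 to 3 above can be automated from the DevTools console. The following is an added example, not HexBurn's code: `collectSnapshot()` reads the live page (resource-timing entries, cookies, localStorage keys and the rendered HTML; browser only), and `auditSnapshot()` is a pure function over that snapshot so the same logic can be exercised on the constructed sample snapshots at the bottom, which are not captures from hexburn.com. The tracker marker list is the one from step 3.

```javascript
// Added example (not HexBurn's code): console audit for the manual verification steps.

// Marker strings from the "Inspect Page Source" step.
const TRACKER_MARKERS = ['google-analytics', 'gtag', 'fbq', 'analytics'];

// Browser only: gather what the Network, Application and Source checks look at.
function collectSnapshot() {
  return {
    resourceUrls: performance.getEntriesByType('resource').map((e) => e.name),
    cookies: document.cookie,
    localStorageKeys: Object.keys(localStorage),
    html: document.documentElement.outerHTML,
  };
}

// A URL is first-party when its host is the site host or a subdomain of it.
function isFirstParty(url, siteHost) {
  const h = new URL(url).hostname;
  return h === siteHost || h.endsWith('.' + siteHost);
}

// Pure audit: returns the evidence plus a single clean/not-clean verdict.
function auditSnapshot(snapshot, siteHost) {
  const externalHosts = [...new Set(
    snapshot.resourceUrls.filter((u) => !isFirstParty(u, siteHost)).map((u) => new URL(u).hostname)
  )];
  const cookieNames = snapshot.cookies.split(';').map((c) => c.trim().split('=')[0]).filter(Boolean);
  const html = snapshot.html.toLowerCase();
  const trackerHits = TRACKER_MARKERS.filter((m) => html.includes(m));
  const findings = [];
  if (externalHosts.length) findings.push(`external hosts contacted: ${externalHosts.join(', ')}`);
  if (cookieNames.length) findings.push(`cookies set: ${cookieNames.join(', ')}`);
  if (snapshot.localStorageKeys.length) findings.push(`localStorage keys present (review): ${snapshot.localStorageKeys.join(', ')}`);
  if (trackerHits.length) findings.push(`tracker markers in source: ${trackerHits.join(', ')}`);
  return { externalHosts, cookieNames, trackerHits, findings, clean: findings.length === 0 };
}

// Constructed sample snapshots (not captured from hexburn.com).
const CLEAN_SNAPSHOT = {
  resourceUrls: ['https://hexburn.com/_astro/index.js', 'https://hexburn.com/logo.svg'],
  cookies: '',
  localStorageKeys: [],
  html: '<html><head><title>HexBurn</title></head><body><h1>Privacy by Design</h1></body></html>',
};
const TRACKED_SNAPSHOT = {
  resourceUrls: ['https://hexburn.com/_astro/index.js', 'https://www.google-analytics.com/analytics.js'],
  cookies: '_ga=GA1.2.123456.7890',
  localStorageKeys: [],
  html: '<html><head><script>window.dataLayer=[];function gtag(){dataLayer.push(arguments)}</script></head></html>',
};

// In a browser console on the real page you would call auditSnapshot(collectSnapshot(), location.hostname).
console.log(auditSnapshot(CLEAN_SNAPSHOT, 'hexburn.com').findings);   // []
console.log(auditSnapshot(TRACKED_SNAPSHOT, 'hexburn.com').findings);
```

Resource-timing entries only cover loads the page has already performed, so run the audit after exercising the encryption flow, and repeat it with the network disconnected (step 4) to confirm nothing new appears.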
This is Privacy by Design
We don't ask you to trust our privacy policy. We've built our architecture so that collecting your data is technically impossible. The code is the proof. The browser is the enforcer.