Acceptable Use Policy
What you may not do with SecretPNG's tools and hosted secret links, how we enforce it, and the honest limits of what we can monitor.
Effective 2026-07-14 · Last updated 2026-07-14
Purpose and scope
This policy sets the rules for using SecretPNG (secretpng.com), operated by SecretPNG (legal entity to be confirmed before launch). It applies to everything the service offers: the local, in-browser tools and the hosted secure secret-link feature. It is part of the Terms of Use.
SecretPNG exists to give people practical privacy and file-security tools. The same properties that protect legitimate users could be attractive to abusers, so this policy is explicit about what is prohibited — and honest about what we can and cannot see.
An honest note on what we can monitor
The core tools run entirely in your browser. Files, passwords, keys, and generated secrets never reach our servers, so we do not and cannot monitor, scan, or review what you process with the local tools. For hosted secret links, we store only ciphertext we cannot decrypt, so we cannot review that content either.
The prohibitions below are therefore obligations on you, enforced through the signals we do have (abuse reports, traffic patterns, rate-limit data, and hosted-item metadata), not through content inspection we are incapable of performing.
Prohibited: malware and harmful code
You may not use the service to create, package, conceal, distribute, or facilitate the distribution of malware, ransomware, spyware, or any other harmful code. This includes using encryption, ZIP creation, or secret links to deliver malicious payloads to victims, and storing harmful payloads in any hosted feature.
Prohibited: phishing and credential theft
You may not use the service in phishing operations or credential theft — for example, using secret links to deliver fake login pages or lure text, using QR code generation to direct victims to credential-harvesting sites, or using any tool to package stolen credentials for sale or exchange.
Prohibited: harassment and extortion
You may not use the service to harass, stalk, threaten, or intimidate any person, or to facilitate extortion, blackmail, or sextortion — including using self-destructing secret links to deliver threats or ransom demands while evading evidence collection.
Prohibited: illegal content
You may not use the service to store, share, or distribute content that is illegal in the applicable jurisdiction, including child sexual abuse material (CSAM), content that violates sanctions or export controls, or content whose possession or distribution is otherwise unlawful. Where we become aware of apparent CSAM in connection with hosted features, we will act as required by law, including making required reports.
Prohibited: copyright and other IP infringement
You may not use the service to infringe copyrights, trademarks, trade secrets, or other intellectual property rights — for example, using secret links to distribute pirated software or media. Rights holders may report suspected infringement involving hosted items to support@secretpng.com; note that we cannot inspect ciphertext, but we can remove hosted items and act on the metadata and patterns available to us.
Prohibited: abuse of secret links
The secret-link feature is for sharing individual secrets between people. You may not:
- Create secret links in automated bulk (mass creation by scripts, bots, or similar means).
- Use the service as general-purpose file hosting, a content-delivery mechanism, or a dead-drop network for the prohibited activities in this policy.
- Circumvent, probe, or overwhelm rate limits, view limits, expiration mechanics, or size limits.
- Enumerate, guess, or scrape secret-link identifiers, or attempt to retrieve secrets not intended for you.
- Resell or wrap the hosted feature in another commercial service without our written permission.
Prohibited: circumventing lawful access controls
You may not use the service to circumvent lawful access controls — for example, cracking passwords or keys protecting systems or data you are not authorized to access, defeating digital rights management, or bypassing another service's security measures. The hashing, generator, and encryption tools are for protecting your own data and data you are authorized to handle.
Prohibited: attacks on the service
You may not engage in denial-of-service activity against SecretPNG or use SecretPNG's infrastructure in attacks on others. This includes flooding endpoints, resource-exhaustion attacks, and disruptive automated traffic. Good-faith security research is welcome within the rules of the Responsible Disclosure Policy, which is the sanctioned path for testing.
General conduct
You may not misrepresent your affiliation with SecretPNG, imply that we endorse your content, remove or falsify legal notices, or use the service in any way that violates applicable law. You are responsible for ensuring your use is legal where you are.
Enforcement
When we detect abuse indicators or receive credible reports, we may: delete hosted ciphertext (even though we cannot read it), block or rate-limit network identifiers, disable specific hosted items or features, and report to law enforcement where required by law. Because there are no user accounts, enforcement is item- and network-level rather than account-level.
We apply enforcement judgment in good faith, but we are not obligated to give advance notice before removing hosted content that appears to violate this policy.
Reporting abuse
To report abuse of the service — including a secret link being used for phishing, malware delivery, harassment, or infringement — email support@secretpng.com with the link identifier if you have it (do not forward the full link with its fragment unless you intend for us to be able to pass it to law enforcement; we cannot decrypt it either way, but the ID alone is enough for us to remove the item). Security vulnerabilities should go to security@secretpng.com instead.
Changes to this policy
We may update this policy as new abuse patterns emerge or the service changes. Updates will be posted with a new effective date. Continued use after the effective date constitutes acceptance.
Draft status
This document is a draft prepared for launch and requires review by qualified legal counsel before public launch.