Skip to content
SecretPNG

How SecretPNG Handles Advertising and Secure Workspaces

SecretPNG is free and ad-supported, which raises a fair question: how do ads coexist with a privacy tool? The answer is strict separation, and you can verify it yourself.

By SecretPNG TeamReviewed by SecretPNG Security TeamPublished 2026-07-14Updated 2026-07-14

A privacy toolkit funded by advertising sounds like a contradiction, so it deserves a direct explanation rather than a footnote. SecretPNG's tools are free to use, with no account and no upload, and the project is sustained by ads and analytics on its public informational pages. The entire design question is where those third-party scripts are allowed to exist, and the answer is a hard line: never where your files are.

Two zones with different rules

The site is split into two zones. Public pages, such as the homepage, guides like this one, and tool landing pages, are ordinary web content: they may load consent-gated analytics and advertising, and they handle none of your data. The secure workspace, everything under /app/*, is where files are actually opened, encrypted, redacted, hashed, and scanned. That zone loads no advertising, no analytics, no fonts from third-party CDNs, and no third-party scripts of any kind, ever.

This is not a promise enforced by policy alone. The workspace pages are served with a strict Content Security Policy that whitelists nothing beyond the application's own origin, so a stray ad tag would be refused by your browser even if one were somehow introduced. The codebase is structured so ad and analytics components cannot be imported into workspace routes, and automated tests fail the build if any /app/* page makes a third-party network request.

What advertisers can and cannot see

It is worth being precise about what an ad network on a public page can observe: that a browser visited a public page, plus the standard signals any third-party script sees, subject to your consent choice and your browser's protections. What no ad network can see, under any consent state, is anything about your use of the tools: not your files, not filenames, not passwords, not the contents of secret links. Those never leave your device in the first place, so there is nothing on any server to hand over, sell, or leak.

Secret links deserve a specific note: the decryption key travels in the URL fragment, which browsers do not send to servers, and the pages that create and open secrets live in the ad-free workspace zone.

Verify it, do not take our word

The separation is checkable from your own browser in under a minute. Open your browser's developer tools, switch to the Network tab, and load any tool under /app/*. Every request shown will go to the site's own origin. Compare that with a typical ad-supported page elsewhere on the web, and the difference is immediately visible. Tools like EFF's Cover Your Tracks can also show you how trackers behave on the open web generally, which makes a useful baseline for comparison.

We publish this design in our documentation and test suite rather than only in marketing copy, because a separation you can verify is worth more than one you are asked to believe.

Why this model

Alternatives all have costs: paid subscriptions exclude people who need privacy tools most, donations are unreliable, and selling data is disqualifying for a privacy product. Consent-gated ads confined to public pages fund development while keeping the workspace as clean as a fully offline tool. If that balance ever changes, this page and the project's documentation will change with it, visibly.

Limitations to keep in mind

  • Public pages, where ads may load after consent, follow the ordinary web advertising model; use the workspace zone for anything sensitive.
  • Consent-gated scripts on public pages can still observe standard web signals for visitors who accept them; declining keeps those scripts unloaded.
  • The isolation described here is enforced by CSP and automated tests, but SecretPNG is in beta and this enforcement has not been independently audited.

Sources