Privacy Policy
Last updated: 2026-05-17
What we collect
obfus.link is a developer utility grid. The data we retain depends on which tool you use and which surface (web UI, MCP, MAIO) you call it on.
- Pure transform tools (JSON-to-Zod, regex verifier, base64 codec, etc.): inputs are processed in-memory and not persisted. No record of the values you paste is stored.
- Link Obfuscator (the only tool that creates persistent state): we store the encrypted destination URL, a short code, an initialisation vector, an authentication tag, optional TTL / max-click metadata, and an optional scrypt hash of any passphrase you set. The destination URL is never written to disk in plaintext. We do not log who created which link.
- Rate-limit buckets (web UI + MCP): we hash IP addresses (SHA-256, truncated to 16 hex chars) into two kinds of counter buckets: daily per-tool buckets for the web UI (key format web:{ip_hash}:{slug}:{date}, expires at end of day) and a lifetime per-IP counter for the MCP free tier (free:{ip_hash}:lifetime). The hashes are not linked to identity.
- Stripe billing data (MCP / Day Pass only): when an agent provides a Shared Payment Token or a human purchases a Day Pass, Stripe processes the payment and we receive a customer ID and meter event records via Stripe's standard webhook flow. We do not receive or store card details. See Stripe's privacy policy for their processing terms.
- Server access logs: Vercel may retain standard request logs (IP, user agent, status code) for 24 hours per their infrastructure policy. obfus.link does not retain copies of these logs.
Cookies
obfus.link uses up to two cookies, both narrowly scoped:
- obfus_gate_<code>: set only when you unlock a passphrase-gated obfuscated link. Contains the passphrase you typed, is httpOnly (not readable from JavaScript), sameSite=lax, scoped to the specific link's path, expires after 5 minutes. A leaked cookie for one link cannot unlock any other link.
- obfus_day_pass: set only when you purchase a $1 Day Pass to bypass web UI rate limits. Contains a signed expiry timestamp (HMAC-SHA256), is httpOnly, sameSite=lax, secure in production, scoped to the root path, expires after 24 hours. No identity information is stored in the cookie value.
Stripe Checkout itself sets cookies on stripe.com (not on obfus.link) for the duration of the payment flow. Those are governed by Stripe's privacy policy, not ours.
AdSense
obfus.link ships with Google AdSense integration disabled by default. The operator-controlled adsenseEnabled flag in SiteSettings determines whether any AdSense markup reaches the page. When disabled, no AdSense script loads and no advertising cookies are set by our site.
If and when AdSense is enabled, Google may set cookies and use other tracking technologies on the pages where ads render (homepage, tool pages, category pages, articles). MCP routes (/mcp), API routes (/api/*), Payload admin (/admin/*), and the link redirect chain (/x/*) are explicitly excluded from ad placement. See Google's advertising privacy controls for details on opting out of personalised ads. This policy will be updated to reflect the live state if AdSense is enabled on production.
What we don't do
- No third-party analytics scripts on tool pages (no Google Analytics, no Plausible, etc.).
- No selling or sharing of any data with third parties beyond what is necessary to operate the service (Stripe for billing, Vercel for hosting, Supabase for the database).
- No reading, scanning, or storing of destination URLs after they are encrypted by the Link Obfuscator.
- No retention of tool input values from pure-transform tools — every paste is in-memory only.
Encryption details (Link Obfuscator)
Destination URLs are encrypted with AES-256-GCM using a 96-bit (12-byte) random initialisation vector per link. The encryption key for each link is derived from a server-side master key via HKDF-SHA-256 with the short code as salt. This means a database compromise alone does not expose any link without the master key. The master key is held in the deployment environment and rotated by the operator. Rotating the master key invalidates all existing links.
Passphrases (when set) are hashed with scrypt (Node built-in, default parameters: N=16384, r=8, p=1, per-link 16-byte salt). The plaintext passphrase is never written to disk and is verified server-side with a timing-safe comparison.
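The scheme described above, sketched with Node's built-in crypto module. This is an added example, not obfus.link's own code; the function names, the HKDF info label, the 64-byte scrypt output length and the randomly generated master key are assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the server-side master key (assumption: 32 random bytes).
const MASTER_KEY = crypto.randomBytes(32);

// Per-link key: HKDF-SHA-256 over the master key with the short code as salt.
// The info label is an assumption; the policy does not state one.
function deriveLinkKey(masterKey, shortCode) {
  const okm = crypto.hkdfSync('sha256', masterKey, Buffer.from(shortCode, 'utf8'),
    Buffer.from('link-encryption'), 32);
  return Buffer.from(okm);
}

// Returns what the policy says is stored: ciphertext, short code, IV, auth tag.
function encryptDestination(masterKey, shortCode, url) {
  const iv = crypto.randomBytes(12); // 96-bit random IV per link
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveLinkKey(masterKey, shortCode), iv);
  const ciphertext = Buffer.concat([cipher.update(url, 'utf8'), cipher.final()]);
  return { shortCode, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Throws if the tag does not verify: wrong master key, wrong short code,
// or a modified ciphertext all fail here instead of yielding a bogus URL.
function decryptDestination(masterKey, row) {
  const key = deriveLinkKey(masterKey, row.shortCode);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, row.iv);
  decipher.setAuthTag(row.tag);
  return Buffer.concat([decipher.update(row.ciphertext), decipher.final()]).toString('utf8');
}

// scrypt with Node's defaults (N=16384, r=8, p=1) and a per-link 16-byte salt.
function hashPassphrase(passphrase) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(passphrase, salt, 64) };
}

// Recompute with the stored salt and compare in constant time.
function verifyPassphrase(passphrase, stored) {
  const candidate = crypto.scryptSync(passphrase, stored.salt, stored.hash.length);
  return crypto.timingSafeEqual(candidate, stored.hash);
}
```

Because the key is re-derived from the master key on every resolution, a row decrypted under a different master key fails GCM tag verification, which is why rotation invalidates existing links.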
Link expiry and deletion
Links with a TTL or max-click budget auto-expire server-side; their database row remains but returns HTTP 410 Gone on resolution. Permanent links can be removed by emailing abuse@obfus.link with the short code and a brief justification.
Reporting abuse
obfus.link rejects destination URLs pointing at private IP ranges, loopback, link-local addresses (including cloud-metadata endpoints), and non-network schemes (javascript:, data:, file:). We also act on reports of phishing, malware distribution, or other abusive use. Submit reports at /report-abuse or email abuse@obfus.link.
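One way to implement the destination check described above, as an added example that is not obfus.link's own code. The function name, the http/https allowlist and the exact CIDR list are assumptions; the check covers IP literals only and passes hostnames through without resolving them.

```javascript
const net = require('node:net');

// Ranges named in the policy: private, loopback and link-local.
// 169.254.0.0/16 includes 169.254.169.254, the usual cloud-metadata address.
const blocked = new net.BlockList();
for (const [addr, prefix] of [['10.0.0.0', 8], ['172.16.0.0', 12],
  ['192.168.0.0', 16], ['127.0.0.0', 8], ['169.254.0.0', 16]]) {
  blocked.addSubnet(addr, prefix, 'ipv4');
}
for (const [addr, prefix] of [['::1', 128], ['fc00::', 7], ['fe80::', 10]]) {
  blocked.addSubnet(addr, prefix, 'ipv6');
}

// Returns { ok, reason } for a candidate destination URL.
function checkDestination(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  // Allowlist rather than denylist: javascript:, data: and file: all fail here.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  // The WHATWG parser has already canonicalised the host, so alternate
  // spellings of an IPv4 address arrive here in dotted-quad form.
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  const family = net.isIP(host);
  if (family === 0) {
    // A DNS name: not resolved in this sketch, so only literals are enforced.
    return { ok: true, reason: 'hostname' };
  }
  if (blocked.check(host, family === 6 ? 'ipv6' : 'ipv4')) {
    return { ok: false, reason: 'blocked-range' };
  }
  return { ok: true, reason: 'public-ip' };
}
```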
Contact
Privacy questions: privacy@obfus.link. Billing questions: billing@obfus.link. Abuse reports: abuse@obfus.link. Operator: Subether Labs, LLC.