general terms
cobalt’s privacy policy is simple: we don’t collect or store anything about you. what you do is solely your business, not ours or anyone else’s.
these terms are applicable only when using the official cobalt instance. in other cases, you may need to contact the hoster for accurate info.
on-device processing
tools that use on-device processing work offline, locally, and never send any data anywhere. they are explicitly marked as such whenever applicable.
saving
when using saving functionality, in some cases cobalt will encrypt & temporarily store information needed for tunneling. it’s stored in processing server’s RAM for 90 seconds and irreversibly purged afterwards. no one has access to it, even instance owners, as long as they don’t modify the official cobalt image.
processed/tunneled files are never cached anywhere. everything is tunneled live. cobalt’s saving functionality is essentially a fancy proxy service.
encryption
temporarily stored tunnel data is encrypted using the AES-256 standard. decryption keys are only included in the access link and never logged/cached/stored anywhere. only the end user has access to the link & encryption keys. keys are generated uniquely for each requested tunnel.
web privacy & security
we use cloudflare services for ddos & bot protection. we also use cloudflare pages for deploying & hosting the static web app. all of these are required to provide the best experience for everyone. it’s the most private & reliable provider that we know of.
cloudflare is fully compliant with GDPR and HIPAA.