Privacy Policy

Last updated: June 2, 2026

Clipcroft ("we", "our", or "the service") is a real-time clipboard tool that lets you share text and files between devices without creating an account. This policy explains what data is involved when you use the service and how it is handled.

The short version: there is no account, Clipcroft runs no analytics or tracking scripts of its own, file content is never stored on our servers, and your IP address is never stored in our logs. The service is free and supported by advertising — ads are served by Adsterra, which may use cookies or similar technologies to serve and measure ads (see Sections 5 and 7). The longer version follows.

1. No Account Required

Clipcroft does not require registration. We do not collect your name, email address, or any other personal identifier. There is no user profile and no login.

2. How Your Data Flows

When you use a clipboard, four things move:

• Text you send is transmitted to other devices connected to the same clipboard via our SignalR server and stored in each recipient device's browser localStorage. Our server relays the message but never writes it to disk or any database — it is discarded from memory immediately after delivery. If you set a password on a clipboard, the text is encrypted with AES-256-GCM in your browser before it reaches the server; only devices that know the password can decrypt it.
• Files are transferred browser-to-browser using WebRTC peer-to-peer connections, encrypted on the wire by DTLS (the standard WebRTC encryption). File data is never stored on our servers. When a direct peer-to-peer connection cannot be established (typically because of a restrictive NAT or firewall on at least one side), the encrypted data stream is relayed through a TURN server we operate (see Section 5); the TURN server forwards the encrypted bytes without being able to read them.
• Error reports. If something goes wrong in the app (an unhandled JavaScript error, a Blazor render failure, a transfer hitting one of our internal limits), a short technical report is sent same-origin to /api/error-report on our server. The browser passes through a redaction filter that strips email addresses, URLs, file extensions, and clipboard identifiers before the report leaves your device; the server runs the same redaction filter a second time before forwarding the report to Application Insights (see Section 5). The report contains the browser type and a short, redacted description of the error; it does not include a stack trace, clipboard content, file data, or personal identifiers.
• Clipboard IDs. Each clipboard has a short, human-readable identifier (for example, coolfox07). Anyone who knows a clipboard's identifier can join it and read any content that is not password-protected. For sensitive material, set a password — its contents are then end-to-end encrypted in your browser, and anyone who joins without the password cannot read them.

3. Data Stored on Your Device

All clipboard content is stored locally in your own browser:

• Text and file metadata are stored in localStorage under a key namespaced to your clipboard identifier. For password-protected clipboards, the stored entry is encrypted with AES-256-GCM; only your browser holds the derived key.
• File binaries are stored in IndexedDB.
• A small number of preference keys (your selected interface language, your selected theme, and your advertising consent choice) are also stored in localStorage. None of these are sent to our servers.

Locally stored content is auto-deleted after seven days by default; you can change this period — or clear all locally stored data immediately — from the Settings panel inside the app. We have no ability to access or delete data stored in your browser.

4. Server-Side Data

Our server holds only transient connection state (which browser connections currently belong to which clipboard). This state exists in memory only and is lost when a connection ends or the server restarts. No clipboard content is ever written to server storage or a database.

Request metadata (path, HTTP status, timing) is recorded to Application Insights for operational monitoring (see Section 5). The client IP address is replaced with the placeholder value 0.0.0.0 by Application Insights at ingestion time before any record is written to storage; the country / city / region are derived from the IP just before that masking step, so geographic analytics still work without retaining the raw IP. We do not retain raw IP addresses in any of our application logs.

5. Third-Party Services

Clipcroft uses the following third-party services. The app's own fonts, icons, and JavaScript libraries are all self-hosted — we load them from no external content-delivery network. The only third-party resource that loads in your browser is the Adsterra advertising unit, described below.

• Microsoft Azure — our hosting provider and the operator of Application Insights, the telemetry system that records server-side request and error data. Azure App Service sets a session-affinity cookie (ARRAffinity) for technical load-balancing; it contains no personal data and is not used for tracking. Application Insights receives the data described in Sections 2 and 4 above; the client IP is removed before any record is written to storage, but Application Insights derives an approximate country from the IP for operational analytics (for example, "transfer latency in Spain over the last week"). The country lookup runs on Microsoft's servers — your IP is not shared with any third party for this purpose. Microsoft's privacy policy.
• OVHcloud — operator of the TURN relay servers turn-fr.clipcroft.com (France) and turn-us-east.clipcroft.com (United States). These relay encrypted WebRTC traffic when a direct peer-to-peer connection cannot be established. OVHcloud sees your IP address and the encrypted byte stream during a relayed transfer; it cannot read the encrypted content. OVHcloud personal data protection.
• Contabo — operator of the TURN relay server turn-sg.clipcroft.com (Singapore), with the same role and the same visibility as the OVHcloud relays above. Contabo privacy policy.
• Adsterra — our advertising provider. Clipcroft is free and supported by ads served by Adsterra, which may use cookies or similar technologies to serve and measure ads. For visitors in the EU, UK, or EEA, no Adsterra resource (script, iframe, or cookie) is loaded until you have given consent (see Section 7). Adsterra privacy policy.

Our only advertising provider is Adsterra. We do not use Google Analytics, Google AdSense, Facebook Pixel, or any other analytics or advertising service.

6. Cookies and Similar Storage

Clipcroft does not set any first-party cookies for tracking or analytics. The following cookies and similar browser-storage entries may be present:

• ARRAffinity — set by Azure App Service for technical load-balancing. No personal data, not used for tracking.
• clipcroft.lang — set in cookie storage (and mirrored to localStorage) when you choose an interface language from the language menu. It exists only to remember your language preference between visits. It contains a two-letter language code (en or es) and nothing else.
• localStorage and IndexedDB entries — described in Section 3. These are browser storage, not cookies, and they are not transmitted to any server.
• Adsterra cookies — Adsterra may set cookies or use similar technologies to serve and measure ads. For visitors in the EU, UK, or EEA, these are set only after you have given consent (see Section 7).

7. Analytics and Advertising

Error tracking

Unhandled JavaScript and Blazor errors are sent to our own server at /api/error-report over the same connection as the rest of the app — no third-party telemetry script runs in your browser. The server forwards a redacted copy to Microsoft Application Insights for our debugging use. The redaction filter strips email addresses, URLs, file extensions, and clipboard identifiers; the server runs the same filter a second time before forwarding. Error reports do not include clipboard content, file data, or personal identifiers, and the client IP is removed before any record is written to storage.

Country detection (for EU/UK consent only)

To know whether to show an advertising consent notice (see below), the app needs to know whether you are likely in the EU, UK, or EEA. It does this entirely inside your browser by reading your operating system's configured time zone (for example, Europe/Madrid) and matching it against a list of EU/UK/EEA zones. Your IP address is never sent to any third party for this purpose. The time-zone check runs on every visit and is not cached.

Advertising

Clipcroft is free and supported by advertising. Ads are served by Adsterra, which may use cookies or similar technologies to serve and measure ads. We use no other advertising service and no separate analytics tracker.

Ads are shown inside an iframe served by Adsterra. For visitors in the EU, UK, or EEA, no Adsterra resource — script, iframe, or cookie — is loaded until you have given consent, and you can withdraw that consent at any time.

8. Your Rights (GDPR and UK GDPR)

If you are in the EU, UK, or EEA, the following applies:

• Access and erasure: Clipcroft does not hold personal data on our servers — there is no profile or content of yours to access or erase. Data stored in your browser (localStorage, IndexedDB) is under your direct control through your browser settings and the in-app Settings panel.
• Consent for advertising: If you are in the EU, UK, or EEA, you are asked for explicit consent before any advertising resource is loaded, and you can withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
• Right to object: You can object to advertising processing by declining the consent notice when it appears, or by withdrawing your consent at any time afterwards.
• How we detect that you are in scope: entirely from your browser's time-zone setting, not from your IP address (see Section 7). If your time zone is set to a location outside the EU/UK/EEA the consent notice will not appear; if it is set to a location inside, it will.

For questions or concerns about how your data is handled, contact us at privacy@clipcroft.com.

9. Children

Clipcroft is not directed at children under 13. We do not knowingly collect information from children.

10. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of this page will reflect any change. Continued use of the service after changes constitutes acceptance of the updated policy. Substantive changes (for example, adding a new sub-processor or changing how ads are served) will be called out in the introduction.

11. Contact

Questions about this privacy policy: privacy@clipcroft.com