Guide

No Logs for Secure Notes — What It Means and Why It Matters

Burn Note · 5 min read

Privacy services love the phrase "no logs." VPNs plaster it across their marketing. Secure messaging apps claim it. Note-sharing tools use it. But "no logs" is one of the most abused claims in the privacy space — because logging is not binary. A service can claim no logs while still recording quite a lot.

Here's what logging actually means in the context of secure notes, what responsible services do and don't record, and how to think about it when choosing a tool.

What can a secure note service log?

When you create or read a secure note, a surprising amount of data touches the server. Any of the following could theoretically be logged:

Your IP address at the time of creation
Your IP address at the time of reading
The timestamp of each action
Your browser's user agent string
The size of the note
The expiry settings you chose
The encrypted content itself (stored until deletion)
Whether a password was set
Referrer information (where you came from)

Note what's not on this list: the actual content of your note. If encryption is done properly client-side, the server never sees plaintext. The content is encrypted before it leaves your device. But everything else above is metadata — and metadata can be remarkably revealing.

What "no logs" actually means

A responsible "no logs" claim for a secure note service should mean:

IP addresses are not stored beyond what's required for the immediate request
No persistent activity logs tied to individual users or notes
Encrypted note content is deleted immediately after serving
No third-party analytics that track user behavior across sessions

It does not and cannot mean that your IP address never touched a server — it did, because you made a network request. What matters is whether that address was logged and retained.

Client-side vs. server-side encryption

The single most important technical distinction in secure note services is where encryption happens.

Factor	Client-side encryption	Server-side encryption
Who encrypts	Your browser	The server
Who holds the key	You (in the URL)	The service
Can service read content	No	Yes
Vulnerable to server breach	No	Yes
Vulnerable to legal request	No (nothing to hand over)	Yes

With client-side encryption, the service genuinely cannot read your note — not because they choose not to, but because they mathematically cannot. The decryption key never leaves your browser and never touches their server.

The URL fragment trick

One elegant solution used by privacy-conscious note services involves putting the decryption key in the URL fragment — the part of a URL after the # symbol.

URL fragments are a browser-only construct. By design, they are never included in HTTP requests sent to servers. When you visit https://example.com/note/#decryption-key-here, the server receives a request for /note/ — it never sees the fragment. This means the decryption key is technically impossible for the server to log, even if it wanted to.

What Burn Note logs

Burn Note uses Cloudflare's infrastructure, which processes requests at the network level. At the application level, Burn Note stores only the encrypted note content in Cloudflare KV storage until it expires or is read — at which point it's permanently deleted. No IP addresses, no user agents, no activity logs are stored by the application.

Burn Note does use Google Analytics (via GTM) for aggregate traffic data — page views, general location, device type. This is standard web analytics and is separate from note content or activity. If you want to avoid even this, use a browser extension that blocks GA.

See it for yourself

Create a note on Burn Note — client-side AES-256, no account, burns on read.

Write a secure note →