mangocontact
Sign inSign up

Data policy.

Last updated: 9 May 2026 · A clearer answer than most companies will give you.

Two different kinds of data

It helps to separate the two things going on:

  1. The contact info you put inside a session. This is what you came here to share — names, phone, email, a note. We never store this.
  2. Site visit data. Like every modern website, we use third-party services for analytics, security, and advertising. These services collect basic browsing data so the site can work, stay safe, and stay free.

The two are kept on entirely separate paths. Ad and analytics scripts have no access to anything you type inside a session.

Session contents — what gets stored

Nothing on disk. Nothing in a database. When you start a session, the details you've filled in sit in our server's working memory — encrypted — for as long as the session lasts. There is no database table, no log file, no backup, no object storage, no replica.

The exact lifecycle of one session

  1. Start — you click Start session. We generate a random 6-digit code and pick a random emoji. We encrypt your fields with a key that's derived only when needed and hold the encrypted blob in memory with a time-to-live equal to your chosen duration (15, 30, or 60 minutes).
  2. Live — while the session is open, every change you make (toggling a field, typing a note, editing a value) is re-encrypted and replaces the previous encrypted snapshot. Updates push to the viewer in real time. None of this hits a disk.
  3. Unlock — when the viewer enters the right code and emoji, the one-time code is destroyed and the data is re-keyed. The viewer's screen now mirrors yours live.
  4. End — the session ends in one of four ways: you click End session, the timer expires, both sides go silent for a few minutes, or there are 3 wrong emoji attempts. In every case, the encrypted blob is purged from memory and we emit a "session ended" signal so any open viewer screen clears within about a second.

What lives in our servers (and for how long)

What Lifetime
Encrypted snapshot of your fields, visibility toggles, and notes 15 / 30 / 60 min (your choice)
Lookup from your 6-digit code to the session, used until first unlock 5 min
Counter of wrong emoji attempts (resets when session ends) 5 min
Rate limit counters tied to your IP for abuse prevention 10 min

Memory is capped and configured so nothing survives a restart. There is no persistence enabled for session data.

What never touches our session storage

  • Your IP address (used briefly in process memory only, for rate limiting)
  • A browser fingerprint (we don't generate one for sessions)
  • The unencrypted contents of your fields — only the encrypted snapshot is held

Site visit data — what third parties see

To run the site we use a small number of standard third-party services. Each is described in our privacy policy; in summary:

  • Cloudflare — sits in front of the site for speed and protection. Sees IP addresses and request metadata so it can route, cache, and block bad traffic.
  • Google Analytics — measures aggregate site usage (page views, country, device type). Sets analytics cookies on your device.
  • Google AdSense (and partner ad networks) — serves the ads that keep the site free, sets advertising cookies, and may personalise ads based on your interests.
  • Google Fonts — delivers the typeface used on the site.

These services collect browsing data (what page you're on, your IP, basic device info, cookies they set themselves). They do not have access to the contact info you put inside a session, which is encrypted on a separate path.

Backups

There are no backups of the contact info you share — by design. The only thing on the server's persistent disk is the application code itself.

Security incidents

If our infrastructure were compromised, what could an attacker actually get?

  • Sessions currently in memory — encrypted snapshots only. Decrypting them requires secrets that aren't stored on disk.
  • Past sessions — none. They're already gone.
  • User accounts, passwords, emails — none exist.
  • Browsing analytics — held by our third-party providers under their own security models, not by us.

If we ever experience a verifiable incident, we'll post a public note on the homepage.

If you want a session destroyed right now

Click End session on the share screen. The session is deleted and the viewer's screen clears within about a second. There's nothing else for us to do — there's nothing left.

Read the privacy policy →