about

general terms

cobalt’s privacy policy is simple: we don’t collect or store anything about you. what you do is solely your business, not ours or anyone else’s.

these terms are applicable only to this specific cobalt instance.

local processing

tools that use on-device processing work offline, locally, and never send any processed data anywhere. they are explicitly marked as such whenever applicable.

saving

when using saving functionality, cobalt may need to proxy or remux/transcode files. if that’s the case, then a temporary tunnel is created for this purpose and minimal required information about the media is stored for 90 seconds.

on this cobalt instance, all tunnel data is encrypted with a key that only the end user has access to.

encrypted tunnel data may include:

  • origin service’s name.
  • original URLs for media files.
  • internal arguments needed to differentiate between types of processing.
  • minimal file metadata (generated filename, title, author, creation year, copyright info).
  • minimal information about the original request that may be used in case of an URL failure during the tunnelling process.

this data is irreversibly purged from server’s RAM after 90 seconds. no one has access to cached tunnel data, even instance owners, as long as cobalt’s source code is not modified.

media data from tunnels is never stored/cached anywhere. everything is processed live, even during remuxing and transcoding. cobalt tunnels function like an anonymous proxy.

if your device supports local processing, then encrypted tunnel info includes way less info, because it’s returned to client instead.

see the related source code on github to learn more about how it works.

encryption

temporarily stored tunnel data is encrypted using the AES-256 standard. decryption keys are only included in the access link and never logged/cached/stored anywhere. only the end user has access to the link & encryption keys. keys are generated uniquely for each requested tunnel.

web privacy & security

this instance uses bunny.net for:

  • ddos & abuse protection (waf).
  • hosting the statically rendered web app (cdn).
  • name servers (dns).

bunny.net is a fast, reliable, EU-based, GDPR-compliant provider for the above mentioned services. all request and ip address logging options have been turned off, as well as any caching or storing of api requests and tunnels.

learn more about bunny.net’s commitment to privacy.

additionally, we use cloudflare turnstile for bot protection. learn more about privacy at cloudflare.