Pasting text into an online tool raises legitimate questions. What happens to your data? Who can see it? How long is it stored? This guide answers all of it, specifically about how Online Clipboard protects your information.
Whenever you paste text into an online tool, you're trusting that tool with your data. Most of the time this is fine — you're moving a URL or a phone number and don't think twice about it. But sometimes you're moving something more sensitive: a password, a private note, an API key, or an address.
The honest answer to "is an online clipboard safe?" is: it depends on the tool. Some online clipboard tools log every clip. Some have no auto-deletion. Some use unencrypted databases. Some display ads that are served alongside your content, creating the potential for third-party tracking.
This guide focuses on Online Clipboard specifically — what it does, what it doesn't do, how the data is stored, and where the limits of its security model are. We'll also cover general principles for using any online clipboard tool safely.
Every clip is automatically and permanently deleted from the database 5 minutes after creation — enforced server-side.
No email, phone, name, or any personal identifier is required or collected. Your clip is anonymous by design.
All traffic between your browser and Firebase is encrypted via TLS (HTTPS). No plain-text transmission.
The app doesn't log clip content, access patterns, or IP addresses. Firebase Analytics is not enabled for clip data.
For everyday use — URLs, addresses, code snippets, short notes — Online Clipboard is safe. Data is encrypted in transit, stored ephemerally, and deleted automatically. No account, no tracking of clip content.
Online Clipboard uses Google Firebase Realtime Database as its backend. Firebase is a production-grade database platform used by millions of applications including Fortune 500 companies. Understanding how it's configured helps you understand what actually happens to your data.
Clip text is stored at path /clips/{code} in Firebase RTDB. Firebase stores data in Google's data centers with encryption at rest.
Firebase security rules enforce: (1) a clip can only be created if that code doesn't already exist, and (2) clips can be read by anyone with the correct 4-digit code. No admin read access to bulk-read all clips.
A Firebase Cloud Function runs on a schedule (every 5 minutes) and deletes all clips where the creation timestamp is older than 5 minutes. This is server-side enforcement — it runs even if you close the browser.
Firebase SDK communicates over WebSockets (wss://) with TLS encryption. All data in transit is protected by the same encryption used in online banking.
Firebase RTDB is hosted in the United States (us-central1). Data is subject to Google's privacy and security policies for Firebase.
Firebase's security and compliance certifications include ISO 27001, SOC 1/2/3, and PCI DSS. Your data is stored on infrastructure trusted by enterprises worldwide.
The 4-digit code is the key to your clip. Anyone who knows the code can retrieve the clip during the 5-minute window. Understanding how the code is generated clarifies the security model.
Codes are generated randomly using JavaScript's Math.random() function combined with timestamp entropy, producing a number between 1000 and 9999. This means codes are not sequential — knowing that clip 4821 was just created tells you nothing about what clip 4822 is, or whether it exists.
With 9,000 possible 4-digit codes and a 5-minute window, there are at most a few thousand active clips at any moment. In theory, a determined attacker could enumerate all codes. This is a known limitation of short codes.
Why this is acceptable for most uses: Clip content is ephemeral (5 minutes), no personal data is stored, and the use case is quick text transfer — not long-term secure document storage.
Note: Do not share passwords, private keys, SSNs, or other highly sensitive data via a 4-digit code. The code space is small enough that motivated enumeration is possible. For sensitive transfers, use a dedicated encrypted tool like 1Password's "Sharing" feature or Bitwarden's secure send.
The 5-minute auto-deletion is not just a convenience feature — it's the most important privacy protection the tool has.
Most online tools that store user content do so indefinitely. Pastes on Pastebin stay forever by default. Notes in Google Keep stay until you delete them. Emails you send yourself live in your inbox for years. This creates a long-term risk: if a service is ever hacked, those historical records could be exposed.
By deleting all clips after 5 minutes, Online Clipboard ensures there's nothing to breach. There's no archive of past clips. A server compromise would yield only clips created in the last 5 minutes.
createdAt < (now - 5 minutes)After deletion, the 4-digit code is freed up and can be reused for a completely different clip. This is why codes aren't unique over time — they're recycled from a small space to keep them memorable.
| Tool | Auto-Delete | No Account | Encrypted Transit | No Ads/Tracking |
|---|---|---|---|---|
| Online Clipboard | 5 min | Yes | TLS/WSS | Yes |
| Pastebin | Never (default) | Yes | TLS | Has ads |
| Email (Gmail) | Never | Account required | TLS | Scanned for ads |
| Google Keep | Manual only | Google account | TLS | Some tracking |
| AirDrop | Never stored | Yes | Encrypted P2P | Yes |
The raw text is stored in Firebase, so technically it could be read by anyone with Firebase admin access. However, clips are deleted within 5 minutes, no logging occurs, and the developer has committed to no reading or selling of clip data. This is a trust model — like trusting your email provider not to read your emails.
Firebase logs may capture IPs at the infrastructure level (as any server does), but Online Clipboard's application layer does not deliberately store or expose IP addresses. No IP-to-clip associations are maintained.
In theory, yes. With 9,000 possible codes and no rate limiting on the database reads, automated enumeration is possible. In practice, you'd have to enumerate all codes within a 5-minute window, and a clip with a random code is unlikely to be targeted. For sensitive data, use a longer-code or end-to-end-encrypted tool.
Yes. After a clip expires (5 minutes), its code is freed up and can be assigned to a future clip. This is by design — with only 9,000 possible codes, recycling is necessary to keep codes available.
The app does not use tracking cookies or analytics pixels on clip content. Firebase SDK communicates with Google's servers and Firebase may use session cookies for authentication state, but no ad tracking or behavioral analytics are implemented.
The application is not currently open-sourced. If security transparency is important for your use case, you should audit the network requests in your browser's developer tools to observe what data is sent and received.
Try Online Clipboard — data deleted in 5 minutes, no account, no tracking.
Open Online Clipboard →