Content is encrypted in your browser with AES-256-GCM before being sent to the server. The key lives only in the URL fragment (#…) — never transmitted to or stored on the server. Even a full server compromise cannot recover your plaintext.