Confide
Open source · AGPL licensed
collect. encrypt. forget.

Forms without footprints.

Create an account View on GitHub
response.json 
"id": "resp_9f3a...",
"encrypted_payload": "U2FsdGVkX1+mK9...",
"submitted_at": "2026-04-15T22:00:00Z",
// No IP. No identity. No trace.

The problem with
form providers

Most form builders are built to extract, not protect. They log IP addresses that can reveal a respondent’s location. Use device fingerprinting to re-identify anonymous users. Embed third-party trackers that monetize behavior. And store responses in plaintext, accessible to insiders or through legal requests.

How is
Confide different?

Confide is a zero-knowledge form builder. We don't log IP addresses, fingerprint devices, or use third party tracking scripts. Responses are encrypted in the respondent's browser before they hit submit. We mathematically cannot access your data.

How it works

01

You create a form

Your browser generates encryption keys. They stay on your device. We never see them.

02

You share a link

The link contains a public key that lets anyone encrypt responses — but not decrypt them.

03

Someone fills it out

Their answers are encrypted in their browser before submission. We receive unreadable ciphertext.

04

Only you can read it

You (and teammates you authorize) hold the private keys. Only you can decrypt responses.

We don't have a backdoor. We don't have a master key. We built a system where we can't access your data — by design.

What this means for you

You're not liable for our security

If we get breached, hackers get encrypted gibberish. Your data stays safe.

Subpoena-resistant

If we're served a warrant for your data, we can only hand over encrypted blobs. We don't hold the keys. We can't decrypt on behalf of law enforcement.

Note: You can still be compelled to decrypt and share data you control.

Team collaboration without compromise

Grant decryption access to trusted teammates. Each person gets their own secure keys — no shared passwords. Revoke access anytime without re-encrypting existing data.

What this means for your respondents

No account required

They click your link, fill out the form, submit. That's it.

No surveillance

We don't log IP addresses, fingerprint devices, or embed tracking scripts. No cookies. No analytics. No third parties watching.

No metadata trails

We don't record who submitted what, or when, or from where. Responses can't be traced back to individuals — even by you, unless you explicitly ask for identifying info.

What we do see

We're transparent about what we collect:

  • Form metadata — Form titles, field names, when forms were created
  • Response counts — How many responses each form has received (but not who sent them)
  • Account info — Your email, workspace name, billing details
  • Usage data — When you log in, which forms you access (to provide the service)

We don't see:

  • Form responses — encrypted
  • Respondent identities — no IP logs, no tracking
  • What questions reveal — field labels yes, actual answers no

This metadata is necessary to operate the service — but it can't decrypt your responses.

Built for trust

Client-side encryption

Encryption happens in the browser. Your private key never touches our servers.

Anonymous responses

No IP addresses logged. No device fingerprinting. No way to tie a response to a person.

Open source

AGPL licensed. Read the code, audit the encryption, or self-host your own instance.

Form builder

Rich field types — text, multiple choice, ratings, file uploads — with a clean drag-and-drop editor.

Multi-step flows

Guide respondents through accordion or paginated step layouts with progress indicators.

Self-hostable

Deploy on your own infrastructure with Docker Compose in minutes. Own your stack end to end.

FAQ

What if I lose my passkey?

You get a one-time recovery code when you create an account. Store it somewhere safe (password manager, printed copy, secure note).

Without it, your data is permanently lost. We can't recover it. That the point.

Can you recover my data if I forget my password?

No. We don't have a backdoor. We don't have a master key.

This is a feature, not a bug.

What if a team member leaves?

Revoke their access instantly. They lose the ability to decrypt new responses.

Note: They may have already downloaded past responses — manage team access carefully.

What happens if Confide shuts down?

Your data is yours. Export encrypted backups anytime. Decrypt them locally using our open-source decryption tool.

You're never locked in.

How do I know you're not lying?

Our encryption code is open source. Read it, audit it, run it yourself.

Try it yourself: inspect the network traffic. You'll see encrypted payloads, nothing else.

Free to start. Open to inspect.

Ready to collect without compromise?

Create an account Self-host instead →