From my understanding, the link contains 2 parts -- paste ID, and decryption key _following_ a "#". Assuming the latter isn't going into the server logs (I believe the fragment identifier isn't sent in headers at all, unless there's JS on the page to tell the server about it), the actual decryption seems to be taking place via javascript (as well as the encryption to begin with), and therefore the encryption key has no reason to be sent to the server at any point.
