Privacy Policy
Last updated: March 26, 2026
1. Introduction
NullKeep ("we", "us", "our") is committed to protecting your privacy. This policy explains how we
collect, use, and safeguard your information when you use our browser extension and cloud backup
service.
2. Zero-Knowledge Architecture
NullKeep is built on a zero-knowledge architecture. This means:
- Your master password never leaves your device. We do not know it, store it, or
transmit it.
- Your vault is encrypted locally using AES-256-GCM before any data is
transmitted to our servers.
- We cannot decrypt your vault. Even if our servers were compromised, your data
remains encrypted and unreadable without your master password.
- We cannot recover your data if you lose your master password. There is no
"forgot password" for your vault.
3. Information We Collect
3.1 Account Information
When you create a NullKeep Cloud account, we collect:
- Email address: used for account identification and communication
- Account password: stored as a bcrypt hash (this is separate from your vault
master password)
3.2 Vault Data (Cloud Subscribers Only)
If you subscribe to NullKeep Premium, we store your encrypted vault blob. This blob is:
- Encrypted with your master password before upload
- Compressed for efficiency
- Stored as an opaque binary file; we cannot read its contents
3.3 Usage Information
We collect minimal technical information:
- Login timestamps
- Device/browser user-agent (for session management)
- Vault upload timestamps and file sizes
3.4 What We Do NOT Collect
- Your master password
- Your decrypted vault contents (passwords, usernames, notes)
- Your browsing history
- Analytics or tracking data
4. How We Use Your Information
- To authenticate you and manage your account
- To store and deliver your encrypted vault backup
- To process subscription payments
- To send critical account-related emails (e.g., password reset, subscription expiry)
We do not sell, rent, or share your personal information with third parties.
5. Data Storage & Security
- Account passwords are hashed using bcrypt with a cost factor of 12
- All communication uses TLS/HTTPS encryption
- Vault blobs are stored in a sharded filesystem with restricted access
- Sessions expire after 30 days of inactivity
6. Data Retention
We retain your data as long as your account is active. If you delete your account:
- Your account record is permanently deleted
- Your encrypted vault blob is permanently deleted from our servers
- Active sessions are invalidated
7. Your Rights
You have the right to:
- Access your personal data at any time via your dashboard
- Download your encrypted vault backup
- Delete your account and all associated data
- Export your vault in an unencrypted format from the extension
8. Third-Party Services
We may use the following third-party services:
- Stripe: for payment processing (subject to Stripe's Privacy Policy)
- Have I Been Pwned โ for breach checking via k-anonymity API (no complete
passwords are ever sent)
9. Children's Privacy
NullKeep is not intended for use by individuals under the age of 13. We do not knowingly collect
personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an
updated date. Continued use of NullKeep after changes constitutes acceptance of the updated policy.