Legal

Privacy Policy

Effective Date: March 28, 2025 · Last Updated: March 28, 2025

NullVector Security, Inc. ("NullVector LLM Scanner," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our LLM security scanning platform and related services (collectively, the "Service"). By accessing or using the Service, you agree to the terms of this Privacy Policy.

1. Information We Collect

Account Information. When you register, we collect your name, email address, and authentication credentials (via OAuth). We do not store passwords directly; authentication is handled by our OAuth provider.

Billing Information. Payment processing is handled by Stripe. We store only your Stripe Customer ID and Subscription ID. We never store full card numbers, CVV codes, or bank account details.

Target Configuration. We store the endpoint URLs, model names, and encrypted API keys you provide when configuring scan targets. This information is used solely to execute scans on your behalf.

Scan Data. We store scan configurations, probe selections, findings, severity ratings, attack prompts, model responses, and remediation recommendations generated during your scans. This data is scoped to your account and is not shared with other users.

Usage Data. We automatically collect information about how you interact with the Service, including IP addresses, browser type, pages visited, scan counts, and API call metadata. This data is used for analytics, quota enforcement, and service improvement.

2. How We Use Your Information

We use the information we collect to: (a) provide, operate, and maintain the Service; (b) process payments and manage subscriptions; (c) enforce usage quotas and tier-based feature access; (d) send transactional communications such as scan completion notifications and billing receipts; (e) detect and prevent fraud, abuse, and security incidents; (f) comply with legal obligations; and (g) improve the Service through aggregated, anonymized analytics.

We do not use your scan data, target configurations, or model responses to train any AI or machine learning model, and we do not sell your personal information to third parties.

3. Data Storage and Retention

Storage. Scan reports and vulnerability artifacts are stored in Amazon S3 (us-east-1) with server-side AES-256 encryption. Database records are stored in a managed MySQL-compatible database with encryption at rest and TLS-enforced connections in transit.

Retention. Scan reports are retained for the period defined by your subscription tier: 7 days (Free), 90 days (Pro), or 365 days (Enterprise). Account data is retained for the duration of your account and for up to 90 days following account deletion to comply with legal and audit obligations. Billing records are retained for 7 years as required by applicable financial regulations.

Deletion. You may request deletion of your account and associated data by contacting us at [email protected]. We will process deletion requests within 30 days, subject to legal retention obligations.

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

Service Providers. We share data with trusted third-party service providers who assist us in operating the Service, including Stripe (payment processing), Amazon Web Services (cloud infrastructure), and our OAuth provider. These providers are contractually bound to protect your data and may not use it for their own purposes.

Legal Requirements. We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

Business Transfers. In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity, subject to the same privacy protections described in this policy.

5. Security Controls

NullVector LLM Scanner implements the following security controls consistent with SOC 2 Type II principles:

Encryption. All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Target API keys are stored using application-level encryption in addition to database-level encryption.

Access Control. Access to production systems is restricted to authorized personnel using multi-factor authentication. Role-based access control (RBAC) is enforced at the application layer. Users can only access their own scan data, targets, and API keys.

Audit Logging. All administrative actions, authentication events, and API calls are logged with timestamps, user identifiers, and IP addresses. Logs are retained for a minimum of 90 days.

Vulnerability Management. We conduct regular dependency audits and apply security patches on a defined schedule. Security incidents are investigated and remediated according to our internal Incident Response Plan.

6. Cookies and Tracking

We use session cookies to maintain your authenticated state. These cookies are set with the HttpOnly and Secure attributes and a restrictive SameSite attribute (Lax or Strict), so browsers do not send them with cross-site requests; this helps prevent cross-site request forgery (a SameSite=None setting would permit cross-site sending and provide no such protection). We do not use third-party advertising cookies or behavioral tracking technologies. Analytics data is collected using privacy-respecting, first-party analytics.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access and Portability. You may request a copy of the personal data we hold about you in a machine-readable format.

Correction. You may update your account information directly from the Settings page within the Service.

Deletion. You may request deletion of your account and personal data as described in Section 3.

Objection and Restriction. You may object to certain processing activities or request that we restrict processing of your data in specific circumstances.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may require identity verification before processing certain requests.

8. International Data Transfers

NullVector is operated from the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States, which may have different data protection laws than your country of residence. By using the Service, you consent to this transfer. Where required by applicable law, we implement appropriate safeguards such as Standard Contractual Clauses for transfers from the European Economic Area.

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at [email protected] and we will delete the information promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

NullVector Security, Inc.

Privacy Inquiries

[email protected]