NullShield

Get started

Privacy Policy

Last updated: 10 April 2026

1. Who we are

NullShield is operated by Damijo Limited, a company registered in England and Wales (company number pending). Our registered office is in Reading, United Kingdom. In this policy, “we”, “us”, and “NullShield” refer to Damijo Limited.

2. What data we collect

We collect the following categories of personal data:

  • Account data: name, email address, and organisation name when you register via Clerk authentication.
  • Billing data: payment information processed securely by Stripe. We do not store card numbers on our servers.
  • Scan data: target URLs you submit for scanning and the resulting security reports.
  • Usage data: pages visited, features used, browser type, and IP address for analytics and rate limiting.
  • Contact data: name, email, and message content when you use our contact form.

3. How we use your data

We process your data for the following purposes:

  • Providing and improving our security scanning service.
  • Processing payments and managing subscriptions.
  • Sending transactional emails (scan results, billing receipts).
  • Responding to support requests.
  • Preventing abuse and enforcing rate limits on free scans.
  • Complying with legal obligations under UK law.

4. Legal basis for processing (GDPR)

We rely on the following legal bases:

  • Contract: processing necessary to provide the service you signed up for.
  • Legitimate interest: analytics, fraud prevention, and service improvement.
  • Consent: marketing emails (you can unsubscribe at any time).
  • Legal obligation: where required by UK law.

5. Data sharing

We share data only with these categories of processors:

  • Clerk — authentication and user management.
  • Stripe — payment processing.
  • Neon — database hosting (EU/UK region).
  • Anthropic — AI analysis of scan results (no PII is sent; only technical scan data).
  • Resend — transactional email delivery.
  • Netlify — application hosting.

We do not sell your data to third parties.

6. Data retention

  • Account data: retained while your account is active, deleted within 30 days of account closure.
  • Scan data and reports: retained for 12 months, then automatically purged.
  • Stored credentials (for authenticated scans): AES-256-GCM encrypted at rest, auto-deleted after the expiry date you set.
  • Contact form submissions: retained for 6 months.

7. Data security

We implement industry-standard security measures including:

  • 256-bit TLS encryption for all data in transit.
  • AES-256-GCM encryption for sensitive data at rest.
  • Secure authentication via Clerk with multi-factor support.
  • Regular security audits of our own infrastructure.
  • SSRF protection on all scan inputs to prevent internal network access.

8. Your rights

Under UK GDPR, you have the right to:

  • Access your personal data.
  • Rectify inaccurate data.
  • Erase your data (“right to be forgotten”).
  • Restrict processing.
  • Data portability.
  • Object to processing.

To exercise any of these rights, email us at privacy@nullshield.org.

9. Cookies

We use essential cookies for authentication and session management. We use analytics cookies only with your consent. You can manage cookie preferences in your browser settings.

10. Changes to this policy

We may update this policy from time to time. We will notify registered users of material changes via email. The “last updated” date at the top reflects the most recent revision.

11. Contact us

For privacy-related questions, contact us at privacy@nullshield.org or use the contact form.