This is a draft outline, not the final document.
Our Privacy Notice is being prepared by qualified UK counsel ahead of Nullsend's Q3 2026 public launch. The final version will be substantively complete before any customer signs up — we won't accept paid signups against an unfinished privacy framework.
If you're evaluating Nullsend for procurement and need the current draft, the negotiated version, or specific clauses reviewed before launch: email hello@nullsend.io with the subject line beginning [legal]. We aim to respond within one business day.
What this document will cover
- Who this notice applies to
- What personal data we collect, and why
- What we don't collect — the architectural picture
- Our legal basis for processing
- How long we keep data
- Who we share data with
- International transfers
- Your rights under UK and EU GDPR
- Cookies and tracking
- Changes to this notice
- How to contact us
1. Who this notice applies to
This Privacy Notice applies to two groups: Nullsend account holders (the businesses who pay for and administer a Nullsend tenant) and recipients of transfers (people who receive files via a Nullsend share link).
The way we handle data is different for each group. Account holders give us identifiable information at signup; recipients are largely anonymous to us.
2. What personal data we collect, and why
The final notice will list, exhaustively, every category of personal data Nullsend processes. Indicatively, this includes:
- Account holder data: business email address, password hash, billing details (handled by Stripe), tenant configuration choices, IP addresses for security and rate-limiting.
- Transfer metadata: tenant ID, sender user ID, file count, ciphertext size, expiry timestamp, recipient email address if branded delivery is used.
- Recipient data: if a sender uses our branded email delivery, the recipient's email address. Recipients who follow a share link directly are not identified to us beyond a truncated IP address logged for the audit trail.
3. What we don't collect — the architectural picture
Because Nullsend's encryption happens in the sender's browser, our infrastructure does not have access to:
- The plaintext contents of any file
- Filenames in plaintext
- The decryption keys for any transfer
- Recipient email addresses for transfers shared by link only (not via branded delivery)
The technical detail behind these statements is documented on our security page.
4. Our legal basis for processing
The final notice will identify, for each category of processing, our lawful basis under UK GDPR Article 6. Expected bases:
- Contract — for processing necessary to provide the service to account holders.
- Legitimate interest — for security logging, rate-limiting, and fraud prevention.
- Legal obligation — for tax records, audit logs, and breach notification.
5. How long we keep data
Indicatively:
- Transfer ciphertext: until the transfer's configured expiry, then deleted within 15 minutes by our automated worker.
- Transfer metadata: deleted when the transfer ciphertext is deleted.
- Audit logs: 12 months by default, configurable up to 7 years on Enterprise.
- Account data: for the duration of the account, plus 30 days after cancellation. Hard deletion requests under GDPR Article 17 are honoured within 30 days.
- Billing records: 7 years (statutory requirement for UK financial records).
6. Who we share data with
A current, machine-readable list of our sub-processors is maintained at /security#subprocessors. We will notify active customers of any changes at least 30 days before they take effect.
We do not sell personal data. We do not share personal data for advertising purposes. We do not use personal data for AI model training, by ours or any third party.
7. International transfers
The final notice will detail every cross-border data flow with the legal mechanism that authorises it. Expected mechanisms:
- UK → EU transfers: covered by the UK government's adequacy regulations for the EEA (in force until at least 2027).
- EU → UK transfers: covered by the European Commission's adequacy decision for the UK (in force until at least 2027).
- Onward transfers to global sub-processors (e.g., Cloudflare PoPs outside the EEA): protected by Standard Contractual Clauses and the UK International Data Transfer Addendum where applicable.
8. Your rights under UK and EU GDPR
The final notice will set out, in plain language, every right you have as a data subject:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Rights related to automated decision-making (Article 22)
It will also explain how to exercise each right, the response timeframe, and your right to complain to the ICO (UK) or your local supervisory authority (EEA).
9. Cookies and tracking
Nullsend's public website (this site) uses no third-party tracking, no advertising cookies, and no behavioural analytics. The only cookies set are essential session cookies required for the application to function once accounts are live.
The final notice will detail every cookie set, its purpose, and its retention.
10. Changes to this notice
When the final notice is published, material changes will be notified to account holders by email at least 30 days before taking effect. The current version will always be available at this URL with a clearly visible "last updated" date.
11. How to contact us
For privacy questions, GDPR rights requests, or to receive the current draft of this notice for procurement review:
Nullsend Ltd
Email: hello@nullsend.io
Legal queries: hello@nullsend.io with subject prefix [legal]
Postal address: Will be published with the final notice. Available on request to procurement teams in the interim.