Privacy Policy

Last Updated: May 2026

Your privacy is the foundation of NullPad. NullPad is operated by Lucas Vazzoller Marangoni, acting as the Data Controller. This policy explains how we handle data when you use our service, whether locally or with a cloud account. For privacy-related inquiries or to exercise your rights, please contact us at privacy@nullpad.app.

1. Information We Collect

  • Account Data: If you create an account, we store your email (via Firebase Auth), a chosen nickname, and your subscription status.
  • Technical Logs: Our infrastructure (Cloudflare/Firebase) processes technical data like IP addresses and request metadata for security, DDoS protection, and performance.
  • Encrypted Blobs: If you use Cloud Sync, we store your notes as encrypted blobs. We cannot read the content of these blobs.

2. How and Why We Process Your Data

  • Authentication and Synchronization (Optional): If you choose to create an account using Google or GitHub (via Firebase Auth) to sync your information, we collect your email address.
    • Legal Bases: Performance of a Contract — Art. 7, V of LGPD (Brazil) and Art. 6(1)(b) of GDPR (Europe).
  • Subscription Processing (Paddle): When you subscribe to a plan, Paddle manages the payment. We receive the necessary information to confirm the transaction and provision your subscription features.
    • Legal Bases: Performance of a Contract and Compliance with Legal Obligations — Art. 7, II and V of LGPD (Brazil) and Art. 6(1)(b) and (c) of GDPR (Europe).
  • Security & Infrastructure (Technical Logs): We process technical logs to protect the system and prevent abuse.
    • Legal Bases: Legitimate Interests — Art. 7, IX of LGPD (Brazil) and Art. 6(1)(f) of GDPR (Europe).

3. Information We Do NOT Collect

  • Unencrypted Content: We never see your notes, titles, or encryption keys.
  • Passwords: Your session passwords never leave your browser.
  • Behavioral Tracking: We do not use cookies for tracking, marketing, or profiling.

4. Data Storage, Sovereignty, and International Transfers

  • Local Storage: Notes are stored in your browser's IndexedDB. You can enable At-Rest encryption for added local security.
  • Cloud Synchronization: Optional sync uses AES-256-GCM client-side encryption.
  • Third-Party Providers: We use Firebase (Google) for authentication, Cloudflare for infrastructure, and Paddle for billing. These providers have their own privacy policies.
  • International Transfers: Since Firebase, Cloudflare, and Paddle operate globally, your account metadata, email, IP addresses, and transaction details may be transferred to and processed in the United States and other countries outside of Brazil or the European Economic Area (EEA). These transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) and data processing agreements that guarantee a level of data protection equivalent to the GDPR and LGPD.

5. Your Rights

Under the GDPR (Europe) and LGPD (Brazil), you have several rights regarding your personal data:

  • Confirmation & Access: You can request confirmation of whether we process your data and receive a copy of the personal data we hold about you.
  • Rectification: You can request correction of inaccurate or incomplete personal data.
  • Erasure (Right to be Forgotten): You can delete your account at any time via the Profile settings. We enforce a 30-day "Soft Delete" grace period before your account and data are permanently purged from our servers.
  • Portability: You can request the transfer of your personal data to another service provider.
  • Objection to Processing: Since we do not rely on consent but on Contract Execution (for sync/billing), Legal Obligations (for tax records), and Legitimate Interests (for security logs), you can object to the processing of your data if you believe it is done in violation of the law. Note that objecting to data processing necessary for our services (like sync) will require account deletion.
  • Information on Sharing: You have the right to be informed about which entities we share your data with (Firebase, Cloudflare, and Paddle, as listed in Section 4).
  • Lodge a Complaint: You have the right to file a complaint regarding our data practices with a supervisory authority, such as the ANPD in Brazil (gov.br/anpd) or your local Data Protection Authority in the EU/EEA.

How to exercise your rights: To submit a request regarding your rights, contact us at privacy@nullpad.app. To protect your privacy and security, we may request verification of your identity before fulfilling your request.

Response time: We will respond to your request within 30 days (or 15 business days under the LGPD rules for small-scale controllers). In cases of high complexity or multiple requests, this period may be extended by an additional 60 days, in which case you will be notified of the extension and the reasons for it.

6. Security Compliance

NullPad is designed to comply with global data protection standards by minimizing data collection and ensuring all sensitive data remains under user control through encryption.

7. Contact

For privacy-related inquiries, please contact privacy@nullpad.app.

Copyright © 2025 Lucas Vazzoller Marangoni (NullPad.app). All rights reserved.
Contact: contact@nullpad.app · Security: security@nullpad.app