Security & Privacy

Privacy isn't just a feature of NullPad; it's the foundation of the entire application.

Data Sovereignty

Local-By-Default: All notes remain strictly on your device's localStorage unless you explicitly enable cloud sync.
Browser Isolation:Your notes are isolated from other websites by the browser's built-in Same-Origin Policy.

We believe your notes are private.

Zero Tracking: We do not use behavioral trackers, session recorders, or marketing cookies.
Anonymized Technical Logs: Like most web services, our infrastructure (Cloudflare/Firebase) processes technical logs (IP, request metadata) for security and DDoS protection. These are never used for user profiling. Refer to Cloudflare's and Firebase's privacy policies for details on their data handling.

Our Cloud Sync uses industry-standard AES-256-GCM encryption.

Zero-Knowledge: Notes are indecipherable to us and our service providers.
No Password Storage: Your password is never transmitted to or stored on our servers.
Custom Salt Support: For advanced users, custom salts add an extra layer of entropy and control over the encryption process. Learn how to manage them in Sync & Storage.

We use Firebase Authentication to support Google and GitHub sign-ins.

This allows for secure identity management without us ever handling your actual credentials.
Your session is managed locally — we never handle your Google or GitHub credentials directly.
Use of these providers is subject to their respective privacy policies.

NullPad provides the tools for high-security documentation, but the final responsibility lies with the user.

Password Hygiene: Ensure you use a strong, unique password for encryption.
Compliance: NullPad can be used in GDPR, HIPAA, or high-OPSEC environments, but compliance depends on your specific configuration (e.g., opting for 100% local storage).