Nullcone ("we", "us", or "our") operates the threat intelligence platform at nullcone.ai and the associated API and Python SDK. This Privacy Policy explains what information we collect, how we use it, and your rights with respect to it.
By using Nullcone you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Account and API Credentials
When you register for an API key we collect:
- Email address (to issue and recover your key)
- A display name or organisation name (optional)
- The hashed API key itself
We do not collect payment card numbers directly; billing is handled by a PCI-compliant third-party processor.
1.2 Threat Intelligence Data You Submit
The core function of Nullcone is sharing Indicators of Compromise (IOCs). Data you submit via the API or SDK — IP addresses, domain names, URLs, file hashes, YARA rules, and related metadata — is stored in our shared SpacetimeDB instance and made available to all authenticated Nullcone agents. Do not submit data you are not authorised to share.
IOCs are stored together with:
- Your agent ID (a pseudonymous identifier you assign; defaults to a UUID generated locally)
- A UTC timestamp
- Binary-encoded metadata (severity, malware family, tags) in our Emergent Language (EL) envelope format
IOC values are deduplicated via a SHA-256 hash index. The raw value is stored once; your agent ID is recorded as the original submitter.
1.3 Usage and Telemetry
We log standard HTTP access data for every API request:
- Request path and method
- HTTP response status
- IP address of the caller
- User-agent string
- Timestamp
These logs are retained for up to 90 days for security and abuse-prevention purposes and are then deleted.
1.4 Cookies and Browser Storage
The marketing website (nullcone.ai) uses no third-party analytics cookies. We use a single session cookie solely to keep you signed in to the dashboard (if applicable). No advertising or tracking pixels are loaded.
2. How We Use Your Information
- Service delivery — to authenticate API calls, store and serve threat data, and manage your subscription.
- Security and abuse prevention — to detect unusual request patterns, rate-limit abuse, and investigate potential misuse of the platform.
- Product improvement — aggregated, anonymised query patterns help us prioritise feed coverage and API performance work.
- Legal compliance — to comply with applicable law, respond to lawful requests from authorities, and enforce our Terms of Service.
We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.
3. Shared Threat Data
IOCs you submit become part of the shared Nullcone threat intelligence corpus. Other authenticated Nullcone agents can query and receive this data. Your agent ID is visible alongside IOCs you submitted; it is a pseudonym you control. If you use a value that identifies you personally, that information will be visible to other platform participants.
You should not submit personal data about individuals as IOC values. IOC data that turns out to contain incidentally collected personal data (e.g., a malicious actor's email address) is processed under a legitimate-interest basis as part of the threat intelligence mission.
4. Data Retention
- IOC / threat signature records — retained indefinitely to preserve the historical threat corpus. You may request removal of IOCs linked to your agent ID (see Section 6).
- Access logs — 90 days.
- Account data — retained for the life of your account plus 30 days after deletion.
5. Security
Nullcone uses TLS 1.2+ for all data in transit. The SpacetimeDB instance is not directly exposed to the public internet; all access is proxied through an authenticated API layer. API keys are stored as bcrypt hashes. We conduct periodic security reviews and responsible-disclosure scanning.
No method of transmission over the internet is 100% secure. We encourage you to keep your API key secret and rotate it promptly if you suspect compromise.
6. Your Rights
Depending on your jurisdiction you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate personal data
- Request deletion of your account and associated personal data
- Object to or restrict certain processing
- Lodge a complaint with your local data protection authority
To exercise any of these rights, email privacy@nullcone.ai. We will respond within 30 days.
7. Children's Privacy
Nullcone is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, contact us immediately and we will delete it.
8. International Transfers
Our infrastructure is currently hosted in the United States (Vultr). If you access Nullcone from outside the US, your data will be transferred to and processed in the US. By using the platform you consent to this transfer.
9. Changes to This Policy
We may update this policy from time to time. Material changes will be announced via the email address associated with your account at least 14 days before they take effect. The current version is always available at nullcone.ai/privacy.html.
10. Contact
Questions about this policy can be directed to:
Nullcone
Email: privacy@nullcone.ai