[LEGAL/privacy.md]

Privacy Policy

Last updated: February 15, 2026 · Status: Surprisingly thorough

“Pending” in the footer refers to our perpetual state of improving this document, not our commitment to privacy. That part is not pending.

1. Who We Are

The Null Hypothesis Foundation (“h₀,” “we,” “us”) operates software products including NetGhost and Niru. Our registered address is on file with the State of Delaware. For privacy inquiries, contact us at root@nullfoundation.org. We do not have a Data Protection Officer because we do not have enough data to protect. We are working on it. The data part, not the officer.

2. The Short Version

Most of our tools run entirely on your device. We collect as little data as possible. We do not sell your data. We do not share it with advertisers. We do not build profiles of you. We genuinely do not want to know what you're doing. The rest of this document explains this in the tedious detail that regulators require.

3. What Data We Collect

We collect different categories of data depending on which product you use and whether you have a paid account:

3.1 Account Information

If you purchase a license: your email address, license key, and payment transaction ID. That's it. We don't ask for your name, birthday, mother's maiden name, or the street you grew up on. Those are security questions, not marketing data, and the distinction matters.

3.2 Payment Information

Payments are processed by Stripe. We do not store your credit card number, CVV, or billing address. Stripe does. Their privacy policy governs that data. We receive only a transaction confirmation and your email. We trust Stripe with the hard part because the hard part is PCI compliance and we value our sanity.

3.3 Device Information

For license activation, we generate a device fingerprint (a hash of hardware identifiers) to enforce seat limits. This fingerprint is a one-way hash — we cannot reverse it to identify your specific hardware. We also store the device name you assigned in System Settings, because it helps you identify which devices are activated. If you named your MacBook “Dave's Work Laptop,” we now know a person named Dave exists. We will do nothing with this information.

3.4 Usage Data

We currently collect no analytics, telemetry, or usage tracking of any kind. No crash reporters. No event logging. No heat maps. The product either works or you email us. This is not a sophisticated approach to product development, but it is an honest one.

3.5 Data Processed On-Device

NetGhost processes all network data locally. Niru processes all audio locally. None of this data is transmitted to our servers, ever. Your packet headers, transcriptions, and meeting notes stay on your machine. We architecturally cannot access them, which is the strongest form of privacy policy: the kind enforced by code, not by promises.

4. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and maintain the Service
  • Process payments and deliver license keys
  • Respond to support requests (when you email us)
  • Enforce license seat limits
  • Comply with legal obligations

That is the complete list. There is no “and other business purposes” catch-all. We hate those too.

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area, we process personal data under the following legal bases:

  • Contract performance: Processing your email and license key to deliver the product you purchased
  • Legitimate interest: Fraud prevention and license enforcement
  • Legal obligation: Tax and financial records as required by law

We do not rely on consent as a legal basis because we do not do anything that requires it. No marketing emails. No tracking. No profiling. Consent is for companies that need permission to do things you wouldn't like. We just didn't do those things.

6. Cookies and Tracking

Our marketing website (the one you're on) uses no cookies, no analytics scripts, no tracking pixels, and no fingerprinting. Our web applications use only essential session cookies required for authentication. We do not use Google Analytics, Facebook Pixel, Hotjar, Mixpanel, or any other surveillance-as-a-service tool. The irony of a privacy company tracking its users was not lost on us, so we simply didn't.

7. Data Sharing

We share personal data with the following third parties, and only for the purposes described:

  • Stripe — Payment processing
  • Supabase — Database and serverless infrastructure (hosts license records)
  • Resend — Transactional email (sends your license key after purchase)

We do not sell personal information. We do not share personal information with advertisers. We do not share personal information with data brokers. We do not share personal information for behavioral advertising. We do not have a “partners” section in this policy because we do not have data-sharing partners. If this changes, we will update this policy and feel terrible about it.

8. Data Retention

We retain your account data (email, license key) for as long as your account is active, plus 2 years for legal and accounting purposes. Payment records are retained for 7 years as required by tax law. Device fingerprints are deleted when you deactivate a device or when your license expires. If you request account deletion, we will process it within 30 days. Some data may persist in encrypted backups for up to 90 days, after which it is permanently deleted. We do not keep data because we might need it someday. “Someday” is not a retention policy.

9. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

  • Access — Request a copy of the data we hold about you
  • Rectification — Correct inaccurate data
  • Erasure — Request deletion of your data
  • Portability — Receive your data in a machine-readable format
  • Object — Object to processing based on legitimate interest
  • Do Not Sell (CCPA) — We don't sell your data, but you can formally tell us not to, and we will formally continue not doing it

To exercise any of these rights, email root@nullfoundation.org. We will respond within 30 days (GDPR) or 45 days (CCPA). We will not charge you for reasonable requests. We will not retaliate against you for exercising your rights. That is both the law and common decency.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, and secure infrastructure. We use reputable cloud providers with SOC 2 compliance. We do not store payment credentials. License keys are stored with hashed device identifiers. That said, no system is perfectly secure, and we cannot guarantee absolute protection. We can guarantee we take it seriously — which, for a company that builds security tools, would be embarrassing not to.

11. Children's Privacy

Our services are not directed to individuals under the age of 13. We do not knowingly collect personal information from children. If we discover that we have inadvertently collected data from a child under 13, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at root@nullfoundation.org.

12. International Transfers

Our infrastructure is hosted in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) where required for transfers from the EEA. We acknowledge this is not a perfect solution. Neither is international data privacy law, but here we are.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the “Last Updated” date. We will not make changes that reduce your rights without your consent. If we materially change how we handle your data, we will also send an email notification to active account holders. You deserve to know, even if you don't read it.

14. Contact

For privacy-related questions, requests, or complaints: root@nullfoundation.org. For general inquiries: root@nullfoundation.org. We will respond. We may not respond quickly, because we are small and probably deploying something, but we will respond.

This privacy policy is written in plain language because GDPR Article 12 requires it and because we believe obfuscating your rights behind legal jargon is a choice, not a necessity. If other companies' privacy policies are unreadable, it's not because the law requires it. It's because they have more to hide.