NullRoute - Privacy Policy

1. Overview

NullRoute is a cybersecurity research project that analyzes real-time attack data from honeypot sensors. This privacy policy explains how we handle data on this website.

Last updated: March 2026

2. Responsible Party

Jan Steck
c/o Online-Impressum #7050
Europaring 90
53757 Sankt Augustin, Germany

E-Mail: [email protected]

A data protection officer has not been appointed as this is not required by law for this type of processing.

3. Data We Collect

3.1 Website Visitors

When you visit this website, technical connection data (e.g. IP address, request headers) may be processed by our infrastructure providers to deliver the website securely. We do not use tracking or analytics cookies.

The authenticated dashboard uses a strictly necessary session cookie for access control. This cookie expires automatically after 24 hours and contains no tracking data.

3.2 Email Subscription

If you voluntarily provide your email address via the notification form, we store your email address solely for the purpose of sending you launch updates. Email subscriptions require confirmation via a double opt-in process. Legal basis: your consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time by contacting [email protected] - your data will be deleted without delay.

3.3 Honeypot Data

NullRoute collects IP addresses, attack patterns, credentials, and malware samples from unauthorized access attempts on our honeypot systems. IP addresses are treated as personal data under GDPR.

The processing is limited to data generated by unsolicited connection attempts to publicly reachable systems. No active targeting or monitoring of individuals takes place. This data is not provided directly by the data subject (Art. 14 GDPR).

Legal basis: legitimate interest in cybersecurity research and defense against unauthorized access (Art. 6(1)(f) GDPR). Our legitimate interest lies in analyzing attack behavior, improving defensive capabilities, and contributing to cybersecurity research.

4. Legal Basis Summary

Processing of personal data is based on the following legal grounds:

Art. 6(1)(f) GDPR - legitimate interest in cybersecurity research, secure website delivery, and defense against unauthorized access (honeypot data, infrastructure providers)
Art. 6(1)(a) GDPR - consent for voluntary email subscription

Providing personal data is neither legally nor contractually required. Failure to provide data may limit the ability to receive updates (email subscription).

5. Third-Party Services

This website uses the following external services:

Cloudflare - CDN and DDoS protection. Cloudflare may process connection metadata (IP address, request headers) per their privacy policy.
Google Fonts - JetBrains Mono font delivery. Google may receive your IP address when loading fonts.
AbuseIPDB / VirusTotal - Threat intelligence lookups for IP addresses and malware samples captured by our honeypots (no visitor data is shared).
Anthropic API - AI-based analysis of aggregated attack statistics. No personal data is transmitted.
Telegram API - Internal alert notifications. May include single IP addresses from attack events.

The use of Cloudflare and Google Fonts is based on Art. 6(1)(f) GDPR (legitimate interest in secure and efficient delivery of the website).

Recipients of personal data may include infrastructure providers, security services, and analysis tools as listed above.

Some of these services are provided by companies based outside the European Union. Data transfers may occur to countries without an adequacy decision. In such cases, appropriate safeguards such as Standard Contractual Clauses (Art. 46 GDPR) are applied.

6. Data Retention

Honeypot attack data is retained for up to 90 days. Evidence and analysis logs are retained for 30 days. Malware samples may be retained longer for ongoing research, stored in isolation.

Technical connection data processed by infrastructure providers (e.g. Cloudflare) is retained according to their respective policies.

Session cookies for authenticated access expire automatically after 24 hours.

Email subscriptions are retained until you withdraw consent. Upon withdrawal, the email address will be deleted without delay.

7. Your Rights (GDPR)

You have the following rights under the GDPR:

Right of access (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object to processing (Art. 21 GDPR)
Right to withdraw consent at any time (Art. 7(3) GDPR)

You also have the right to lodge a complaint with a supervisory authority in your country of residence or in Germany.

Contact: [email protected]

8. Security

All connections to NullRoute are encrypted via TLS. Access to the dashboard requires authentication. We take reasonable measures to protect any data we handle.