Data Protection
Last updated: November 3, 2025
GDPR & Data Protection Compliance
SecureMail is committed to full compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws. Your data protection rights are fundamental to our service design.
1. Data Protection Principles
Our data handling practices are guided by core protection principles:
- Lawfulness, Fairness, Transparency: All data processing has a legal basis and is transparent
- Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes
- Data Minimization: Only necessary data is collected and processed
- Accuracy: We maintain accurate and up-to-date data
- Storage Limitation: Data is kept no longer than necessary
- Integrity and Confidentiality: Appropriate security measures protect data
- Accountability: We can demonstrate compliance with these principles
2. Types of Personal Data We Process
2.1 Data We Collect
- Account Data: Email address, encrypted password
- Recovery Data: Encrypted seed phrase for account recovery
- Technical Data: IP address, timestamp, device information
- Communication Data: Encrypted email content (which we cannot read)
2.2 Data We Don't Collect
- Real names or personal identifiers beyond email
- Phone numbers or addresses
- Payment information (service is currently free)
- Location data or device fingerprints
- Email content or message metadata beyond technical requirements
3. Legal Basis for Processing
We process personal data based on the following legal grounds:
- Contract Performance: To provide the email service you requested
- Legitimate Interest: For security, fraud prevention, and service improvement
- Legal Obligation: When required by applicable law
- Consent: For any optional processing activities
4. Your Data Protection Rights
Under GDPR and other data protection laws, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Right of Access | Request copies of your personal data | Contact us through secure channels |
| Right to Rectification | Request correction of inaccurate data | Update through account settings or contact us |
| Right to Erasure | Request deletion of your personal data | Contact us with deletion request |
| Right to Restrict Processing | Limit how we process your data | Contact us with your restrictions |
| Right to Data Portability | Receive your data in a standard format | Contact us for data export |
| Right to Object | Object to certain types of processing | Contact us with your objections |
5. Data Retention
5.1 Retention Periods
- Active Accounts: Data retained while account is active
- Deleted Accounts: All data permanently deleted within 30 days
- Email Content: Retained according to user settings and self-destruct timers
- Technical Logs: Rotated and deleted within 24-48 hours
- Security Data: Limited retention for security incident investigation
5.2 Deletion Process
When you request account deletion or your account becomes inactive:
- Account is marked for deletion
- All user data is securely deleted from primary systems
- Backup systems are updated to exclude the data
- Cryptographic keys are securely destroyed
- Deletion is verified and logged
6. International Data Transfers
Your data may be processed in countries outside your country of residence. When we transfer data internationally, we ensure adequate protection through:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions for approved countries
- Other legally recognized transfer mechanisms
Regardless of where your data is processed, it remains protected by the same high-security standards and encryption protocols.
7. Data Security Measures
7.1 Technical Safeguards
- End-to-end encryption for all communications
- Encryption at rest using AES-256
- Secure key management with Hardware Security Modules
- Regular security updates and patches
- Intrusion detection and prevention systems
7.2 Organizational Safeguards
- Employee training on data protection
- Access controls and authentication requirements
- Regular security audits and assessments
- Incident response procedures
8. Data Breach Notification
In the unlikely event of a data breach affecting your personal data:
- We will investigate and contain the breach immediately
- Relevant authorities will be notified within 72 hours
- Affected users will be notified without undue delay
- Detailed information about the breach will be provided
- Steps taken to address the breach will be documented
9. Children's Data Protection
Our service is not intended for individuals under 13 years of age. We do not knowingly collect personal data from children under 13. If we become aware that we have collected such data, we will delete it immediately.
For users between 13 and 16 years old, we will obtain parental consent where required by applicable law.
10. Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and compliance. The DPO can be contacted for any data protection-related inquiries.
11. Complaints and Supervisory Authority
If you have concerns about our data protection practices, you have the right to lodge a complaint with the relevant supervisory authority in your country of residence.
EU users can contact their local Data Protection Authority. California users can contact the California Attorney General's office.
12. Updates to Data Protection Policy
We may update this Data Protection Policy from time to time to reflect changes in our practices or legal requirements. We will notify users of significant changes through email or in-service notifications.
13. Contact Information
For any questions about this Data Protection Policy or to exercise your data protection rights, please contact us through our secure channels. We are committed to addressing your concerns promptly and transparently.