“Privacy. It’s not just our policy. It’s our mission.”

StartMail is built by the people behind StartPage and Ixquick, the world’s most private search engines. As early as 2005 we recognized privacy as a fundamental human right. We turned out to be ahead of our time. Over the next decade, revelation after revelation showed how much our online privacy had come under attack. In response, we built more and more defenses into our search engines to protect our users. People now use StartPage and Ixquick to find information millions of times per day, without being tracked or profiled.

We then turned to our next challenge: email privacy. Everyone uses email, but sending regular email is like sending a postcard—it makes snooping very easy! Advanced encryption technology already exists to stop hacking and mass surveillance, but making this technology user‐friendly was our challenge. That’s why we built StartMail from scratch: a total solution for protecting your email privacy that includes features like extra-secure data storage, disposable email addresses, and an ownership that will resist unwarranted intrusion. It has easy‐to‐use ‘one‐click’ encryption, and a very clear privacy policy.

We have the ambition to empower people everywhere to take back their online privacy. StartMail is the latest addition to our state-of-the-art privacy-enhancing technologies.

Robert Beens
CEO

StartMail has been developed to Protect your Privacy

StartMail believes that privacy is a fundamental human right. Using StartMail, you can protect yourself against unwarranted intrusion and mass surveillance, and take back your right to communications privacy. Our core values include “privacy by design” and “minimal data retention”.

Our core values are:

  • Privacy by design. Privacy shouldn’t be an afterthought. We built StartMail from scratch, and privacy has always been our main objective.
  • Encryption made easy. Encryption is a must to achieve privacy. While existing encryption solutions for email are cumbersome, StartMail makes encryption easy for everyone.
  • Optimal security. Privacy and security must go hand in hand. There can be no privacy without security.
  • Minimal data retention. We store and process as little personal information about you as possible.
  • Transparency of purpose. We have no hidden agenda with your information. If we store your data at all, we always tell you exactly why.
  • Responsible protection of users’ civil rights. We believe communications privacy is a fundamental right. StartMail protects your email against unauthorized and unconstitutional intrusions.
  • Transparency about our solutions and remaining threat vectors. 100% privacy or security does not exist. We strive to be as open and clear as possible about what our solution can and cannot offer.

Definitions of the capitalized terms are included in the Terms of Service.

We put you Back in Control

We are fully transparent about which data we process and why. We put you back in the driver’s seat when it comes to your data.

Your inbox and other personal information are yours even though we help you by storing it and making it accessible through our user-friendly interface. Exactly which part of your data is processed by us and why, depends on how you are using our Website and the StartMail Service.

1. Visiting our Website, until the session ends

When you visit the Website, the following details are automatically processed for the duration of your session:

  • Your IP address
    → to allow effective troubleshooting.
  • Browser and operating system type and version
    → to display the Website in the right format for your browser and operating system.
  • Browser language settings
    → to show you the Website in the right language.
  • Country (based on IP-address), date and time
    → to know in which countries and at what moments our marketing efforts appear to be effective.
  • Origin of your visit (such as whether you directly typed the Website URL, or accessed the Website through a search engine query or link from another website)
    → to assess the success of our search engine optimization and information outreach efforts.
  • Clicked links and visited (parts of) pages on our Website
    → to help us get an idea of which of our pages appear to be effective in informing our visitors.

When your session ends all of this information is either deleted or anonymized, with the exception of the IP address, which will be anonymized (using a SHA-256 hash with salt) after a maximum of 48 hours, and completely deleted within a maximum of 3 days (33 days for beta accounts).

We collect the anonymized information above, excluding the SHA-256 hash of your IP address, on an aggregate level, in order to analyse usage trends and for troubleshooting purposes.

2. Signing up for an Account

When signing up for the StartMail Service you are asked to provide:

  • A name that you choose (optional and may be an alias or pseudonym, but see also our Terms of Service),
    → to be able to address you when we communicate with you.
  • Your desired email address (required),
    → to provide you with your StartMail email address.
  • A password (required),
    → to provide authentication for your Account.
  • A Recovery Email Address (optional, see also our ToS),
    → to communicate with you in the event that you need to recover access to your StartMail Account should you ever lose your password.
  • An invite code (optional, if you have one),
    → to give you the benefit of a promotional offer.
  • Your preference as to whether you would like to subscribe to our newsletter(s),
    → to send you our newsletters only if you want to receive them.

3. Paying for a Personal Account

For the Personal StartMail Service, we offer various payment methods.

A specialized payment provider (Ogone) processes payment and registers card numbers and secure codes. They have strict security standards, as laid down in the Payment Card Industry Security Standards (PCI DSS), with which they are fully compliant. They store any account payment details under a unique number, but cannot connect the payment data to the account email address. The StartMail system also works with this unique number and has no direct access to Ogone’s system – effectively separating the two systems. StartMail also offers anonymous payment methods for additional privacy.

Please consult the Privacy Policy of our payment provider to learn which of your data Ogone needs to process and why.

4. Using the StartMail Service

  • All of your email messages are stored in a secure User Vault on our servers. All information in the vault is encrypted (see StartMail Gives You Ironclad Data Protection on how we use encryption to protect your data)
  • Everything you can see through the regular user interface (your inbox and folders, including spam folder) is stored, and is stored safely in the User Vault.
  • Additionally, the following is also stored in the User Vault:
    • personalized spam preferences of the User as part of the self-learning process of the spam filter
    • a search index, which allows an efficient email search functionality

For several functions in the StartMail Service, such as logging in or account recovery, a SHA-256 hash of your IP address is stored for several minutes for the purpose of preventing brute force attacks.

When you use the StartMail Service to send an email, your IP address is not included in the header of the email. Instead our IP address is shown.

5. Communicating with Us

Under certain circumstances you may provide information about yourself to us, for example, by sending feedback or asking a question. If this information can be linked, without disproportionate effort, to your real identity, we will treat it as personal information.

We strive to ensure that any of your personal information we obtain through your communication with us is used solely to address the reason you contacted us. We will make every reasonable effort to delete any personal data that is no longer needed from our systems. Our support system is physically completely separated from the StartMail system.

Deleted is Deleted

When you delete an email, it is immediately deleted from our production servers, unlike what happens with many other webmail providers. A copy will remain only on the off-site backups (which are fully encrypted, of course) for the maximum retention period of three days.

Your Account will be stored for as long as our Agreement remains in force. When an Agreement is fully terminated, all data contained in the Account, including all emails, will be deleted permanently.

Viewing and Amending your Personal Data

If you have any questions about our Privacy Policy or if you have questions about viewing, amending or deleting your personal data, you can contact us via email at: legal@startmail.com.

No Tracking or Advertising – Guaranteed

StartMail is an ad-free service. Tracking cookies are strictly forbidden on our StartMail servers. We only use non-tracking cookies, and only to the extent that this is necessary to provide you with a smooth and user-friendly experience, and to understand how our Website is used in general.

Other webmail providers collect and use your personal data to display personalized ads to you. As a result you pay for your webmail with your privacy. We think your privacy is worth more than gold. We therefore don’t track your behaviour online and we don’t build any personal profiles of you. The StartMail Service is strictly ad-free.

What (tracking) cookies are and what they can do

A cookie is a small file that is stored on a computer (such as a PC, smartphone or tablet) when visiting a website. Cookies are very useful to enable a smooth and user-friendly experience on a website, for example so that visitors do not have to supply their login details again for every action on the website, or to remember the contents of a shopping basket. However, so-called ‘tracking cookies’ can also be used to track users across multiple websites and to build personalized profiles for advertising or other purposes, negatively affecting privacy.

StartMail only uses non-tracking cookies, to protect your privacy

StartMail protects your privacy and does not use any tracking cookies. StartMail only uses five strictly non-tracking cookies, named “SMSESSID”, “SMSESSIDQA”, “SMRU”, “pgp_kc_*” and “cookietest”.

These are session-only cookies or expire in accordance with the user’s chosen settings. These cookies allow you to use StartMail smoothly. For example, they keep you from having to supply your Login Details for every action you take in the StartMail Service, and they even enable you to configure after how much time of inactivity you will be asked to provide your password again.

We use only anonymous data to try to improve our services

We collect only strictly anonymous statistics from our domain. Anonymous data is collected only in order to get an idea about what pages are effective in informing our users about the StartMail Service, and to improve the user interface. For example, we count the total number of times each page is being visited and we may get some insight into which pages or features are usually accessed consecutively, but we never know who has visited which pages and when.

We use an open source statistical measurement tool for this, called Piwik. We run this very lightweight tool on our own infrastructure to prevent anybody snooping the data, and we have specifically configured it for minimal data collection to ensure that no personal data is recorded at any time.

StartMail blocks remote content by default, to protect your privacy

Some emails contain remote content (such as images, which may even be invisible). If such remote content is loaded automatically, this enables the sender to know when the e-mail was opened, because the sender can detect when its content was loaded and by whom.

To protect your privacy, StartMail prevents any remote content from being loaded automatically when you open an email. It is possible to explicitly choose to always load such content automatically in your Settings. Please note that you should still be careful to avoid opening any attachments or clicking on any links in any email, unless you trust the sender and the content.

StartMail gives you Ironclad Data Protection

We use state-of-the-art technical and organizational security measures to protect your data.

On the Technical Side, we use state-of-the-art cryptography to protect your data. For example:

  • Traffic between the User and our servers is encrypted with SSL, and perfect forward secrecy is applied.
  • We only store passwords in hashed form on our servers.
  • Your StartMail inbox and its folders are stored in your own encrypted User Vault. Your User Vault is only opened when you login. When it is closed it is inaccessible to anyone.
  • When you are logged out of StartMail, your entire inbox is encrypted. When you are logged in, your unencrypted emails are unencrypted, but all of your PGP-encrypted emails are still encrypted unless you open an encrypted email by submitting your PGP-passphrase.
  • Users can encrypt emails via OpenPGP.
  • The users’ key-pair is stored in the User Vault. Additionally, the private key is encrypted by means of the passphrase. Without the passphrase the private key can’t be decrypted or used.
  • We only use validated encryption algorithms that are considered safe by respected cryptographers.

For more detailed information about our technical security measures, please read our Security White Paper.

On the Organizational Side we have strict protocols in place to ensure the safety of your data. For example:

  • At each level, access to our systems is restricted to authorized staff with a legitimate need to know. This access is tightly limited, and is only for the purpose of providing the StartMail Service to you.
  • Any individual, who is given access to the StartMail system, is required to sign a confidentiality agreement.
  • No third party, contractor, or sub-contractor of StartMail is given access to the system, except for the purpose of enabling us to provide the StartMail Service to you. All such parties must sign a data processing agreement, containing confidentiality provisions and stringent security protocols.

Compliance with Legitimate Requests by Authorities

While we respect and try to protect your privacy to the best of our abilities, your use of StartMail does not place you above the law. But neither do we place authorities above the law. ONLY if we receive a request from Dutch judicial authorities to hand over information about one of our Users, we will have our lawyers check the validity of the request and determine whether we are obliged to comply. We will NOT comply with such requests unless we are convinced that the request is legally valid and we believe that it is undeniably our legal obligation to comply.

We will NOT comply with requests from any authorities other than Dutch authorities. If we receive a request from any foreign government, we will refuse to comply and will instead instruct the requestor to place a formal request to the Dutch authorities for mutual assistance.

StartMail will never cooperate with any voluntary surveillance programs. Under the strong laws that protect the right to privacy in Europe, European governments cannot legally force service providers like StartMail to implement a blanket-spying program on their users.

Requests by Private Third Parties

We will NOT comply with any requests from private third parties to provide information about our Users, unless we receive a valid Dutch court order and we believe it is undeniably our legal obligation to comply.

We will not reduce your rights without your explicit consent

We may change our Privacy Policy from time to time. Any changes to our Privacy Policy will be posted on this page, and we will provide a more prominent notice, such as an email message, if we believe a change significantly affects your privacy. You may also review older versions of our Privacy Policy through our Website.

StartMail complies with the World’s toughest Privacy Laws

StartMail is based in The Netherlands, Europe, where privacy laws and regulations are among the strictest in the world.

For example, to comply with the Dutch personal data protection act (In Dutch: “Wet bescherming persoonsgegevens”):

  • We clearly state the purposes for which we process personal data. This can be found in our privacy policy.
  • We strive to limit the collection of personal data to only those personal data that are necessary for legitimate purposes, such as to create your account and process your payments.
  • We implement appropriate security measures to prevent loss and unauthorized access to your personal data.
  • We respect your right of inspection, correction and removal of your personal data, upon your request.