Your inbox and other personal information are yours even though we help you by storing it and making it accessible through our user-friendly interface. Exactly which part of your data is processed by us and why, depends on how you are using our Website and the StartMail Service.
1. Visiting our Website, until the session ends
When you visit the Website, the following details are automatically processed for the duration of your session:
- Your IP address
→ to allow effective troubleshooting.
- Browser and operating system type and version
→ to display the Website in the right format for your browser and operating system.
- Browser language settings
→ to show you the Website in the right language.
- Country (based on IP-address), date and time
→ to know in which countries and at what moments our marketing efforts appear to be effective.
- Origin of your visit (such as whether you directly typed the Website URL, or accessed the Website through a search engine query or link from another website)
→ to assess the success of our search engine optimization and information outreach efforts.
- Clicked links and visited (parts of) pages on our Website
→ to help us get an idea of which of our pages appear to be effective to inform our visitors. When your session ends all of this information is either deleted or anonymized, with the exception of the IP address, which will be anonymized (using a sha-256 hash with salt) after a maximum of 48 hours, and completely deleted within a maximum of 3 days (33 days for beta accounts).
When your session ends all of this information is either deleted or anonymized, with the exception of the IP address, which will be anonymized (using a sha-256 hash with salt) after a maximum of 48 hours, and completely deleted within a maximum of 3 days (33 days for beta accounts).
We collect the anonymized information above, excluding the SHA-256 hash of your IP address, on an aggregate level, in order to analyse usage trends and for troubleshooting purposes.
2. Signing up for an Account
When signing up for the StartMail Service you are asked to provide:
- A name that you choose (optional and may be an alias or pseudonym, but see also our Terms of Service),
- → to be able to address you when we communicate with you.
- Verification email address → This address is used to send you an activation link to activate your StartMail trial account. To maintain the integrity of the StartMail service, StartMail must take measures to avoid the automatic creation of accounts by spammers. This is because if spammers use StartMail to send messages, StartMail’s IP addresses can become blocked by major mail providers such as Gmail, Yahoo, Outlook, etc.
- Your desired email address (required),
→ to provide you with your StartMail email address
- A password (required),
→ to provide authentication for your Account.
- A Recovery Email Address (optional, see also our ToS),
→ to communicate with you in the event that you need to recover access to your StartMail Account should you ever lose your password.
- An invite code (optional, if you have one),
→ to give you the benefit of a promotional offer.
- Your preference as to whether you would like to subscribe to our newsletter(s),
→ to send you our newsletters only if you want to receive them.
3. Paying for a Personal Account
StartMail offers a paid subscription service which can be paid for with various online payment methods. To facilitate payment and to manage the customers’ subscription, StartMail works with third-party payment providers and a subscription management provider.
- For payment processing, StartMail relies on third parties such as Stripe and Paypal to process payment details such as credit card information to process your payments or refunding such payments. In accordance with Payment Card Industry Security Standards (PCI DSS), which our payment and subscriptions providers all adhere to, they are not permitted to use your information for anything other than processing your payment.
- For subscription management, StartMail relies on Chargebee to manage customer lifecycle operations such as managing trials, assigning credits, issuing refunds and making mid-cycle subscription Our subscription management provider processes data only as our ‘processor’ (as intended in the GDPR). Through our data processing agreement, we have bound this provider to only process data in order to provide their services to us and not for other purposes. In addition, we pseudonymize your data before providing it to our subscription management provider.
StartMail necessarily must share some information with these third-party data processors to provide the StartMail Service
The legal basis of this processing is the performance of the contract between you and StartMail.
In order to protect your privacy, StartMail will minimize the type and amount of data which is being shared with our data processors so you can make use of the StartMail service without sharing more of your private information than necessary.
For example: For StartMail to manage your subscription through Chargebee, a unique and random identifier is generated and shared with Chargebee. This unique identifier enables StartMail to link your StartMail e-mail address to your subscription at Chargebee but not the other way around. Chargebee only receives this unique identifier and as a result Chargebee cannot directly link the payment details to the email address you have registered at StartMail. This provides an additional safeguard to protect your privacy. For additional privacy, StartMail also offers anonymous payment methods. Please send a message to firstname.lastname@example.org to receive more information on how to perform such a payment.
Information required for Payment, billing and subscription information
The specialized payment and subscription providers Stripe, Paypal and Chargebee have been carefully chosen to responsibly process payment details and billing information which is used to manage your subscription. These companies have strict security standards, as laid down in the Payment Card Industry Security Standards (PCI DSS), with which they are fully compliant. These providers store account payment details under a unique number but cannot connect the payment data to the account email address. The StartMail system also works with this unique number and has no direct access to Stripe’s system – effectively separating the two systems
- Both Stripe and Chargebee are certified under the EU-US and Swiss-US Privacy Shield.
- Chargebee’s Privacy Shield certification can be viewed here. For more information, please visit Chargebee’s EU data transfers support page here
- Stripe’s Privacy Shield certification is here, and Stripe’s Privacy Shield Policy here. For more information, please visit Stripe’s EU data transfers support page here.
4. Location of data
The StartMail databases (containing customer emails which are stored in encrypted user vaults) are located in data centers in the Netherlands. Payment and subscription details are stored in the (cloud) servers used by our payment and subscription management providers, outside of the EU. See below for more information.
Stripe’s data (credit card information for payment processing) is hosted solely in data centers in the US. Under EU data protection law, there is no requirement to localize, i.e., to store data in the EU. However, when data is transferred to a non-EU country that does not offer the same level of data protection as the European Union’s General Data Protection Regulation (GDPR), a data transfer mechanism has to be implemented to ensure this protection. To ensure this protection, Stripe has certified to the EU-U.S. and Swiss-U.S. Privacy Shield.
Chargebee has servers located in Northern Virginia (US) and the DR site in Frankfurt (EU). As it is not mandatory to maintain servers in the EU region. To facilitate this, StartMail and Chargebee have a Data Processing Addendum (DPA) for the transfer of data outside of the EU. StartMail uses pseudonymization to ensure that our subscription management provider cannot relate your subscription information to your e-mail address.
Paypal processes data in the US and is certified under EU-US Privacy Shield. Please see Paypal’s privacy statement to understand how they manage your payment details.
5. Using the StartMail Service
- All of your email messages are stored in a secure User Vault on our servers. All information in the vault is encrypted (see StartMail Gives You Ironclad Data Protection on how we use encryption to protect your data)
- Everything you can see through the regular user interface (your inbox and folders, including spam folder) is stored, and is stored safely in the User Vault.
- Additionally, the following is also stored in the User Vault:
- personalized spam preferences of the User as part of the self-learning process of the spam filter
- a search index, which allows an efficient email search functionality
For several functions in the StartMail Service, such as logging in or account recovery, a SHA-256 hash of your IP-address is stored for several minutes for the purpose of preventing brute force attacks.
When you use the StartMail Service to send an email, your IP address is not included in the header of the email. Instead our IP address is shown.
6. Communicating with Us
7. Subscribing to our newsletter
On our support form, you have the option to subscribe to our newsletter. If you have subscribed, you may receive our newsletters until you have unsubscribed. You can unsubscribe at any time.
8. Deleted is Deleted
When you delete an email, it is immediately deleted from our production servers, unlike what happens with many other webmail providers. Only on the off-site backups (which are fully encrypted, of course) a copy will remain for the maximum retention period of three days.
Your Account will be stored for as long as our Agreement remains in force. When an Agreement is fully terminated, all data contained in the Account, including all emails, will be deleted permanently.
9. Viewing and Amending your Personal Data