MailServ Email Management Logo

IMAP - SSL/TLS - STARTTLS - SMTP - POP3 - 2FA Webmail Login

"A different approach to organization with option, anonymity and security."

Data Related to the Account

In order to maintain the integrity of the Services, we must take measures to avoid creation of accounts by spammers. This is because if spammers use our service to send messages, IP addresses retained by can become blocked by major mail providers such as Gmail, Yahoo, Outlook, etc.

In order to pursue our legitimate interest of preventing the creation of accounts by spam bots or human spammers, we use a variety of human verification methods. Verification may also be requested for some sensitive operations besides account creation in order to protect against brute-force attacks. You may be asked to verify using either the Captcha (or re-CAPTCHA in the event that the Captcha is unavailable), Email, or SMS. IP addresses, email addresses, and phone numbers provided are saved temporarily in order to send you a verification code and for anti-spam purposes. The period of temporary data retention is determined by our legitimate interests of protecting the service from spam, and also by any applicable Canadian legal requirements we must comply with. If this data is saved permanently, it is always saved as a cryptographic hash, which ensures that the raw values cannot be deciphered by us.

Data Collection

Our overriding policy is to collect as little user information as possible to ensure a completely private and anonymous user experience when using the Services. We have no technical means to access the content of your encrypted emails, files, and calendar events.

Data collection is limited to the following:

Visiting our website: We employ a local installation of open-source analytics tools. Analytics are anonymized whenever possible and stored locally (and not on the cloud).

Account creation: It is not necessary to provide personal information in order to create an account, but you may provide an external email address for notification or password recovery purposes. Should you choose to provide it, we do associate another email address with your account (for password recovery, or notifications).

Account activity: Due to limitations of the SMTP protocol, we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, message subject, and message sent and received times. We do NOT have access to encrypted message content, unencrypted messages sent from external providers to our servers are scanned for Spam and Viruses to pursue the legitimate interest of the protection of our users. We also have access to the following records of account activity: number of messages sent, amount of storage space used, total number of messages, last login time.

Calendar Account activity: The Service needs to be able to access some properties of events in order to send required notifications and alarms. In order to do so, we have access to the following metadata: calendar name and description, event start and end date, repetition rules, attendees’ participation status, alarms and notifications, event creation and update times and event status (confirmed or cancelled). We do NOT have access to the description of the events, their summary or title, locations and the attendees’ details.

Communicating with Your communications with the Company, such as support requests, bug reports, or feature requests may be saved by our staff. The legal basis for processing is our legitimate interest to troubleshoot more efficiently and improve the quality of the service.

IP Logging: By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities. If you are breaking Canadian law, can be legally compelled to log your IP address as part of a Canadian criminal investigation. This obligation however does not extend to subscriber is 100% liable and responsible for their actions on or by thus use of our service.

Payment Information: We rely on third parties to process credit card, PayPal, and Bitcoin transactions and must therefore share payment information with third parties. Anonymous cash or Bitcoin payments and donations are however accepted. The legal basis of this processing is the necessity to the execution of the contract between you and us.

Native Applications: When you use our native applications, we (or the mobile app platform providers) may collect certain information in addition to the information mentioned elsewhere in this Policy. We may use mobile analytics software (such as app statistics and crash reporting, Play Store app statistics, App Store app statistics, or self-hosted Sentry crash reporting) to send crash information to our developers so that we can fix bugs rapidly. Some platforms (such as the Google Play Store or the Apple App Store) may also collect aggregate, anonymous statistics like which type of devices and operating systems that are most commonly used (like percentage of Android 6.x vs Android 7.x), the total number of installs, total number of uninstalls, and the total number of active users, and may be governed by the privacy policy and terms and conditions of the Google Play Store or the Apple App Store. also has access to certain device IDs which are required for sending push notifications to user devices. None of the software on our apps will ever access or track any location-based information from your device at any time. Any personal data acquired during this process is anonymized.

Data Retention

When a account is closed, data is immediately deleted from production servers. Active accounts will have data retained indefinitely. Deleted emails, files, and calendar events are also permanently deleted from production servers.

Data Use

We do not have any advertising on our site. Any data that we do have will never be shared except under the circumstances described below in the Data Disclosure Section. We do NOT do any analysis on the limited data we do possess with two exceptions:

  • Emails sent unencrypted to accounts (e.g. Gmail to MailServ) are scanned automatically pursuing the legitimate interest of detecting spam so we can block IPs which are sending a lot of spam to MailServ users and place spam messages in a spam directory. Inbound messages are scanned for spam in memory, and then encrypted and written to disk. We do not possess the technical ability to scan messages after they have been encrypted.
  • Emails sent by MailServ users to outside (e.g. Gmail) users with encryption disabled are scanned automatically pursuing the legitimate interest of detecting spam in the same manner as incoming email. This is to ensure a MailServ account which is being used for spamming purposes can be detected and locked so email deliverability for legitimate users is not degraded.

Data Storage

Only employees of the Company have physical or other access to the servers. Data is ALWAYS stored in encrypted format on our servers. Offline backups may be stored periodically, but these are also encrypted. We do not possess the ability to access any user encrypted message content on either the production servers or in the backups.

Third Party Networks

Proton's alternative routing technology allows MailServ apps to bypass many censorship blocks, spam protections, sender authenticity, but your network traffic may go through third party networks which we do not control (Like your providers censorship). This could enable a third party to record your IP address or see that you are using MailServ apps (the same information that your Internet Service Provider is able to see). These third parties cannot see your actual data, which remains encrypted.

Data Disclosure

We will only disclose the limited user data we possess if we are instructed to do so by a fully binding request coming from the competent Canadian authorities (legal obligation). While we may comply with electronically delivered notices (see exceptions below), the disclosed data can only be used in court after we have received an original copy of the court order by registered post or in person, and provide a formal response.

If a request is made for encrypted message content that we do not possess the ability to decrypt, the fully encrypted message content may be turned over. If permitted by law, we will always contact a user first before any data disclosure. Under Canadian law, it is obligatory to notify the target of a data request, although such notification may come from the authorities and not from us.

We may from time to time, contest requests if there is a public interest in doing so. In such situations, the Company will not comply with the request until all legal or other remedies have been exhausted. Therefore, not all requests described in our Transparency Report will lead to data disclosure. We are also permitted under GDPR and Canadian Laws to disclose data for the purposes of defending against attacks. The legal basis for this is our legitimate interest in protecting our Service and Company against attacks.

Right to Access, Rectification, Erasure, Portability, and right to lodge a complaint

Through the Services, you can directly access, edit, delete or export personal data processed by the Company in your use of the Services.

If your account has been suspended for a breach of our Terms and Conditions, and you would like to exercise the rights related to your personal data, you can make a request to our support team.

In case of violation of your rights, you have the right to lodge a complaint to the competent supervisory authority.

Modifications to Privacy Policy

We reserve the right to periodically review and change this policy from time to time. We will notify users of material changes via public announcements on our blog.
Continued use of the Services will be deemed as acceptance of such changes.