Privacy Policy

Last Updated: 4th September 2024

This policy (together with our Terms and Conditions) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. It applies to addy.io and any subdomains e.g. app.addy.io.

In order to ensure confidentiality and lawful processing of its, Visitors personal data, addy.io in its capacity of a data controller and of a processor, conducts its activities in strict compliance with the requirements set in GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of this data.

Information We May Collect From You

We may collect the following data from you:

• Information that you provide by filling in forms on our site. This includes information provided at the time of registering to use our site or subscribing to our service.
• If you contact us, we may keep a record of that correspondence.
• For keeping track of authenticated sessions we use a small number of cookies. This site does not provide any third party cookies and makes no effort to track you. You can delete stored cookies from your browser whenever you wish.
• If you start a subscription we may ask you to provide us with information such as your name and payment information. Your name and card details will not be stored in our database.
• We use a self-hosted instance of Umami, an open-source, privacy-focused and lightweight option for website analytics. All the site measurement is carried out absolutely anonymously. Cookies are not used and no personal data is collected. There are no persistent identifiers. No cross-site or cross-device tracking either. You can find out more on Umami's website.

Emails are only ever stored in the event of a failed delivery, and only if you have this option enabled in your account settings. You can check the source code to see what happens when an email is piped to our application by Postfix.

Our server uses Postfix as the mail server software and Nginx as the web server. Nginx access and error logs are kept which do record IP addresses. Default log settings are used for Postfix. All log files are rotated daily and retained for 3 days, old log files are deleted.

Server logs are only used to improve our service and prevent abuse or prohibited use. This information will not be provided under any circumstances to any parties other than when compelled by law.

How We Use Your Personal Information

We use information held about you for the following purposes:

• To notify you about any changes to the service.
• To forward emails to the recipient addresses you have added to the site.

Protection Of Personal Information

We will never misuse, sell, rent, share or give away any personal information to any third parties.

Our website is open-source and available for anyone (who understands PHP) to view and audit. We do not use Google Analytics or any other invasive tracking on our site.

Security

All information you provide to us is stored on our secure servers in the Netherlands (UpCloud). Sensitive data in our database such as your recipient email addresses, alias descriptions, public GPG keys are encrypted using OpenSSL and the AES-256-CBC cipher. Furthermore, all encrypted values are signed with a message authentication code (MAC) to detect any modifications to the encrypted string. Two Factor Authentication (2FA) is also available on our site and we encourage users to enable it.

Opportunistic DANE TLS encryption with strong cipher preference is used for all emails sent through our service. Our mail server also utilises STARTTLS, PFS, DNSSEC, MTA-STS, TLS-RPT, DMARC, SPF and DKIM. These measures help to protect emails sent to/from our server against MiTM (Man in The Middle) downgrade attacks and also against the risk of email forgery.

Our site also uses security features such as; HSTS (HTTP Strict Transport Security), a strict CSP (Content Security Policy), Subresource Integrity, Expect CT and XSS Protection.

You may use this service to forward emails containing sensitive information such as bank or cryptocurrency information, we do our best to make sure any email is not lost but this cannot be guaranteed.

We take all measures reasonably necessary to protect against unauthorised access, use, alteration or destruction of data.

Your Rights

You have the right to request access to personal data that we may process about you.

You have the right to require us to correct any inaccuracies in your data, free of charge. You can access, correct, update or request deletion of your personal information at any time, either through your online account or by contacting us.

Third party services

We use Stripe and NOWPayments to process payments for subscriptions. Any payment transactions will be carried out by Stripe and NOWPayments over encrypted connections. Your card information never touches our server. If you are subscribed to our newsletter then we will also use Amazon Simple Email Service (SES) to deliver email campaigns.

We also use Cloudflare Turnstile, a privacy friendly captcha solution on our login, register and reset password pages to protect against bots and abuse.

Changes To Our Privacy Policy

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. However, we advise that you check this page regularly to keep up to date with any necessary changes.

Contact

Questions, comments and requests regarding this privacy policy are welcomed and should be directed to the Data Protection Officer - (GPG Key - E652C2DB43859328F35575DEBF7B93C6497510D0)