MailFlat

Table of Contents

  • 1. Information We Collect
  • 2. Zero-Knowledge Encryption
  • 3. Payment Processing & Billing
  • 4. Data Retention & Deletion
  • 5. Data Security & Infrastructure
  • 6. Cookie Policy
  • 7. Third-Party Services & Subprocessors
  • 8. International Data Transfers
  • 9. Your Privacy Rights (GDPR & CCPA)
  • 10. Controller Identity, Contact & Updates

Privacy Policy

Last updated: June 28, 2026

1. Information We Collect

Our service values your privacy and is built on the principle of minimal data collection. The information we process includes:

  • Account Credentials: During registration, we collect your full name, username, email address, and a hashed representation of your password. We do not store plain-text passwords.
  • Google Sign-In Data: If you choose to sign in with Google, Google shares a limited set of profile information with us — your name, email address, and Google account identifier — solely to create or authenticate your account. We never receive your Google password, and we do not access your Gmail, contacts, or any other Google data.
  • Verification & Security Emails: To support two-factor authentication (2FA), password resets, and email-address changes, we generate one-time codes and send security notifications to the relevant email address. These are operational records tied to your account security.
  • Temporary Inbox Data: We store metadata about the inboxes you create (prefixes and subdomains) to route emails to your account.
  • Incoming Email Content: Emails received by your temporary inboxes are stored temporarily so that you can view them. If you do not enable encryption, they are stored in plain text.
  • API Request Logs: For security and rate-limiting purposes, we log incoming API request metadata (HTTP method, path, response status, duration, and origin IP address) for a rolling window of 7 days.

2. Zero-Knowledge Encryption

MailFlat provides an optional End-to-End (E2E) zero-knowledge encryption feature for personal inboxes:

  • Local Key Generation: When encryption is activated, your browser generates a public/private RSA-OAEP key pair. The private key is saved directly inside your browser's secure local storage (IndexedDB) and is never sent to our servers.
  • Server-Side Encryption at-Rest: Our SMTP server uses your public key to encrypt incoming emails immediately upon receipt. Once encrypted, the plain-text content is discarded, and only the ciphertext is saved on our disks.
  • Zero Access: Because we do not hold the private key, we cannot decrypt or read your encrypted email content. If you lose your credentials or clear your browser data without a backup, we cannot recover your emails.

3. Payment Processing & Billing

We process subscription payments and upgrades through Stripe, a third-party secure payment processing platform.

When you subscribe or upgrade your plan, you provide your billing information directly to Stripe. MailFlat does not store or have access to your full credit card numbers or sensitive financial details. We only retain the Stripe Customer ID and Subscription ID sent by Stripe webhooks to apply the appropriate quotas and limits to your account.

4. Data Retention & Deletion

MailFlat is designed as a transient, disposable email service. The lifecycle of your data is governed as follows:

  • Email Automatic Deletion: All received email messages are automatically and permanently purged from our database after the expiry of your selected retention period (ranging from 2 hours for free plans up to 30 days for premium tiers).
  • Account Deletion: You can choose to delete your account at any time through the Profile Settings. Doing so immediately and permanently purges your account credentials, custom domains, inboxes, and all associated emails.
  • Log Expiration: System audit logs and API usage logs are automatically deleted after 7 days.

5. Data Security & Infrastructure

We host our services and database on secured virtual private servers (VPS) with restricted firewall rules, SSH-key-only access, fail2ban rate-limiting jails, and regular dependency updates to defend against intrusion.

All traffic between your browser and our servers is encrypted in transit using industry-standard TLS (HTTPS). While we take substantial measures to safeguard your account, no method of transmission or storage is 100% secure, and we recommend using our zero-knowledge encryption for maximum security.

6. Cookie Policy

We do not use tracking, advertising, or marketing cookies.

Our website uses only essential functional cookies to keep you logged in. When you authenticate, a JSON Web Token (JWT) is stored in your browser's cookies or local storage to authorize your subsequent requests to our API. These cookies expire automatically when your session ends or when you log out.

7. Third-Party Services & Subprocessors

We do not sell, trade, or rent your personal data or email content to outside parties. To operate the Service, we rely on a small number of trusted third-party processors ("subprocessors"), each receiving only the minimum data needed for their function:

  • Stripe, Inc. (payment processing) — handles card payments, subscriptions, and the billing portal. We receive only a Stripe Customer ID and Subscription ID; we never see your full card details.
  • Google LLC (authentication) — if you use "Sign in with Google," Google processes the authentication and shares basic profile data (name, email, account ID) with us.
  • Sentry (Functional Software, Inc.) (error monitoring) — receives technical error reports (such as stack traces, request paths, browser type, and IP address) when the application encounters a fault, so we can diagnose and fix issues. We do not send your email content or passwords to Sentry.
  • Hetzner Online GmbH (cloud hosting) — provides the virtual private servers and managed database where the Service and your account data are hosted.
  • Public DNS Resolvers (BYOD): If you configure a custom domain (Bring Your Own Domain), our servers perform automated DNS queries (MX, SPF, DKIM records) using public DNS resolvers to verify your ownership.
  • Legal Compliance: We may disclose information if required to do so by a court order, subpoena, or to comply with applicable laws.

We maintain a current list of subprocessors here. If we add or replace a subprocessor that processes personal data, we will update this page.

8. International Data Transfers

MailFlat operates globally, and some of our subprocessors (including Stripe, Google, and Sentry) are based in or process data in the United States. This means your personal data may be transferred to, stored in, or processed in countries outside your country of residence, including outside the European Economic Area (EEA).

Where personal data of EEA, UK, or Swiss users is transferred to a country without an adequacy decision, such transfers are protected by appropriate safeguards, such as the European Commission's Standard Contractual Clauses (SCCs) or the providers' participation in the EU-U.S. Data Privacy Framework. By using the Service, you understand that your data may be processed in these locations.

9. Your Privacy Rights (GDPR & CCPA)

Depending on where you live, you have rights over your personal data. We honor these rights for all users regardless of location:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Correct inaccurate or incomplete data (you can update your name and email directly in Profile Settings).
  • Erasure ("right to be forgotten"): Delete your account and all associated data at any time from Profile Settings, which immediately and permanently purges your account, inboxes, and emails.
  • Portability: Request your data in a structured, machine-readable format.
  • Objection & Restriction: Object to or ask us to restrict certain processing of your data.
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

California residents (CCPA/CPRA): You have the right to know what personal information we collect, to request its deletion, and to opt out of any "sale" or "sharing" of personal information. We do not sell or share your personal information.

To exercise any of these rights, contact us at privacy@mailflat.net. We will respond within the timeframe required by applicable law. You also have the right to lodge a complaint with your local data protection authority.

10. Controller Identity, Contact & Updates

The data controller responsible for your personal data is:

  • Service: MailFlat. Our full registered legal entity name and address are available on request via the privacy contact below.
  • Privacy contact: privacy@mailflat.net
  • General support: support@mailflat.net

We may update this Privacy Policy from time to time. When updates are published, we will change the "Last updated" date at the top of this page. Material changes will be communicated through the Service or by email where appropriate.