Last modified: March 28, 2022
We, the Mailvelope GmbH ("Mailvelope"), as the provider of the Mailvelope browser extension ("the browser extension"), as the operator of the website under the URL www.mailvelope.com ("the website") and as the operator of the Mailvelope key server keys.mailvelope.com ("the key server"), take data protection matters very seriously and wish to ensure that your privacy as a user of our service is protected.
In this Data Protection Policy, we therefore explain how we handle your personal data in connection with your use of our service.
We reserve the right to modify the content of this Data Protection Policy from time to time. It is therefore recommended that you re-acquaint yourself with the Data Protection Policy at regular intervals.
1. General Aspects and Definitions
1.1. We shall comply at all times with the applicable data protection laws, in particular the stipulations in the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), the German Telemedia Act (Telemediengesetz, TMG) and the General Data Protection Regulation (GDPR) (EU).
1.2 We define Personal Data (or "your data") in the following manner: Any information that you provide to us about yourself while using the service that could help someone else identify you as an individual entity according to Section 3 (1) BDSG. This may include information such as your name, phone number, location, IP address, system locale and preferences, picture, public key information, etc. We define as "products" any downloadable or electronically available software products owned by Mailvelope, such as Mailvelope browser extension.
1.3. We collect, process, and use your personal data only if your consent has been obtained or if such processing or use is permitted by law. We process or use only such data as are needed for our service, or such data that you provide to us.
2. Use of Personal Data
We may use your personal information only for one or more of the following purposes:
To give you access to the products or Service. For example if you subscribe to Mailvelope Business we may send you a link by email to activate your account.
To provide you with support. For example, if you leave your personal information by email, we may contact you back to help you solve your issues or answer your questions.
To promote our services. For example, if we think you might benefit from using another product or service we offer, or if we think information about a change in the current service is relevant for you, we may contact you to tell you about it.
To bill and collect money owed to us when subscribing to Mailvelope Business. This includes communications with regards to invoices, receipts, payment statuses and processing issues.
3. Processing and Use of Your Data
We collect, process, and use the following personal data:
3.1 Contacting us
If you provide us with personal data for the purpose of or in connection with contacting us, these data will be stored by us only for as long as this is required for communication, customer contact, and project planning/implementation purposes. As soon as the personal data is no longer required by us for these purposes, they will be deleted immediately.
3.2 Using the website
3.3 Using the Mailvelope download server
Our server download.mailvelope.com collects anonymous technical data, such as the name of your web browser, operating system, information about the website from which you linked to us and the pages on our server that you visit. These data are stored automatically. They are analyzed in anonymous form and solely for statistical purposes with the aim of further improving our service for you.
3.4 Download of the Mailvelope Extension
3.4.1 Chrome Extension
Chrome Extensions are hosted on the Chrome Web Store. Please refer to www.google.com/policies/privacy for information on which data is collected if you download the extension or during the regular updates.
3.4.2 Firefox Add-On
Firefox add-ons are hosted on addons.mozilla.org (AMO). Please refer to www.mozilla.org/en-US/privacy for information on which data is collected if you download the extension or during the regular updates.
3.4.3 Edge Extension
Edge Extensions are hosted on Microsoft Edge-Add-Ons. Please refer to https://privacy.microsoft.com/en-us/ for information on which data is collected if you download the extension or during the regular updates.
3.5 Using the browser extension
Mailvelope stores data only locally in the local storage of the browser, which is not accessible by other applications. Sensitive or personal user data is stored in Mailvelope only in the form of PGP keys, which contain user name and email address, and are stored in the keyring of Mailvelope. When a new PGP key is generated, Mailvelope has the option (default: on) to upload the key to the Mailvelope key server (see 3.6). Apart from that, when the resp. options are activated in the key server settings of Mailvelope (default: on), the following mechanisms could leak meta data of the user:
- The browser extension by default searches for keys on the Mailvelope key server and on keys.openpgp.org for unknown email addresses. In the process of this key search, the email address of a contact is sent from the extension to the key server.
- The browser extension by default searches for keys in the Web Key Directory (WKD). In the process of this key search, the hashed email address of a contact is sent from the extension to mail providers that support WKD.
Mailvelope will ask the user during the setup process for consent to share aggregated and anonymized analytics information with us. We use the Clean Insights measurement platform to help better understand app usage patterns. Data is captured in a privacy-preserving way: we don’t use a tracking cookie, we don't store IP addresses, we don’t capture personal information, and we don’t track users across sites. We use Matomo to collect information about your usage of the browser extension.
3.6 Using the Mailvelope key server
By uploading a key to the key server you give us your revocable consent to store the key (which may contain personal information like your real name and your email address) on the key server so that we can serve it to other users who are addressing encrypted messages to your email address. You can delete your keys from the server at any time at keys.mailvelope.com/manage.html.
When searching for keys on the key server we collect anonymous technical data, such as the name of your web browser and operating system. These data are stored automatically. They are analyzed in anonymous form and solely for statistical purposes with the aim of further improving our service for you.
3.7 Using the Gmail API integration
If you grant the Mailvelope browser extension access to your Gmail account via Google API Services, it will solely use this access for enhancing Gmail with PGP encryption services. Specifically, this means:
- The browser extension will use its access only to read Gmail message bodies (including attachments), metadata and headers to display the content of encrypted emails and attachments within the Gmail UI. Furthermore the Mailvelope email editor component allows users to compose and send encrypted emails.
- Your emails and your user data are processed only in the local installation of the browser extension and will never be shared with any third party nor transmitted to a Mailvelope server.
- The Mailvelope browser extension stores your email address and your access token for Gmail in the local storage of the browser (which is only accessible by Mailvelope). Emails and other data from your Gmail account are never stored in the browser extension.
- Mailvelope does not include advertisements. Your Gmail data will not be used for serving advertisements.
- The browser extension will never send emails without your consent. All actions have to be triggered by you.
- Mailvelope's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
3.8 Using Mailvelope Business & Enterprise
For managing the Mailvelope subscription services, processing of payments and billing we collect personal information such as your email, name, address, VAT information, preferred payment channel, etc.
We do not have direct access to your credit card or debit card information. This information is collected and processed securely directly by the third party payment processing services involved such as our payment gateway and your bank.
If you are a non-profit and have been granted free access to our business products your personal data will be processed according to this chapter.
3.9 Signing up to our newsletter
Mailvelope uses Mailjet, a GDPR compliant and privacy concerned newsletter service provider to send its newsletters. When you sign up to our newsletter we collect your name, email and IP address as part of the newsletter signup process. This information is required to be able to get in touch with you and for security purposes such as spam and abuse detection. Privacy policies of Mailjet can be found here: https://www.mailjet.com/security-privacy/
We may collect personal information about you and your usage of Mailvelope as part of voluntary surveys you participate in. Surveys may request personal information such as your name, email, phone number, organization name, etc.
4. Declaration of Consent
In accepting this Data Protection Policy you give us your revocable consent to collect, process, and use the personal data that you directly or indirectly provide to us as described in section 3.
You may revoke your declaration of consent at any time by giving us a respective notice. The easiest and fastest way to revoke your consent is to write a short email to firstname.lastname@example.org.
5. Sharing of Personal Data
We will not share your personal data with third parties unless you have given your prior explicit consent or such sharing of data is prescribed by law or legally permissible. We will not sell your data to third parties, nor market them in any other manner.
However personal data can be shared only in the following cases:
- If requested by government agencies and authorities only in compliance with mandatory national laws. So far this has never happened.
- For providing information to representatives and advisors. These include engineers, attorneys and accountants, who help us comply with legal, accounting, or security requirements. Our employees and partners are obligated by us to maintain confidentiality and to comply with the data protection regulations.
6. Data Storage
Your data will be stored only as long as required for us to provide our services or as long as we are legally obligated to save it.
Our servers are located in:
7. Information, Correction, Deletion
You can obtain information at any time, free of charge, about the personal data we store about you. If your data is incorrect or wrongly stored by us, we shall be pleased to correct, block or delete such data. Please notify us immediately of any changes in your data.
Please send any requests for information, questions, complaints or suggestions to the following address: email@example.com