Fastmail

Fastmail is an email service that offers paid email accounts for individuals and organizations.


Transparency

Does the policy require users to be notified in case of a data breach? No

0/7

Decided May 16, 2020 (revision history). This question accounts for 8% of the final score.

Note that all companies operating in the EU are subject to Art. 33 of the GDPR, which requires companies to notify their data protection authority of a data breach within 72 hours of discovering it.

Possible Options

No: 0/7
Yes, eventually: 5/7
Yes, within 72 hours: 7/7
N/A (the service collects so little personal data that notification would not be possible): 7/7

Note

The policy does not specify a data breach protocol.



Is the policy's history made available? No

0/5

Decided May 15, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

No: 0/5
Only the date it was last modified: 3/5
Yes, with revisions or a change-log: 5/5

Note

No date provided.



Will affected users be notified when the policy is meaningfully changed? Yes

5/5

Decided May 15, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

No: 0/5
Yes: 5/5
N/A (no personal data—or contact information—collected): 5/5

Citation

We may review or update this privacy policy from time to time to keep it up to date with legal requirements and the way we operate our business. We will place any updates on this webpage, so please regularly check for updates. If we make fundamental changes to this privacy policy, we may take additional steps to notify you including by posting on our website(s), through pop-up notices or via email. We will not reduce your rights under this Privacy Policy without your explicit consent.



Does the policy outline the service's general security practices? Yes

2/3

Decided May 15, 2020 (revision history). This question accounts for 4% of the final score.

Possible Options

No: 0/3
Somewhat: 1/3
Yes: 2/3
Yes, including audits: 2.5/3
N/A (no personal data collected): 3/3
Yes, including independent audits: 3/3

Citation

We store most of your personal information electronically. We implement and maintain appropriate technical and organisational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, misuse or interference or the unauthorised disclosure, access or modification to such information appropriate to the nature of the information concerned.

The security of your information is paramount and a critical consideration for FastMail in the provision of its services to you. Please see further information on the security measures we engage on our websites and platform and when you use any of our services.

We work hard to protect you and FastMail from unauthorised access, alteration, disclosure, or destruction of information we hold. Measures we take include:

  • placing confidentiality requirements and restricted access protocols on our staff members and service providers who need access to your information in order to process it to provide our services to you;
  • destroying your personal information if it is no longer needed to provide you with our service;
  • destroying logging or other transactional information that may incidentally contain personal information in accordance with our schedules to clear such information;
  • following strict security procedures in the access, storage and disclosure of your personal information to prevent unauthorised access to it; and
  • using secure communication transmission software (known as "secure sockets layer" or "SSL") that encrypts all information you input on our website before it is sent to us. SSL is an industry standard encryption protocol and this ensures that the information is reasonably protected against unauthorised interception. As the security of information depends in part on the security of the computer and/or device you use to communicate with us and the security you use to protect your user IDs and passwords, please take appropriate measures to protect this information.



Collection

Does the service collect personal data from third parties? No

10/10

Decided May 15, 2020 (revision history). This question accounts for 12% of the final score.

This includes the use of data brokers and independent verification authorities (such as background check providers).

Possible Options

Yes: 0/10
Only for critical data: 7/10
No: 10/10

Note

N/A



Does the policy list the personal data it collects? Yes, exhaustively

10/10

Decided May 15, 2020 (revision history). This question accounts for 12% of the final score.

All types of collected personal data are listed specifically

Possible Options

No: 0/10
Only summarily: 3/10
Yes, generally: 7/10
Yes, exhaustively: 10/10
N/A (no personal information is collected): 10/10

Citation

If you register to use, or use, one of our websites or services including FastMail https://www.fastmail.com, Pobox (Lifetime Email) https://www.pobox.com, Listbox https://www.listbox.com or Topicbox https://www.topicbox.com, personal information that may be collected directly from you includes name, billing address, mobile phone number, organisation name, your own domain name, IP address, browser user-agent and billing details (credit card, or PayPal account). We also collect some of this information if you are using our services on a trial basis. Our help page on each service explains how your information is deleted if you decide not to proceed.

We may also collect personal information such as IP address, device information and log information by using cookies. Please see Cookies for more information on this and our Cookies Policy.

We process mail sent and received from your account to block spam and fraud. We receive information from third party services to assist us in identifying spam. If you report a message to us, either through the service or via customer support, as spam or not spam, we may share that message with the third party service that flagged it to improve the accuracy of future filtering. See further below on your rights when we disclose your information to our third party service providers.

We also store information from your address book, calendar, notes and files on our servers until you delete them (for more information on data retention see our security help page). We will also share this information with your devices and external accounts where you have authorised us to do so.

We also collect the email content you create, upload, or receive from others when using our services. We use this information to deliver our services, like processing the terms you search for in order to return results or helping you add addresses to messages by suggesting recipients from your contacts.

Each time you connect to our service, we log your IP address, your client identifier (browser or mail client information) and your username. If you send mail, we also log the email address you're using to send mail and the email address you're sending to. If you take action on mail in your mailbox, we also log the activities taken. This is necessary for providing proof of delivery and fraud analysis. For example, we need this information for detecting deliverability issues if there are failures sending email that we either detect through monitoring or when you ask if email you are sending/receiving is working properly. We also need your IP address and username to help you validate if someone else has gained access to your account to send spam or for other fraudulent purposes. [...] In a multi-user account, if you are permitted to access and use a user account on any of our services by the registered user directly, we may collect the following information about you: IP address and name.

The registered account holder is responsible for your access and use if they provide you with access to and use of an account and the Personal Information residing in that account.



Is it clear why the service collects the personal data that it does? Yes

10/10

Decided May 16, 2020 (revision history). This question accounts for 12% of the final score.

This question deals with transparency. Even if the service uses data for reasons that aren't ideal for privacy, provided they list all of those uses, the service can still receive full credit for this question. However, if they are not explicit about their uses (by employing language like "such as"), a lower score is assigned.

Possible Options

No: 0/10
Somewhat: 4/10
Mostly: 7/10
Yes: 10/10
No personal data is collected: 10/10

Citation

We use this information to:

  • provide you with our services and to maintain, manage and improve our services;
  • help our services deliver more useful, customised content such as more accurate search results;
  • send you notifications when you receive new mail or events; we may also send you a notification if we detect suspicious activity, like an attempt to sign in to your account from an unusual location;
  • at your option, contact you to let you know about updates to our services or information we feel may be of interest to you (see more information at Direct Marketing);
  • provide you with customer support including technical support and troubleshooting (for example, to reset your password);
  • protect you and conduct security investigations and fraud and abuse analysis (including to help us flag spam mail);
  • conduct analytics and measurement to understand how our services are used; comply with our legal obligations, for example when assisting governments and law enforcement agencies or regulators (as may be required by law);
  • improve the safety and reliability of our services. This includes detecting, preventing, and responding to fraud, abuse, security risks, and technical issues that could harm FastMail, you, our users, or the general public.



Does the service allow the user to control whether personal data is used or collected for non-critical purposes? On an opt-out basis, for all non-critical data/uses

3/5

Decided May 16, 2020 (revision history). This question accounts for 6% of the final score.

Some services allow users to opt out of, or opt in to, non-critical collection or use of personal data, such as collecting data for personalized advertisements.

Possible Options

No: 0/5
On an opt-out basis, but only for some non-critical data/uses: 1.5/5
On an opt-out basis, for all non-critical data/uses: 3/5
N/A (no data used for non-critical purposes): 5/5
On an opt-in basis: 5/5

Citation

To protect your privacy rights and to ensure you have control over how we manage marketing with you:

  • users of the FastMail, Listbox and Pobox services can opt out of any non-essential communication by de-selecting the relevant checkbox in the settings page in the web interface;
  • even after opting in, you can ask us to stop sending email marketing by following the “unsubscribe” or opt-out links in electronic communications. Alternatively you can contact us; and [...]
  • Matomo respects Do Not Track browser flags; you may opt out of tracking by setting your browser to Do Not Track.



Handling

Does the service allow third-party access to private personal data? Yes, all parties specified (including non-critical service providers such as advertisers)

3/10

Decided May 16, 2020 (revision history). This question accounts for 12% of the final score.

This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).

Note that whether the policy allows sharing aggregated user data does not affect this question.

If the personal data is encrypted when it passes through the third-party, it does not count as third-party access (as the data is inaccessible to that party).

If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).

Possible Options

Yes, not all parties specified: 0/10
Yes, all parties specified (including non-critical service providers such as advertisers): 3/10
Yes, not all parties specified (but only to critical service providers): 7/10
Yes, all parties specified (only to critical service providers): 8/10
No: 10/10

Citation

We may share your personal information in the manner and for the purposes described below:

  • with third parties who help manage our business and deliver services. These include service providers who help manage our systems. Some of these providers use “cloud based” IT applications or systems, which means that your Personal Information will be hosted on their servers, but under our control and direction. We require all our service providers and third parties to respect the confidentiality and security of Personal Information and our contracts with them generally include obligations for them to comply with applicable privacy laws and to use any personal information we share with them solely for the purpose of providing services to us.

[...]

  • with government organisations and agencies, law enforcement, regulators to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies;
  • with banks and payment providers to authorise and complete payments, though we only maintain a record of your email address (for PayPal), or the last four digits of your credit card and expiry date (for credit card);
  • if, in the future, we sell or transfer some or all of our business or assets to a third party, we may disclose information to a potential or actual third party purchaser of our business or assets; and

[...]

  • We use Matomo, a web analysis service of InnoCraft Inc. (“Matomo”). Matomo uses cookies to monitor traffic to, and use of our marketing websites only. There is no Matomo tracking once you are logged in. Information about the use of our website generated by these cookies is generally transferred to a Matomo server in the USA and stored there. Matomo uses this information on our behalf to evaluate usage of our website, and to compile reports on activities. All personal information, including IP addresses, are anonymised by them. Matomo respects Do Not Track browser flags; you may opt out of tracking by setting your browser to Do Not Track.



Does the policy allow personally-targeted or behavioral marketing? Yes, but you must opt-in

7/10

Decided May 15, 2020 (revision history). This question accounts for 12% of the final score.

Possible Options

Yes: 0/10
Yes, but you can opt-out: 3.5/10
Yes, but you must opt-in: 7/10
No: 10/10

Citation

We may use your name and email address to send direct marketing communications to you and let you know more about our services or related services that we believe will be of interest to you. We may contact you by email, or through other communication channels that we think you may find helpful. In all cases, we will respect your preferences for how you would like us to manage marketing activity with you. [...]

To protect your privacy rights and to ensure you have control over how we manage marketing with you:

  • users of the FastMail, Listbox and Pobox services can opt out of any non-essential communication by de-selecting the relevant checkbox in the settings page in the web interface;
  • even after opting in, you can ask us to stop sending email marketing by following the “unsubscribe” or opt-out links in electronic communications. Alternatively you can contact us; and



When does the policy allow law enforcement access to personal data? When reasonably requested

3/5

Decided May 16, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

Always: 0/5
Not specified: 0/5
When reasonably requested: 3/5
Only when required by a court order or subpoena: 4/5
N/A (no personal data to share): 5/5
Never (special legal jurisdiction): 5/5

Citation

Your use of FastMail products and services is subject to your organisation's policies, if any. You should direct your privacy inquiries, including any requests to exercise your data protection rights, to your organisation’s account administrator.

[We may share data with] government organisations and agencies, law enforcement, regulators to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies;



Does the service allow you to permanently delete your personal data? Yes, using an automated mechanism

5/5

Decided May 15, 2020 (revision history). This question accounts for 6% of the final score.

Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as "permanently deleted" and satisfies the parameters for this question.

Possible Options

No: 0/5
Yes, by contacting someone: 3/5
Yes, using an automated mechanism: 5/5
N/A (no personal information collected): 5/5

Citation

You can also delete certain information, or your entire FastMail account should you wish to do so. You can download and export a copy of all of your data and content in your FastMail account if you want to back it up or use it with a service outside of FastMail.




Warnings

Fastmail has no warnings published on PrivacySpy. PrivacySpy publishes warnings when it learns a service has announced a data breach or is found misusing user data. If you believe a warning should be published for Fastmail, submit one here.


Overall rating: 6.8/10

Version Added: May 15, 2020
Ratings Updated: May 16, 2020
Warnings: 0
Maintained by: doamatto