Mailbox.org

Mailbox.org is a email service provider that is priding itself on privacy and being eco-friendly.

This page is not published. While you can access it via its direct link, it is not yet displayed on the website.

Handling

Does the policy allow personally-targeted or behavioral marketing? No

10/10

Decided May 22, 2020 (revision history). This question accounts for 12% of the final score.

Possible Options

Yes0/10
Yes, but you can opt-out3.5/10
Yes, but you must opt-in7/10
No10/10

Citation

The data stored by you is used exclusively for the aforesaid purposes. Your data will not be used for other purposes, evaluated or shared under any circumstances. We have no interest in using your data for marketing or market research purposes. A sharing of the data with third parties is excluded.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service allow third-party access to private personal data? No

10/10

Decided May 22, 2020 (revision history). This question accounts for 12% of the final score.

This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).

Note that whether the policy allows sharing aggregated user data does not affect this question.

If the personal data is encrypted when it passes through the third-party, it does not count as third-party access (as the data is inaccessible to that party).

If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).

Possible Options

Yes, not all parties specified0/10
Yes, all parties specified (including non-critical service providers such as advertisers)3/10
Yes, not all parties specified (but only to critical service providers)7/10
Yes, all parties specified (only to critical service providers)8/10
No10/10

Citation

The personal data collected will not be disclosed to third parties, unless such disclosure is required by law or serves the legal defence of the data processing controller.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service allow you to permanently delete your personal data? Yes, by contacting someone

3/5

Decided May 22, 2020 (revision history). This question accounts for 6% of the final score.

Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as "permanently deleted" and satisfies the parameters for this question.

Possible Options

No0/5
Yes, by contacting someone3/5
Yes, using an automated mechanism5/5
N/A (no personal information collected)5/5

Citation

Every Data Subject affected by the processing of personal data shall have the right to require the controller to erase the personal data concerning him or her immediately, provided that one of the following reasons applies and insofar as the processing is not necessary: - The personal data has been collected or otherwise processed for purposes for which it is no longer necessary. - The Data Subject revokes his or her consent on which the processing was based in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR, and there is no other legal basis for the processing. - The Data Subject objects to the processing in accordance with Article 21 (1) GDPR and there are no overriding legitimate grounds for processing, or the Data Subject objects to processing in accordance with Article 21 (2) GDPR. - The personal data has been processed unlawfully. - The erasure of personal data is necessary to fulfil a legal obligation under European Union law or the law of the Member State to which the controller is subject. - The personal data was collected in relation to the offered services of the information company in accordance with Article 8 (1) GDPR.

If one of the above-mentioned reasons applies and you wish to have personal data stored at Heinlein Support GmbH erased, please contact our customer support.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


When does the policy allow law enforcement access to personal data? Only when required by a court order or subpoena

4/5

Decided May 22, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

Always0/5
Not specified0/5
When reasonably requested3/5
Only when required by a court order or subpoena4/5
N/A (no personal data to share)5/5
Never (special legal jurisdiction)5/5

Citation

We protect free communication against eavesdropping by means of minimal data storage and other technical measures, including systematic encryption. We teach and motivate people here to make use of the technical protection options.

According to Section 113 of the German Telecommunications Act (Telekommunikationsgesetz, TKG), the public prosecutor’s office and the police have relatively easy access to the so-called database data of a telecommunications provider like us. In this case, simple requests for information are sufficient without the need for a judge’s decision. According to Section 113 of the Telecommunications Act, a telecommunications provider cannot legally defend itself against this request for information – it must be fulfilled. It should be noted that according to Section 113 (II) of the Telecommunications Act the provider must maintain silence about the request and may not inform the affected customer about the access.

Access to the log data of mail or web servers or the email content of a mailbox requires a judge’s decision to disclose/search, unless the investigating authorities can directly establish “imminent danger”. The telecommunications provider has no legal means at its disposal, even against the search order; it can no longer defend itself against the “confiscation” of the log data.

We have no choice but to disclose data to the investigating authorities under the conditions described here; otherwise, there is the threat that entire servers will be seized in the context of a company search or, where applicable, there will also be coercive detention of employees of the company.

Conversely, we will not disclose any data if the legal requirements for disclosure are not mandatory (so-called “anticipatory obedience”). Such requests for information from the police without a court order will definitely be rejected by us, as in these cases it would be illegal for us to disclose the data. We, or our lawyers, strictly and critically examine all disclosure requests.

However, we cannot judge whether the database data you provided when you registered is correct and accurate. If you encrypt your email traffic with PGP, we are also not able to make the content of these emails readable either.

You will find further information in our annual Transparency Report on requests from the authorities.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Transparency

Does the policy require users to be notified in case of a data breach? N/A (the service collects so little personal data that notification would not be possible)

7/7

Decided May 22, 2020 (revision history). This question accounts for 8% of the final score.

Note that all companies operating in the EU are subject to Art. 33 of the GDPR, which requires companies to notify their data protection authority of a data breach within 72 hours of discovering it.

Possible Options

No0/7
Yes, eventually5/7
Yes, within 72 hours7/7
N/A (the service collects so little personal data that notification would not be possible)7/7

Note

There is no direct way to alert users of data breaches except via the service.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Will affected users be notified when the policy is meaningfully changed? N/A (no personal data—or contact information—collected)

5/5

Decided May 22, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

No0/5
Yes5/5
N/A (no personal data—or contact information—collected)5/5

Note

There is no direct way to alert users of policy changes except via the service.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Is the policy's history made available? Only the date it was last modified

3/5

Decided May 22, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

No0/5
Only the date it was last modified3/5
Yes, with revisions or a change-log5/5

Citation

As of: 30 September 2019

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the policy outline the service's general security practices? Yes

2/3

Decided May 22, 2020 (revision history). This question accounts for 4% of the final score.

Possible Options

No0/3
Somewhat1/3
Yes2/3
Yes, including audits2.5/3
N/A (no personal data collected)3/3
Yes, including independent audits3/3

Note

A deeper page involving a lot more on how they protect your data is at https://mailbox.org/en/security

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Collection

Is it clear why the service collects the personal data that it does? Yes

10/10

Decided May 22, 2020 (revision history). This question accounts for 12% of the final score.

This question deals with transparency. Even if the service uses data for reasons that aren't ideal for privacy, provided they list all of those uses, the service can still receive full credit for this question. However, if they are not explicit about their uses (by employing language like "such as"), a lower score is assigned.

Possible Options

No0/10
Somewhat4/10
Mostly7/10
Yes10/10
No personal data is collected10/10

Citation

Our web servers collect various kinds of general data and information each time you visit our website. This general data and information is stored in the log files of the server. The web servers may record (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrer), (4) the sub-websites which are accessed via an accessing system on our website, (5) the date and time of access of the website, (6) an internet protocol address (IP address), (7) the internet service provider of the accessing system, and (8) other similar data and information used for security purposes in the event of attacks on our information technology systems.

When using this general data and information, Heinlein Support GmbH does not draw any conclusions about the Data Subject. Rather, this information is required to (1) correctly deliver the contents of our website, (2) optimise the contents of our website, (3) ensure the long-term functionality of our information technology systems and the technology of our website and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack. The anonymously collected data and information is therefore evaluated by us statistically and also with the aim of increasing data protection and data security in our company in order to ultimately ensure an optimum level of protection for the personal data processed by us. The anonymous data of the server log files is stored separately from all personal data provided by a Data Subject.

You have the option of registering on our websites by entering personal data. The respective input mask used for registration determines what personal data will be transmitted to us. The personal data entered by you will be collected and stored exclusively for internal use and for your own purposes.

When you register on our internet pages, the IP address assigned by your internet service provider (ISP) as well as the date and time of the registration are stored. This data is stored because this is the only way to prevent misuse of our services and, if necessary, to enable us to investigate criminal offences committed. In this respect, the storage of this data is necessary to protect the data processing controller. This data will fundamentally not be shared with third parties unless required by law or for the purpose of criminal prosecution.

Your registration with voluntary disclosure of personal data lets us offer your content or services that can only be offered to registered users due to the nature of the matter. Registered persons are free to modify the personal data provided during registration at any time or to have it completely erased from the database of the data processing controller.

If requested, we will inform you at any time about what personal data concerning you is stored by us. Furthermore, we will rectify or erase personal data if requested or instructed by the Data Subject if there are no legal duties to store such data. In this context, our customer support staff are available as contacts.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the policy list the personal data it collects? Yes, exhaustively

10/10

Decided May 22, 2020 (revision history). This question accounts for 12% of the final score.

All types of collected personal data are listed specifically

Possible Options

No0/10
Only summarily3/10
Yes, generally7/10
Yes, exhaustively10/10
N/A (no personal information is collected)10/10

Citation

You have the option of registering on our websites by entering personal data. The respective input mask used for registration determines what personal data will be transmitted to us. The personal data entered by you will be collected and stored exclusively for internal use and for your own purposes.

When you register on our internet pages, the IP address assigned by your internet service provider (ISP) as well as the date and time of the registration are stored. This data is stored because this is the only way to prevent misuse of our services and, if necessary, to enable us to investigate criminal offences committed. In this respect, the storage of this data is necessary to protect the data processing controller. This data will fundamentally not be shared with third parties unless required by law or for the purpose of criminal prosecution.

Your registration with voluntary disclosure of personal data lets us offer your content or services that can only be offered to registered users due to the nature of the matter. Registered persons are free to modify the personal data provided during registration at any time or to have it completely erased from the database of the data processing controller.

If requested, we will inform you at any time about what personal data concerning you is stored by us. Furthermore, we will rectify or erase personal data if requested or instructed by the Data Subject if there are no legal duties to store such data. In this context, our customer support staff are available as contacts.

Due to legal regulations, the websites of Heinlein Support GmbH contain information that enables rapid electronic contact with our company and direct communication with us, which also includes a general address for so-called electronic mail (email address). If you contact us by email or via a contact form, the personal data transmitted by you will be stored automatically. Such personal data transmitted by you to us on a voluntary basis will be stored for the purposes of processing or contacting you. This personal data will not be shared with third parties.

We offer you the opportunity to leave individual comments or individual contributions on our blog or in our user forum located on our websites. A blog or user forum is a portal on a website, usually open to the public, in which one or more people who are called bloggers or web bloggers can post articles or write down thoughts in so-called blog posts. Comments can usually be made by third parties at the blog posts.

If you leave a comment in our blog or user forum, not only the comments you leave will be saved and published, but also information about the time you made the comment and your chosen user name (pseudonym). The IP address assigned by your internet service provider (ISP) is also logged. This IP address is stored for security reasons and in case the Data Subject violates the rights of third parties or posts illegal content by submitting a comment. The storage of this personal data is therefore in our interest, so that we can clear ourselves of any liability in the event of a violation of the law. The personal data collected will not be disclosed to third parties, unless such disclosure is required by law or serves the legal defence of the data processing controller.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service collect personal data from third parties? Only for critical data

7/10

Decided May 22, 2020 (revision history). This question accounts for 12% of the final score.

For example, a blog providing user avatars or a bank conducting identity verification

This includes the use of data brokers and independent verification authorities (such as background check providers).

Possible Options

Yes0/10
Only for critical data7/10
No10/10

Citation

In some places we link to our mailbox.org pin films, which we let Vimeo host. The Vimeo video player triggers an alarm on some anti-tracking systems because it can send video quality statistics to the manufacturer Conviva (Conviva’s data protection policy). Unfortunately, we do not know any way to get around this and at the same time we are sure that Vimeo is a substantially better video hoster than Youtube.

In addition, comments from users under posts or FAQ articles can lead to a loading of avatar images from Gravatar (Gravatar data protection policy).

To protect against misuse, we use the Google reCaptcha service in our registration form. Your IP address is transmitted to this service for verification. The Google data protection policy applies to this service. We have compiled more on this topic for you here: https://kb.mailbox.org/display/MBOKB/Google+Captchas+in+registration form

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service allow the user to control whether personal data is used or collected for non-critical purposes? On an opt-out basis, for all non-critical data/uses

3/5

Decided May 22, 2020 (revision history). This question accounts for 6% of the final score.

Some services allow users to opt-out or opt-in to of non-critical collection or use of personal data, such as collecting data for personalized advertisements.

Possible Options

No0/5
On an opt-out basis, but only for some non-critical data/uses1.5/5
On an opt-out basis, for all non-critical data/uses3/5
N/A (no data used for non-critical purposes)5/5
On an opt-in basis5/5

Citation

The comments made in our blog or user forum can fundamentally be subscribed to by third parties. In particular, it is possible for a commentator to subscribe to the comments that follow their comment on a particular blog post. If you choose to subscribe to comments, an automatic confirmation email will be sent to check whether the owner of the indicated email address has actually opted for this option using the double opt-in procedure. The subscription can be cancelled at any time.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.



Warnings

Mailbox.org has no warnings published on PrivacySpy. PrivacySpy publishes warnings when it learns a service has announced a data breach or is found misusing user data. If you believe a warning should be published for Mailbox.org, submit one here.


Highlighted Policy Snapshot ALPHA

No highlighted policy snapshot has been created for this privacy policy. To view the policy at its original location, click here.

8.7/10

How we calculate ratings →


Version Added

May 22, 2020

Ratings Updated

May 22, 2020

Warnings

0

Maintained by

doamatto

Original Location
Open in New Tab
Other Versions