01
Data We Collect
- Account email address (for authentication and account recovery)
- Hashed password (bcrypt, never stored in plaintext)
- Login timestamps and IP addresses (retained 30 days, for abuse prevention only)
- Billing information for paid tiers (processed by payment provider, not stored by us)
That's it. This is the complete list.
02
Data We Do NOT Collect
- We do not read, scan, or analyze the content of your emails
- We do not harvest email metadata for profiling or advertising
- We do not track your behavior across the web
- We do not use analytics scripts, tracking pixels, or third-party cookies
- We do not sell, share, or trade any user data with third parties
- We do not build advertising profiles or behavioral models
If a service is free, you're the product. Our free tier is limited in storage — not in privacy.
03
Email Storage & Encryption
- All email is stored using per-user mail-crypt encryption on disk
- TLS 1.3 enforced for all connections in transit
- Encryption keys are derived from your account credentials
- Physical server access alone cannot decrypt your messages
04
Secure Deletion Policy
This is what sets KrakuMail apart. When you delete something, we make sure it stays deleted.
- When you delete an email, it is not merely marked as deleted
- Deleted messages are moved to a secure expunge queue
- Each message file undergoes a verified overwrite process: random data written over the original sectors, followed by zero-fill
- This process complies with NIST SP 800-88 Rev. 2 (Clear method) — the current federal standard for media sanitization
- We use HDD storage by design — unlike SSDs, HDDs allow deterministic overwrite of specific disk sectors, ensuring deleted data is physically unrecoverable
- Deletion events are logged for compliance auditing (metadata only — what was deleted and when, not content)
Account deletion: Upon request, all account data including mailbox contents undergo the same secure deletion process. Account deletion is irreversible and completed within 72 hours.
05
Third Parties
- We do not use any third-party analytics services
- We do not embed third-party tracking scripts
- We do not use advertising networks
- Payment processing is handled by our payment provider — they receive only the billing information necessary to process your payment. They do not have access to your email data.
- We do not use CDNs that could intercept traffic — all connections terminate at our servers
06
Server Location & Jurisdiction
- KrakuMail servers are located in Iceland
- Iceland is not a member of the Five Eyes, Nine Eyes, or Fourteen Eyes intelligence-sharing alliances
- Icelandic privacy law (Act No. 90/2018 on Data Protection and the Processing of Personal Data) implements and exceeds GDPR requirements
- We are subject to Icelandic law exclusively
- We do not voluntarily cooperate with foreign intelligence agencies
07
Law Enforcement & Legal Requests
- We will only disclose user data in response to a valid Icelandic court order
- We will notify affected users of any legal request for their data, unless prohibited by the court order itself
- We publish a transparency report annually detailing the number and nature of legal requests received
- We have never received a national security letter or secret court order
- We will challenge any request we believe to be overly broad or legally questionable
08
Data Portability
- You can export all your email data at any time via standard IMAP
- We support full mailbox export in standard formats (mbox, Maildir)
- Your data belongs to you — we will never hold it hostage
09
Changes to This Policy
- We will notify all registered users by email at least 30 days before any material changes to this policy
- Previous versions of this policy will be archived and publicly accessible
- Changes will never retroactively reduce your privacy protections
10
Contact
- Privacy inquiries: privacy@krakumail.com
- General support: support@krakumail.com
- Postal: KrakuMail, Reykjavík, Iceland