We believe that you own your data, and you entrust us to only hold and use your data to provide you with the service you pay for: really great email. On this page, we list the regulations, practices, and policies we abide by to protect your privacy.
- What can you expect from us
- Key privacy laws
- Fastmail policies
- Certifications
- Law enforcement
- Specific privacy practices
What can you expect from us
We treat your email with the same care as if it were our own:
- Your data belongs to you, and nobody else.
- We use your data only for the purposes you have paid for.
- We ensure that the vendors we use also follow our privacy principles, have the legal and policy paperwork to contractually bind them, and that they have the technical capacity to do what the paperwork claims.
Key privacy laws
Australian Privacy Principles
Australia has thirteen privacy principles that come under the Australian Privacy Act of 1988. These existed prior to the European GDPR, but govern Australian organizations in similar ways. They provide digital rights to its citizens, and hold organizations to account for their data practices.
Fastmail has always adhered to these privacy principles. You can read more about the Australian Privacy Principles here.
GDPR and the Fastmail DPA
The European General Data Protection Regulation (GDPR) was the first digital rights law that had significant and wide-reaching penalties for non-compliance. It held companies accountable for their data protection practices if they had a relationship with a European citizen, even if the organization itself was headquartered outside of Europe. Fines issued under GDPR are sizable and actively enforced.
Fastmail has always offered our customers protection from invasive data usage, along with the tools to control, erase, download, and update their own data, as well as other data protections required by GDPR. These were part of our service and applied no matter where customers lived, even prior to GDPR coming into effect. We continue to remain naturally compliant with GDPR through our values and privacy practices.
All of our customers (whether European and subject to GDPR, or not) can choose to explicitly sign a Data Protection Addendum (DPA) with us. Fastmail is required to have this document under GDPR, and it states the responsibilities that Fastmail has towards our customers and explains the rights that customers are entitled to.
The DPA provides information about the categories of data being transferred, our security controls and the list of vendors we use in order to provide customers with our service. It also provides the customer's right to be informed about any new vendor, and the right to be given the opportunity to object.
Signing the DPA confers one additional right that isn’t part of our regular service: you will be notified of, and can object to, any new vendor that we use to process your data. 14 days prior to us using a new vendor, we will send you a DPA notice via email. This gives you the opportunity to contact us, and for us to discuss your options if you object to the new vendor.
If you wish to sign our DPA, you can do so by following the steps in our Business policy settings help page.
You can read the Fastmail Data Protection Policy in full here.
Fastmail policies
Privacy
Our Privacy Policy explains how we use, collect, and process your information in the course of managing your account.
We outline what information we collect from you when you visit our websites, use our platform, or subscribe to our newsletter. We also include details on when and why we share information with other parties, such as our anti-spam partners, payment processors, or your Fastmail account administrator.
You can read the Fastmail Privacy Policy in full here.
Cookies
When you use our email web interface, we store cookies to let you keep your session open and to keep your session secure.
If you’re using our marketing site, we use cookies to track if we owe you a signup discount through a referral or marketing campaign. We also cookies to help us understand what pages people are finding useful, and to inform us if you found Fastmail via advertisements or marketing.
You can read our Cookies Policy in full here.
Certifications
Fastmail is not compliant with the Health Insurance Portability and Accountability Act (HIPAA) of the United States. HIPAA compliance has a specific set of requirements which include mandated end-to-end encryption, which we do not provide.
We have not pursued formal certification of System and Organization Control (SOC), but we apply its principles to our work.
Law enforcement
We comply with all valid law enforcement requests.
We review all law enforcement requests carefully and check for legitimacy, proportionality, and accuracy. Wherever possible, we notify accountholders that a request has been made for their information.
You can read our requirements for law enforcements requests at our Information for law enforcement help page.
You read details on Fastmail's past responses to law enforcement by reading our Data Transparency Report here.
Specific privacy practices
Remote image loading
When accessing your email through our web interface, we protect your privacy by fetching all remote images through our servers. This prevents the owner of the image from receiving additional information about you, such as your IP address (which can reveal your rough location), browser information, or tracking cookies.
Remote images can also be disabled in your user settings, so that these images only load if you want them to. This can be set to apply to all messages you receive, or only messages from senders that are not in your address book. Blocking remote images prevents "spy pixels" or "tracking pixels" from being used to inform the sender that you have opened an email.
Transfer of confidential data with third parties
Fastmail’s value proposition is “service in exchange for money.” We don’t ever sell or monetize confidential customer data or aggregate customer data.
As part of our commitment to open source, we do sometimes share statistical data (e.g., the average size of emails, or the percentage of email traffic which is encrypted). This information is useful in the broader email community to help drive software design.
We also share reports of spam, including spam false positives and false negatives, as well as spam intelligence with our partner organizations who provide us with spam feeds.
We use some third-party hosted services for bug tracking, support, exception alerting, and communications. While we don’t send bulk data through any of these services, small pieces of customer data (e.g. name, email address) may wind up in core dumps, in support ticket updates, inside bug descriptions, or in chat messages where colleagues work to resolve customer issues. We obfuscate where possible, but sometimes raw data is needed.
A list of third-party vendors used by Fastmail can be found in our Data Protection Policy.
Newsletters
We love giving customers the opportunity to hear about our new features as they land, get the most out of improvements we make to our service, and receive news about our company. We believe in quality over quantity, so our newsletters are only sent 4-6 times per year.
You can opt in or out of our newsletters at Settings → Privacy & Security, or by clicking the Unsubscribe from this list link at the bottom of every newsletter email.
We are not a bulk mailing company, and we have sending limits in place to enforce this. For this reason, we use an external partner to manage the delivery of our newsletters. To protect your privacy, we generate a single use address for every Fastmail newsletter recipient, ensuring that our newsletter partner receives no information about you.
You can find more information at our How Fastmail newsletters are delivered help page.
See also
If you're looking for information on Fastmail's security practices, you may be interested in reading our How we provide a secure service help page.