The one-line version: we hold your mail so you can send and receive it, we hold your chat and call signalling so messages reach the right person, and we use your email address to contact you about the service. That's it. No ads, no mining, no AI training, no US cloud replication.
Who is the controller?
The data controller (the legal entity responsible for your data under the GDPR) is the operator of Tacitus Mail, based in the European Union. Contact: [email protected] — any mail sent to that address reaches the actual operators, not a support robot.
There is no designated DPO at our current size; the operator acts as the primary data protection contact. For formal GDPR requests, use [email protected].
What we collect, why, and how long we keep it
| Category | Lawful basis | Retention |
|---|---|---|
| Account identity: email address, chosen username, Argon2id password verifier, optional display name. | Contract (Art. 6(1)(b)) — we need it to run your mailbox. | While the account is active, then 30 days after deletion for reversal, then purged. |
| Mail content: subject, headers, bodies, attachments for your @tacitusmail.com account. | Contract — this is literally the mailbox service. | Until you delete it, or until the account itself is purged. |
| External mailbox credentials: IMAP/SMTP hostnames, usernames, passwords for Gmail/Outlook/etc. you added. | Contract — you asked us to fetch those mailboxes. | Until you remove the account. Encrypted at rest with AES-256-GCM. |
| Chat messages: ciphertext between you and another Tacitus user. | Contract. | Until you or the recipient delete the conversation. We cannot read them — we only relay. |
| Call signalling: who called whom, at what time, outcome (accepted/rejected/missed). Media is peer-to-peer and never stored. | Contract. | 90 days for the call log, then anonymised counters only. |
| Calendar, notes, contacts: events, note bodies, address book entries. | Contract. | Until you delete them. |
| Billing metadata: Stripe customer ID, subscription status, period end, last-four card digits (via Stripe). | Contract & legal obligation (VAT retention). | As long as legally required by EU accounting law (typically 10 years), then purged. |
| Server & access logs: timestamp, request method, path, response code, originating IP, user-agent. | Legitimate interest (Art. 6(1)(f)) — abuse and debugging. | 30 days rolling, then auto-purged. |
| Push tokens: APNs token, Web Push endpoint, user-agent. | Contract — needed to deliver notifications you opted in to. | Until you sign out or revoke the device. |
What we do NOT do
- We do not load any third-party analytics, pixel, session replay, or fingerprinting SDK in the web client. No Google, no Facebook, no Segment, no Hotjar.
- We do not sell, rent or trade your data to advertisers, brokers, or anyone else. There is no arrangement to do so.
- We do not train AI / language models on your mail, chat, calendar, notes or contacts. Not our own models, not anyone else's.
- We do not inject tracking links into your outbound mail.
- We do not replicate your mail, chat or calendar events to storage outside the European Union.
- We do not read your mail to tailor ads, suggestions, or "smart" features.
Sub-processors
We use a small number of service providers whose role is strictly infrastructure. Each is listed below with its purpose and region. If we add a new sub-processor, this list is updated and the "Last updated" date at the top changes.
- Hetzner — EU (Germany / Finland) dedicated server hosting. All application data sits on disks rented from Hetzner under a Data Processing Agreement.
- Let's Encrypt — free TLS certificates for tacitusmail.com and mail.tacitusmail.com. They see the domain name, not the content.
- Stripe — billing and VAT. Stripe sees your card details and billing address for paid plans; we only receive a customer ID and subscription status back. Stripe processes this data under their Data Processing Addendum.
- Apple Push Notification Service (APNs) — delivery of notifications to the iOS app. APNs receives the opaque device token and the encrypted notification payload (sender name, subject preview truncated to 80 characters).
- Mailgun / Postmark (only if configured as an outbound relay for reputation — disabled by default). Would see the envelope of outbound mail destined for third-party recipients. Body is delivered unchanged.
Your GDPR rights
If you are in the EU / EEA, the GDPR gives you a specific set of rights over your personal data. We honour all of them, whether or not you are a paying customer:
- Right of access (Art. 15). You can request a copy of every piece of personal data we hold about you. Response target: 7 days.
- Right to rectification (Art. 16). You can ask us to correct inaccurate data — or just edit it yourself in the web UI.
- Right to erasure / to be forgotten (Art. 17). You can delete your account from /settings/accounts, or email us, and everything listed in the table above is purged within 30 days. Backups containing your data age out of rotation within another 30 days.
- Right to data portability (Art. 20). You can export every mail as an .mbox file and every contact as .vcard. Calendars export as .ics. Notes export as markdown.
- Right to restrict processing (Art. 18). Pause sync or outbound delivery without deleting your account — email us and we will.
- Right to object (Art. 21). Object to processing based on legitimate interest (e.g. ask us to stop keeping server logs for you). Note that for some flows — particularly abuse handling — we may still need to retain minimum metadata.
- Right to lodge a complaint. You can complain to your local data protection authority. We'd rather you tell us first so we can fix whatever the issue is.
Cookies
The web client uses exactly one cookie: access_token — the HTTP-only, Secure, SameSite=Strict session JWT that proves you're logged in. It's set on /auth/login, cleared on /auth/logout, and never read by client-side JavaScript. We do not use advertising, analytics, or tracking cookies.
Your UI preferences (theme, sidebar accent, background pattern, mail view mode, density) are stored in localStorage in your browser only. We never read them from the server.
Contact
- General privacy questions & GDPR requests: [email protected]
- Security incidents: [email protected]
- Abuse reports: [email protected]