Privacy Policy
Most privacy policies are written to be skimmed past. This one is written to be read. We are a paid, private email service: our whole business is holding as little of your data as possible and keeping what we do hold locked away - including from ourselves. This policy explains exactly what we collect, why, how long we keep it, and what your rights are under the revised Swiss Federal Act on Data Protection (FADP). We also comply with the GDPR and the UK GDPR for our EU and UK customers, whose rights are the same in substance.
1. Who we are
The data controller for everything described in this policy is Scroogle Mail AG, a company registered in the Commercial Register of the Canton of Zurich, Switzerland (UID CHE-214.796.358).
Scroogle Mail AG
Werdmattweg 7
8005 Zurich
Switzerland
Our Swiss VAT number is CHE-214.796.358 MWST. Because we sell to UK consumers, we are also VAT-registered in the UK under number GB 427 8811 36.
Questions about privacy or this policy go to privacy@scrooglemail.com, which reaches our Data Protection Officer directly. If your question is about the service itself rather than your data, our Terms of Service and support pages are the right place.
2. The short version
If you only read one section, read this one. The rest of the policy is the detail behind these six statements:
- We cannot read your mail. Your mailbox is encrypted with keys derived from your password, which we never see.
- We collect the minimum needed to run a paid service - an account, a bill, and enough logs to stop abuse. That is genuinely it.
- We do not sell, share or advertise. No ad networks, no data brokers, no "trusted partners".
- No analytics cookies. This website sets one strictly necessary cookie when you sign in, and nothing else.
- Your mail never leaves Switzerland. It lives in our two Swiss datacentres, not in someone else's cloud.
- You are in control. You can export or delete everything yourself, from Settings, without asking our permission.
3. Data we collect, and why
We designed Scroogle Mail so that the honest answer to "what do you know about me?" is "very little". Here is the complete list, category by category. If it is not listed here, we do not collect it.
Account creation
When you sign up we store your chosen username, a password verifier - a cryptographic value that lets us check your password is right without ever knowing what it is - and, if you choose to give one, an optional recovery email address. We never store or see your actual password: it stays on your device, where it is used to derive your encryption keys.
Account activity
To run your account we keep basic operational facts: how much storage you are using, which plan you are on, and the feature settings you have chosen (aliases, filters, custom domains, two-factor authentication and so on). This is the metadata any service needs to function. It does not include the content of your messages, which is encrypted before it reaches our disks.
IP addresses and logs
By default we do not keep permanent IP logs. Access logs are retained for 3 days to fight abuse and fraud, then deleted.
One honest qualifier: if an account is under active investigation for abuse - for example, it is being used to send spam or phishing - we may extend log retention for that account until the investigation is closed, because three days is not always long enough to establish a pattern. This is the exception, applied per account, not the rule.
Payments
Payments are processed by our payment provider, not by us. What we see and store is your plan, the amount, the dates, and the last four digits of your card - enough to answer "did this invoice get paid?" and nothing more. Full card numbers never touch our systems. Refunds and cancellation are covered in our Terms of Service.
Support conversations
If you write to support, we keep the conversation so we do not make you repeat yourself and so we can spot recurring problems. Support staff can see the account metadata described above - plan, billing state, storage used - but never your message content, because they have no technical means to decrypt it.
The website
scrooglemail.com uses no analytics and no tracking cookies. When you sign in, we set one strictly necessary session cookie so the site knows you are you; it is deleted when your session ends. There are no third-party scripts watching what you read on this site, which is rarer than it should be.
4. Lawful bases
Data protection law - the FADP for everyone, and the GDPR and UK GDPR for our EU and UK customers - requires a justification for every use of personal data. Here is ours, purpose by purpose:
| Purpose | Data | Lawful basis |
|---|---|---|
| Providing your mailbox and the features of your plan | Username, password verifier, account settings, storage usage, encrypted mailbox data | Contract - we cannot deliver the service you pay for without them |
| Billing, invoicing and VAT records | Plan, amounts, payment dates, last four card digits | Legal obligation - the Swiss Code of Obligations requires us to keep business and billing records |
| Preventing abuse, spam and fraud | Short-lived access logs (IP address, timestamp) | Legitimate interests - protecting our users and our infrastructure from attack, account takeover and outbound spam. We balanced this against your privacy and kept retention to 3 days by default |
| Account recovery via an optional recovery email | The recovery email address you choose to give us | Consent - it is optional, and you can remove it in Settings at any time |
| Service emails (invoices, security alerts, material changes) | Your address, plan and billing state | Contract - these are part of running your account, not marketing |
Note what is missing from that table: marketing, profiling, advertising and "product improvement analytics". We do not do any of them, so we do not need a lawful basis for them.
5. Who we share data with
We use a small number of processors - companies that handle data on our instructions, under written contracts, and for no purpose of their own:
- Our payment provider, which processes card payments so that full card details never reach us.
- The operators of our two Swiss datacentres (Zurich and Lausanne), which house our own hardware. They provide power, cooling and physical security; they have no access to the data on our machines, which is encrypted at rest anyway.
That is the whole list. There are no ad networks, no data brokers, no analytics companies and no "selected third parties". We have never sold personal data and never will. It is not a clever legal position; it is the entire reason the company exists.
Like every Swiss company, we can be legally compelled to disclose data by a Swiss court or a competent Swiss authority. We comply with Swiss law - but we designed the service so that what we can hand over is almost nothing: encrypted blobs we cannot decrypt, and the minimal metadata described in section 3. Every request we receive is counted in our annual transparency report.
6. International transfers
In normal operation your mail stays in Switzerland. It is stored in our two Swiss datacentres, in Zurich and Lausanne, on hardware we own. We do not use third-party cloud hosting, and no processor we use takes your mail or account data outside Switzerland. The one exception is in your hands: if you pay by card, PayPal or Apple Pay, your payment details go to that payment provider under its own safeguards - they never pass through our mail systems.
Both the UK and the EU have formally recognised Switzerland as providing adequate data protection, so no additional transfer safeguards are needed for us to serve our UK and EU customers - your mail can lawfully stay right here.
If we ever used a processor elsewhere in future, we would put the appropriate safeguards in place first, and we would update this section - and tell you - before any transfer happened, not after.
7. How long we keep things
Our default is to delete. Where we keep something longer, it is because the law requires it or because deleting it immediately would create a genuine problem, and we say which below:
| Data | Kept for | Why |
|---|---|---|
| Mailbox content | Until you delete it or close your account; then purged from live systems within 30 days and from backups within 90 days | It is your mail - you decide when it goes |
| Access logs | 3 days | Abuse and fraud prevention (see section 3 for the investigation exception) |
| Billing records | 10 years | Required by the Swiss Code of Obligations |
| Support tickets | 24 months | Handling follow-ups and spotting recurring faults |
| Closed-account stub (email address and closure date only) | 90 days | Prevents immediate re-registration abuse of a just-closed address |
8. Your rights
Under the FADP - and, for our EU and UK customers, the GDPR and UK GDPR - you have the right to:
- Access the personal data we hold about you;
- Rectification - have inaccurate data corrected;
- Erasure - have your data deleted;
- Restriction - limit how we use your data while a dispute is resolved;
- Portability - receive your data in a usable, machine-readable format;
- Objection - object to processing based on legitimate interests;
- Withdraw consent at any time, where consent is the basis (for example, your optional recovery email).
For most of these you do not need to ask us at all: export and delete are self-service, in Settings, and work immediately. Export gives you your entire mailbox in standard formats; delete closes the account and starts the purge timelines in section 7.
For anything you cannot do yourself, email privacy@scrooglemail.com. We respond within one calendar month, as the law requires - usually much faster. We will need to verify that you control the account before acting, which protects you: a data-protection right should never become someone else's way into your mailbox.
9. Complaints
If you think we have handled your data badly, please tell us first at privacy@scrooglemail.com - we would appreciate the chance to deal with your concerns before you approach a regulator, and we take them seriously.
You also have the right, at any time, to complain to our supervisory authority:
Feldeggweg 1
CH-3003 Bern
Switzerland
www.edoeb.admin.ch
UK customers may also complain to the Information Commissioner's Office (ICO) at ico.org.uk.
10. Automated decision-making
We do not make any automated decisions about you that have legal or similarly significant effects. There is no profiling, no scoring and no algorithmic account judgement.
The closest thing we have is spam filtering, which runs on your device and against encrypted metadata patterns rather than message content we can read. Its only effect is which folder a message lands in - and you can override it with a click.
11. Status of this website
As of the date at the top of this policy, this website operates as a non-interactive design demonstration. Its forms are not connected to any backend: nothing entered anywhere on this site is collected, transmitted or stored by us or by anyone else, no account is created, and no payment can be taken. The sections above describe how the service is designed to operate when it is live. This section will be removed when that happens.
12. Changes to this policy
If we make a material change to this policy - anything that changes what we collect, why, or who sees it - we will email every account holder 30 days before the change takes effect, in plain English, with the old and new wording. We will never slip a change in quietly and rely on "continued use constitutes acceptance".
An archive of every previous version of this policy is available on request from privacy@scrooglemail.com.
13. Contact
For anything in this policy, or any question about your personal data:
- Email privacy@scrooglemail.com (this reaches our Data Protection Officer); or
- Write to: Scroogle Mail AG, Werdmattweg 7, 8005 Zurich, Switzerland - mark the envelope FAO Data Protection Officer.
For questions about the service, billing or your subscription rather than your data, see our Terms of Service or contact support.