Privacy Policy

1. Our Privacy Promise

PicaMail exists to protect your privacy. We built this service because we believe you should be able to give out an email address without worrying about spam, data breaches, or tracking. Our business model is simple: we charge for premium features, not for your data.

We do not sell your data. We do not show ads. We do not use analytics trackers. We collect the absolute minimum data needed to run the service.

2. What Data We Collect

Account Information

• Email address - your real email where aliases forward to. Required for the service to work.
• Password hash - we store a one-way bcrypt hash, never your plaintext password.
• Account creation date - for internal record-keeping.
• Subscription status - whether you are on the free or Pro tier, and billing dates.

Alias Metadata

• Alias name - the alias address you created (e.g., [email protected]).
• Creation date - when you created the alias.
• Active/inactive status - whether the alias is currently forwarding.
• Forwarded count - how many emails have been forwarded through this alias.
• Blocked count - how many emails were blocked by your rules.

Payment Information (Pro users only)

Payment processing is handled entirely by Stripe. PicaMail never sees or stores your full credit card number. We receive only:

• Card type and last four digits (for your reference in the dashboard).
• Billing address country (required for tax compliance).
• Stripe customer ID (to link your payment to your account).

3. What We Do NOT Collect

This is the most important section.

• Email content - PicaMail forwards emails in memory. Email subjects, bodies, and attachments pass through our servers but are never written to disk, never stored in a database, and never logged. Once the email is delivered to your inbox, it no longer exists on our systems.
• IP addresses of email senders - we do not log who sends emails to your aliases.
• Browsing behavior - we do not track what websites you visit, what you click, or how you use third-party services.
• Device fingerprints - we do not fingerprint your browser or device.
• Analytics data - we do not use Google Analytics, Facebook Pixel, Hotjar, or any third-party analytics or tracking service.

4. Failed Delivery Logs

By default, if an email fails to forward (for example, because your inbox is full), PicaMail discards the email and increments a "failed" counter on the alias.

If you enable the Store Failed Deliveries option in your account settings, PicaMail will temporarily store the content of failed emails so you can retry delivery or view them in the dashboard. Failed delivery data is encrypted at rest and automatically deleted after 7 days. You can manually delete it at any time.

This feature is opt-in and disabled by default.

5. Cookies

PicaMail uses only essential cookies:

Cookie	Purpose	Duration
session	Keeps you logged in	Until you log out or 30 days
theme	Remembers your dark/light mode preference	1 year

We do not use advertising cookies, tracking cookies, or any third-party cookies. There is no cookie banner because there is nothing to consent to beyond essentials.

6. Data Storage and Security

Your account data and alias metadata are stored on encrypted servers in the European Union. All data is encrypted at rest using AES-256 and in transit using TLS 1.3.

Access to production systems is restricted to a minimal number of authorized personnel with multi-factor authentication. We perform regular security audits and penetration testing.

7. GDPR Compliance

PicaMail is fully committed to GDPR compliance. As a user, you have the following rights:

Right to Access

You can view all data PicaMail holds about you at any time through your account dashboard. You can also request a machine-readable export of your data.

Right to Data Export

You can export all your data (aliases, metadata, settings) as a JSON file from your account settings at any time, without needing to contact support.

Right to Deletion

You can delete your account at any time from your account settings. When you delete your account:

• All alias metadata is permanently deleted.
• Your email address is removed from our systems.
• Any stored failed delivery data is permanently deleted.
• Payment records are retained only as required by tax law (typically 7 years for transaction records), with all personal identifiers removed.

Account deletion is immediate and irreversible. There is no "soft delete" or recovery period.

Right to Rectification

You can update your email address and account details through the dashboard at any time.

Right to Restrict Processing

You can deactivate all aliases at any time, which stops all email forwarding while preserving your account and alias configuration.

8. Third-Party Data Sharing

We do not share your data with any third party for marketing, advertising, analytics, or any other purpose.

The only third parties that interact with your data are:

• Stripe (payment processing) - only for Pro subscribers, governed by Stripe's Privacy Policy.
• Infrastructure providers (server hosting) - bound by data processing agreements that prohibit them from accessing or using your data.

We will disclose data only if legally compelled by a valid court order, and we will notify you unless legally prohibited from doing so.

9. Data Retention

• Active accounts: data retained for the lifetime of your account.
• Deleted accounts: all personal data deleted immediately. Anonymized aggregate statistics (total emails forwarded, total aliases created across the platform) may be retained.
• Failed delivery logs: auto-deleted after 7 days, or immediately on manual deletion.
• Server access logs: retained for 48 hours for security monitoring, then permanently deleted. These logs contain only timestamps, HTTP methods, and status codes - no email content or personal identifiers.

10. Children's Privacy

PicaMail is not directed at children under 16. We do not knowingly collect data from children. If we learn that we have collected data from a child under 16, we will delete it immediately.

11. Changes to This Policy

When we make changes to this privacy policy, we will notify you via the email address associated with your account at least 14 days before the changes take effect. We will also update the "Last updated" date at the top of this page.

Previous versions of this policy are available upon request.

12. Data Protection Officer

If you have privacy-related questions or concerns, you can contact our Data Protection Officer:

• Email: [email protected]

We aim to respond to all privacy inquiries within 48 hours.

13. Contact

For general privacy questions or to exercise your rights, contact us at:

• Email: [email protected]
• DPO: [email protected]

Effective date: March 2026