Last updated: 23 May 2026

At Mailotte, privacy is not a feature — it is the foundation of everything we build. This Privacy Policy explains what information we collect, why we collect it, how we use it, and the choices you have to control your data. Mailotte is operated by MAILOTTE LTD, a company incorporated in England and Wales, and we comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018. Although our company is registered in the United Kingdom, your mailboxes, attachments, and account data are stored exclusively on servers located in the European Union (Germany).

Who We Are (Data Controller)

The data controller responsible for your personal data is:

• MAILOTTE LTD
• Registered in England and Wales, company number 17119010
• Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
• Data protection contact: privacy@mailotte.com

1. Information We Collect

We collect the minimum amount of information necessary to provide and secure our email service.

Information you provide to us

• Account information: a username (which becomes your email address), your name, and a password.
• Email content: messages you send and receive, including attachments, stored on our servers to deliver the service.
• Payment information: if you subscribe to a paid plan, your payment details are processed by our third-party payment provider. We do not store your full card number on our servers.
• Support requests: information you provide when you contact our support team.

Information collected automatically

• Log data: IP address, browser type, access times — retained for security and automatically deleted after 90 days.
• Device information: operating system, device type, and language settings.
• Usage data: aggregated, anonymised statistics about how you use Mailotte, used solely to improve the service.

2. How We Use Your Information

• To provide, maintain, and improve Mailotte’s email services
• To send and receive email on your behalf
• To protect your account and prevent abuse, fraud, and spam
• To communicate with you about your account, service updates, and security alerts
• To comply with legal obligations under UK and EU law
• To provide customer support when you contact us

We do NOT scan your emails for advertising, build advertising profiles, sell your data, train machine-learning models on your private email content, or track you across other websites.

3. How We Protect Your Information

• All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• All data is stored exclusively on EU-based servers in GDPR-compliant data centres
• Ongoing security testing, with independent third-party audits introduced as our security programme matures
• Strict access controls — only authorised personnel can access infrastructure
• Email tracking pixels and external content are blocked by default
• Two-factor authentication (2FA) available for all accounts

4. Sharing Your Information

We do not sell, rent, or trade your personal information. We share limited data only with trusted service providers (subprocessors) bound by data processing agreements, or where required by law. Our current subprocessors include:

• Hetzner Online GmbH (Germany) — server & storage hosting
• Aiven (Finland, EU) — managed PostgreSQL
• Stripe — payment processing for paid plans. Depending on your location, your payment data may be handled by Stripe entities in the EU and the United States; these transfers are covered by Standard Contractual Clauses and the UK International Data Transfer Addendum. (We may move payment processing to an EU-based provider in future; this policy will be updated if we do.)
• Sentry (EU region, Frankfurt) — error tracking
• Mistral AI SAS (Paris, France) — EU-resident AI provider used only as a fallback when our local model is unavailable; contractually prohibited from using your content to train its models
• Web push gateways (Google, Apple, Mozilla) — only if you opt in to browser notifications; payloads are end-to-end encrypted

Your stored email content remains in the European Union (Germany) and is not transferred outside the EEA except as expressly described in this policy (for example, end-to-end encrypted push notifications and payment processing). Because MAILOTTE LTD is a UK company that administers EU-hosted infrastructure, limited personal data (such as account and billing identifiers) may be accessed from the United Kingdom, and any administrative access from outside the EEA is limited to authorised personnel, logged, and subject to strict access controls. UK–EU transfers are covered by the mutual adequacy decisions in force between the UK and the EU. Where a subprocessor processes data outside the UK and EEA (for example, Stripe via its US affiliates), the transfer is covered by Standard Contractual Clauses and the UK International Data Transfer Addendum under GDPR Art. 46.

AI processing. Mailotte’s AI features run primarily on a local model hosted on our own servers in Germany, with an EU-resident fallback (Mistral AI) that is contractually prohibited from using your content to train its models. We do not send your email content to OpenAI, Anthropic, Google, or any other US-based AI provider, and we do not train models on your private content.

Push notifications. If you enable browser push, alerts are reached through your browser vendor’s push service (Google, Apple, or Mozilla), which may route through the United States. Each notification is encrypted end-to-end under the Web Push standard (RFC 8291) before it leaves our servers, so the gateway can only relay an opaque message — it cannot read the sender, subject, or content. You can disable push at any time in Settings → Notifications.

5. Your Privacy Rights

Under the UK GDPR and EU GDPR you have the rights of access, rectification, erasure, restriction, data portability, objection, and withdrawal of consent. To exercise any of these, visit your Account Settings or contact privacy@mailotte.com. We respond within one month as required by law.

6. Data Export and Deletion

You can export all of your data at any time from your Account Settings in standard, portable formats (e.g. .eml for emails, vCard for contacts). You can also delete your account at any time, which permanently removes your personal data, emails, and associated content from our servers after a short grace period.

7. Data Retention

We retain personal data only as long as necessary. Account data is kept for the life of your account; security logs and login history for 90 days; mail delivery events for 30 days; items in Trash for 30 days; billing records as required by UK tax and accounting law.

8. Cookies and Tracking

Mailotte uses only essential cookies (authentication, security, and preferences). We do not use advertising cookies, third-party advertising trackers, cross-site tracking, or browser fingerprinting. See our Cookie Policy for full detail.

9. Children’s Privacy

Mailotte is not directed at children under 16 (or the minimum age required in your country to consent to the processing of personal data). We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice within the service at least 30 days before the changes take effect.

11. Supervisory Authority

If you believe our processing infringes data protection law, you may lodge a complaint with a supervisory authority. As MAILOTTE LTD is established in the United Kingdom, our lead authority is the UK Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom (ico.org.uk). If you are in the EEA, you may instead complain to the supervisory authority of your country of residence. Please contact us first so we can try to resolve your concern directly.

12. Contact Us

Questions about this Privacy Policy or your personal data can be sent to our data protection contact at privacy@mailotte.com.