Privacy policy

EasyCrypt is committed to protecting the privacy of users and safeguarding their data. We will never sell or willingly transfer user data to 3rd parties. Moreover, we will always strive to learn as little as possible about our users. To this end, we deploy advanced technical means including, among other things, access to our service over the Tor network at an onion address and encryption of user data with keys and passwords known only to the users. The information to which our servers are exposed belongs to the following categories:

 

  1. Volatile data that our servers do not collect and do not store. Such data only pass temporarily through the volatile RAM of our servers and are erased as soon as the user session or email transmission is over. This includes the user’s IP address (which the user may hide using Tor), and the user’s email password or authentication token (for EasyCrypt webmail only; no such exposure occurs if the user uses our desktop or mobile clients). For the currently offered basic PGP encryption service, this also includes email message metadata that is included in email headers of the encrypted messages (OpenPGP does not encrypt message headers), as well as email messages that the user chooses to send and receive unencrypted. This information is never stored in non-volatile memory and is only readable by our servers when the user is online and is actively using the webmail service.
  2. User country information that we collect at the time of sign-up for statistical analysis of our user base. The user may choose to hide the country from which they sign up by using the Tor browser.
  3. User email addresses that we store in encrypted databases, with decryption keys known to EasyCrypt.
  4. Cryptographic hash of the EasyCrypt password of the user. The password itself is never exposed to EasyCrypt servers.
  5. Data encrypted by the user’s public key or EasyCrypt password. Such data cannot be decrypted by EasyCrypt, stolen or given away in unencrypted form. For our webmail service, this includes the PGP-encrypted email message body and attachments (which pass encrypted through our servers and are erased from them as soon as message transmission is over); the email password or authentication token (which are encrypted by the user’s public key and stored on our servers); and the user’s private keys. The latter are encrypted by a password that is known only to the user and cannot be decrypted by EasyCrypt or 3rd parties.

 

EasyCrypt will obey a valid court order or subpoena if required to provide information to Swiss authorities. Such orders will be scrutinized by our legal counsel and resisted if legally possible. For the following reasons, the only type of readable personally identifiable information that can be provided to authorities under such circumstances is the user’s email address (data category 3 above):

 

  • Data of category 1 are, to the best of our knowledge, impossible to subpoena under Swiss law as this would require forcing EasyCrypt to actively spy on its users while they are online and using the service.
  • The user’s country information (category 2), even if provided under a subpoena, is not personally identifiable.
  • The user’s EasyCrypt password (category 4) is hashed and unreadable.
  • Data of category 5 are encrypted and unreadable. 

 

See Under the Hood for technical details.
