Last modified: September 6th, 2021
The Services are offered by Proton AG (the "Company" or "We").
The Company is domiciled in Switzerland at the following address:
Proton AG, Route de la Galaise 32, 1228 Plan-les-Ouates Geneva, Switzerland
Therefore, it is governed by the laws and regulations of Switzerland. Additional information about the legal framework can be found in our Transparency Report.
Any email address provided to us through either our waiting list, optional email verification, or optional notification/recovery email setting in your account, is considered personal data as defined and protected by the Swiss Federal Data Protection Act (DPA).
Such data will only be used to contact you with important notifications about the Services, to send you information related to security, to send you an invitation link to create your ProtonMail account, to verify your ProtonMail account, or to send you password recovery links if you enable the option. We may also inform you about new Proton products in which you might have an interest. You are free, at any given time, to opt-out of those features through the account settings panel.
In order to maintain the integrity of the Services, we must take measures to avoid creation of accounts by spammers. This is because if spammers use ProtonMail to send messages, ProtonMail’s IP addresses can become blocked by major mail providers such as Gmail, Yahoo, Outlook, etc.
In order to pursue our legitimate interest of preventing the creation of accounts by spam bots or human spammers, we use a variety of human verification methods. Verification may also be requested for some sensitive operations besides account creation in order to protect against brute-force attacks. You may be asked to verify using either hCaptcha (or reCAPTCHA in the event that hCaptcha is unavailable), Email, or SMS. IP addresses, email addresses, and phone numbers provided are saved temporarily in order to send you a verification code and for anti-spam purposes. The period of temporary data retention is determined by our legitimate interests of protecting the service from spam, and also by any applicable Swiss legal requirements we must comply with. If this data is saved permanently, it is always saved as a cryptographic hash, which ensures that the raw values cannot be deciphered by us.
Our overriding policy is to collect as little user information as possible to ensure a completely private and anonymous user experience when using the Services. We have no technical means to access the content of your encrypted emails, files, and calendar events.
Data collection is limited to the following:
Visiting our website: We employ a local installation of open-source analytics tools. Analytics are anonymized whenever possible and stored locally (and not on the cloud).
Account creation: It is not necessary to provide personal information in order to create an account, but you may provide an external email address for notification or password recovery purposes. Should you choose to provide it, we do associate another email address with your account (for password recovery, or notifications). The legal basis for processing is consent and you are free to remove that data in the account panel of your ProtonMail account.
ProtonMail Account activity: Due to limitations of the SMTP protocol, we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, message subject, and message sent and received times. We do NOT have access to encrypted message content, but unencrypted messages sent from external providers to ProtonMail are scanned for Spam and Viruses to pursue the legitimate interest of the protection of our users. We also have access to the following records of account activity: number of messages sent, amount of storage space used, total number of messages, last login time.
Proton Calendar Account activity: The Service needs to be able to access some properties of events in order to send required notifications and alarms. In order to do so, we have access to the following metadata: calendar name and description, event start and end date, repetition rules, attendees’ participation status, alarms and notifications, event creation and update times and event status (confirmed or cancelled). We do NOT have access to the description of the events, their summary or title, locations and the attendees’ details.
Proton Drive Account activity: For operational purposes, the Service must have access to the following metadata unencrypted: file/folder creation and modification timestamps, file/folder permissions, file type, file/folder owner username. When sharing a file or folder, we need to record which users own or can access said shared file or folder. When sharing URLs, we have access to the creation and last access time, the number of times the URL was accessed, and its creator. However, we do NOT have access to file contents, file and folder names, and thumbnail previews. Such data is end-to-end encrypted. We only know the size of the encrypted files, not the size of the original unencrypted file.
In addition to end-to-end encryption, all content is also cryptographically signed by the user, before sending it to us. This means that you can always check the signature of any content you get back from our servers, which protects you from forgery (e.g. by a malicious actor).
Communicating with ProtonMail: Your communications with the Company, such as support requests, bug reports, or feature requests may be saved by our staff. The legal basis for processing is our legitimate interest to troubleshoot more efficiently and improve the quality of the ProtonMail service.
Your login IP address is also kept permanently (until you delete it) if you enable authentication logging for your account (by default this is off). The legal basis of this processing is consent, and you are free to opt-in or opt-out at any time in the security panel of your account.
Payment Information: We rely on third parties to process credit card, PayPal, and Bitcoin transactions and must therefore share payment information with third parties. Anonymous cash or Bitcoin payments and donations are however accepted. The legal basis of this processing is that it is necessary for the execution of the contract between you and us.
Import Assistant: When using Import Assistant to transfer your data, you can choose from multiple options:
Import Assistant with "Sign in with Google": When you use our Import Assistant Tool to import your data from Google and authenticate using the “Sign in with Google” option, Import Assistant’s use of information received from Google APIs will comply with the Google API Services User Data Policy, including the Limited Use requirements.
Import Assistant with a username and password combination: When you use our Import Assistant Tool to import your emails from another service provider, the credentials of the email account from which the importation is performed are stored by the Company for the duration of the importation. Once the importation is performed, those credentials are entirely deleted from our systems.
When a ProtonMail account is closed, data is immediately deleted from production servers. Active accounts will have data retained indefinitely. Deleted emails, files, and calendar events are also permanently deleted from production servers. Deleted data may be retained in our backups for up to 30 days.
We do not have any advertising on our site. Any data that we do have will never be shared except under the circumstances described below in the Data Disclosure Section. We do NOT do any analysis on the limited data we do possess with two exceptions:
All servers used in connection with the provisioning of the Services are located in Switzerland and Germany and wholly owned and operated by the Company. Only employees of the Company have physical or other access to the servers. Data is ALWAYS stored in encrypted format on our servers. Offline backups may be stored periodically, but these are also encrypted. We do not possess the ability to access any user encrypted message content on either the production servers or in the backups.
Proton's alternative routing technology allows Proton apps to bypass many censorship blocks, but your network traffic may go through third party networks which we do not control. This could enable a third party to record your IP address or see that you are using Proton apps (the same information that your Internet Service Provider is able to see). These third parties cannot see your actual data, which remains encrypted. By default, alternative routing is not used for Proton apps unless they detect that censorship measures are active on your network. Alternative routing can also be completely disabled in the Settings panel of all of our mobile and desktop applications. However, doing so may cause you to be unable to access your Proton account if you are on a network that is censoring Proton.
To provide the Services, we rely on different data subprocessors, which process different categories of data:
| Zendesk, Inc. | Provide services in relation to the processing of customer support data (section 2.4). Only the information you include in support tickets is stored by Zendesk. | United States |
Processors never store data outside of the scope of their specific purpose. Notably, they do not store data in relation to the general day-to-day use of your Account and Services.
We will only disclose the limited user data we possess if we are instructed to do so by a fully binding request coming from the competent Swiss authorities (legal obligation). While we may comply with electronically delivered notices (see exceptions below), the disclosed data can only be used in court after we have received an original copy of the court order by registered post or in person, and provide a formal response.
If a request is made for encrypted message content that we do not possess the ability to decrypt, the fully encrypted message content may be turned over. If permitted by law, we will always contact a user first before any data disclosure. Under Swiss law, it is obligatory to notify the target of a data request, although such notification may come from the authorities and not from us.
We may, from time to time, contest requests if there is a public interest in doing so. In such situations, the Company will not comply with the request until all legal or other remedies have been exhausted. Therefore, not all requests described in our Transparency Report will lead to data disclosure. We are also permitted under GDPR and Swiss law to disclose data for the purposes of defending against attacks. The legal basis for this is our legitimate interest in protecting our Service and Company against attacks.
Through the Services, you can directly access, edit, delete or export personal data processed by the Company in your use of the Services.
If your account has been suspended for a breach of our Terms and Conditions, and you would like to exercise the rights related to your personal data, you can make a request to our support team.
In case of violation of your rights, you have the right to lodge a complaint to the competent supervisory authority.
We reserve the right to review and change this policy from time to time. We will notify users of material changes via public announcements on our blog.
Continued use of the Services will be deemed as acceptance of such changes.