GDPR is here!
The European Union and the United Kingdom have been leaders in writing regulations to protect something we've long known you value -- your personal information and privacy. We talked about the basics of GDPR protection last month; now it's time to talk about what's changing.
For us, it's been an opportunity to make sure that our practices are in line with our values.
For FastMail, not much is changing. We have high standards for ourselves, and you don't have to change much if you aren't monetizing customers' personal data! Where we've spent the bulk of our time (besides converting our policies from code into words) is thinking about areas where being helpful comes into tension with privacy.
Being helpful vs. protecting your privacy
We pride ourselves on solving unusual problems like buggy mail client behavior, and helping customers out of tough situations (even when that tough situation is something like "my aged parent forgot to pay for their account for two years.") It feels great to go above and beyond for customers! But this process made us think about what kind of personal data might be collected incidentally in the logs we use for debugging, or how long a reasonable person might expect that their information is retained if they choose not to pay for an account.
Reducing our data retention periods, especially in the case where the retained data was likely to contain personal customer information, was one of our biggest changes. We've tried to strike the right balance between making sure you still get the support you expect from us, and protecting your personal information.
You've got rights - know how to use them
What's a DPA, and do I need one?
One of GDPR's other major goals is to try to keep companies from passing the buck in the case of a breach of personal information. As such, corporations that process data on behalf of other people need a contract with all the vendors they use who might hold that information. That contract is a Data Protection Addendum. If you're an individual, you get your services directly from us, and you don't need a DPA.
If you're a corporation and you do need a DPA, how you get one depends on which product you're using:
- FastMail: go to your Policy settings page and select a checkbox to have the DPA applied.
- Pobox: go to your Dashboard and select a checkbox to have the DPA applied.
- Listbox and Topicbox: due to the nature of the services, the DPA is deemed to automatically apply to all customers, so there's nothing to do.
training on security and privacy considerations, and are explicitly empowered to question decisions we're making in all our products to make sure we're always making good choices around your privacy.
Our revised documents and new related resources:
- Terms of Service
- Security Policy
- Data Protection Addendum (only applicable to businesses who control data on the behalf of others)
If you have further questions about GDPR, your data, or your privacy rights, feel free to reach out to our support team for assistance. Thank you for using FastMail!