GDPR is here!


The European Union and the United Kingdom have been leaders in writing regulations to protect something we've long known you value -- your personal information and privacy. We talked about the basics of GDPR protection last month; now it's time to talk about what's changing.

For us, it's been an opportunity to make sure that our practices are in line with our values.

For FastMail, not much is changing. We have high standards for ourselves, and you don't have to change much if you aren't monetizing customers' personal data! Where we've spent the bulk of our time (besides converting our policies from code into words) is thinking about areas where being helpful comes into tension with privacy.

Being helpful vs. protecting your privacy

We pride ourselves on solving unusual problems like buggy mail client behavior, and on helping customers out of tough situations (even when that tough situation is something like "my aged parent forgot to pay for their account for two years"). It feels great to go above and beyond for customers! But this process made us think about what kind of personal data might be collected incidentally in the logs we use for debugging, and about how long a reasonable person would expect their information to be retained if they choose not to pay for an account.

Reducing our data retention periods, especially in the case where the retained data was likely to contain personal customer information, was one of our biggest changes. We've tried to strike the right balance between making sure you still get the support you expect from us, and protecting your personal information.

You've got rights - know how to use them

We know our new privacy policy is longer. We chose to sacrifice brevity for coverage, but we hope it is still clear and easy to understand.

Due to our commitment to open standards, it's always been possible to get your personal data from us in a downloadable, machine-readable format. The privacy policy now includes much more specific language detailing the laws under which those rights are granted, but at FastMail everyone has them, not just European residents.

What's a DPA, and do I need one?

One of GDPR's other major goals is to try to keep companies from passing the buck in the case of a breach of personal information. As such, corporations that process data on behalf of other people need a contract with all the vendors they use who might hold that information. That contract is a Data Protection Addendum. If you're an individual, you get your services directly from us, and you don't need a DPA.

If you're a business and you do need a DPA, how to get one depends on which product you're using:

  • FastMail: go to your Policy settings page and select a checkbox to have the DPA applied.
  • Pobox: go to your Dashboard and select a checkbox to have the DPA applied.
  • Listbox and Topicbox: due to the nature of the services, the DPA is deemed to automatically apply to all customers, so there's nothing to do.

What's next?

This is not our last revision to our Terms of Service and Privacy Policy. Protecting your data is not something we need a law to push us to do! It did push us to formally name Privacy Officers (whom you can contact at privacy@fastmailteam.com). They are staffers who are receiving additional training on security and privacy considerations, and they are explicitly empowered to question decisions we're making in all our products, to make sure we're always making good choices around your privacy.

Our revised documents and new related resources:

If you have further questions about GDPR, your data, or your privacy rights, feel free to reach out to our support team for assistance. Thank you for using FastMail!