SecureMyEmail

Privacy Policy

At Witopia, we are dedicated to upholding what we believe is the fundamental human right to privacy. Our mission and livelihood revolve around providing secure and private services. In line with this commitment, the SecureMyEmail systems, software, and website(s) are intentionally designed to collect minimal data and enforce stringent privacy and security measures. The Privacy Policy outlined here serves to define and communicate how any collected personal data and information are handled.

We care about your privacy, and we appreciate the trust you place in us. To justify your trust, we continuously deploy the latest data security standards, improve our awareness of privacy matters, and comply with the EU General Data Protection Regulation (the “GDPR”) and other privacy laws.

Our Apps adhere to current programming best practices and are regularly updated and patched for any known security loopholes. Local data is stored in a local database on the customer device and available only to the application.

All communications between clients (the Apps) and SecureMyEmail servers are encrypted using modern TLS protocols preferring elliptic curve ciphers. Customers must log in using a password of their choosing and can add optional 2FA to further protect their accounts. Witopia never has access to this password, only a hash of the password is stored in our databases for user verification.

This Privacy Policy describes which of your personal data the App collects, how it stores and processes it, and what happens when you use SecureMyEmail.

Please note that we do not collect, track, or store any personal data over what we need to provide and improve our product and services, perform marketing as described in this Policy, and comply with our legal obligations.

What information do we collect?

Visiting our websites:

We use a basic installation of website analytics software to research general trend data for basic marketing and planning purposes. This data is non-personally-identifying bulk information such as: title of the pages on our websites being viewed, referring websites, and geographical popularity. Again, this data cannot be used to personally identify users or visitors as we do not capture IP addresses or other personally-identifiable information.

Payment:

We use third parties (Stripe, as of this writing) as a payment processor to process credit cards, other financial transactions, and invoicing. These services do have procedures in place to prevent online fraud that may capture and analyze transaction data. If you purchase the Service through Google Play, Apple, or another third party, you should consult with them directly as to their respective privacy policies, but Witopia only retains minimal payment information to process the transaction and provide service.

Account creation and use:

We securely store the email addresses, email configuration, and name(s) you enter when creating your accounts as well as contacts you submit to us. We also, because of the SMTP protocol, must temporarily store your recipients’ email addresses so we are able to route your communications correctly. Again, this is a function of the way email works, not data collection.

Support and other communications:

We may retain emails, chats, and other communications that you voluntarily send to us, including through our internal trouble-ticketing system, so we can troubleshoot issues with the Service.

Authentication:
  • The Service uses a combination of Oauth, app-specific passwords, and hashed passwords to authenticate You to our systems and Your email accounts. We never have access to these passwords.
  • Our apps’ use of information received from Google APIs will adhere to Google API User Data Policy and the Limited Use Requirements.

Google User Data

Witopia's use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements. This section may be helpful for you if you use SecureMyEmail in conjunction with your Gmail or Google Workspace email account.

Protection. We have implemented robust security measures to ensure that your Google user data remains safe and secure. This includes encryption of all data at rest and in transit, providing you with peace of mind about the confidentiality and integrity of your information.

Permissions. When seeking access to your Google user data, all permission requests are being sent by the SecureMyEmail software. Your authorized client credentials to access your Gmail account provided to us will be kept confidential. The SecureMyEmail software only requests access to the information it needs; the SecureMyEmail software will prompt you to refresh the access permissions if it implements new features. Where possible, the SecureMyEmail software will use incremental auth.

Revoking access to Google User Data. You may revoke Witopia's access to your Gmail account by using Gmail settings: My Account -> Security tab -> Third-party apps with account access -> Manage third-party access -> SecureMyEmail -> Remove access.

Should you choose to disconnect your Gmail account from SecureMyEmail, it will result in the loss of access to your Gmail account within our platform. This means we will no longer be able to display emails from your Gmail account. If you decide to delete your SecureMyEmail account, we will delete all data obtained from your Gmail account. However, it's important to note that this may result in the inability to use SecureMyEmail for managing your Gmail emails in the future.

It's crucial to consider the implications of disconnecting your Gmail account from SecureMyEmail. Doing so will lead to the loss of access to your Gmail account within our platform, including the inability to display emails. Deleting your SecureMyEmail account will result in the deletion of all data obtained from your Gmail account.

Request purpose. The purpose for which the App requests your user data is to enable you to use SecureMyEmail features when working with your Gmail account emails. We do not use your Google User Data for any other purposes but to provide you with access and the ability to use the SecureMyEmail Service.

Disclaimer. We do not use Google User Data to display, sell, or distribute this data to any third party conducting surveillance. SecureMyEmail has no hidden features, services, or actions that are not mentioned in this Privacy Policy or the Terms of Service. SecureMyEmail takes reasonable and appropriate steps to protect all applications or systems that make use of Google User Data against unauthorized or unlawful access, use, destruction, loss, alteration, or disclosure. SecureMyEmail belongs to a Permitted Application Type as mentioned in the Google API Services User Data Policy (namely, an application that enhances the email experience for productivity purposes).

With regard to the access to Google User Data as specified above, we will:

  • use access only to read, write, modify, or control Gmail message bodies (including attachments), metadata, headers, and settings to provide an email client that allows Users to compose, send, read, and process emails.
  • not use Gmail data for serving advertisements, including retargeting, personalized, or interest-based advertising;
  • ensure that your employees, agents, contractors, and successors comply with this Google API Services: User Data Policy.

OAuth login or mail server credentials: SecureMyEmail requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product will not be able to provide you with the necessary communication experience.

What about the privacy of my email using the service?

Because of the way SecureMyEmail is designed, while our software needs to manage your email, we never have access to the email contained in your email accounts. In fact, because we are not an email provider, but an encryption provider, the only email that ever traverses our servers is encrypted email and, as such, is handled in very specific ways to ensure user privacy.

For email, and attachments, that are encrypted and sent to another SecureMyEmail user or sent to a non-user using our "Encrypted+" method:

Email and attachments are encrypted “end-to-end” and with zero-knowledge encryption. As such, they are encrypted on the sending device, utilizing the secret password or passphrase known only to the user, before they leave that device and are only able to be decrypted on the recipients” device(s). We do not possess the means to decrypt encrypted email sent using these methods as this requires the possession of the user’s private decryption key and secret passphrase, which is known only to the user.

For email that is encrypted, and sent to a non-user, using our "Encrypted" method:

Email is sent via encrypted tunnel to our secure servers. It is then encrypted and made accessible to the recipient via encrypted hyperlink with a random and unique identifier. Upon user-selected time of expiration, the message and contents are completely purged from our systems and fully encrypted at rest using the user's private key and secret password or passphrase and, therefore, inaccessible by anyone except the user. Although email sent via this method is highly secure and always protected by encryption or residing on a secured server, it is not as secure as the "Encrypted+" method which utilizes an additional password to achieve full zero-knowledge encryption while in transit and before expiration.

Handling of your Private Key

Unlike most other encrypted email services, SecureMyEmail does not require your private key to leave your device to function. However, most users do choose to upload their private key to us for backup as well as easier management of the service, such as adding other devices. If your private key is transmitted to us, it is encrypted with your secret password or passphrase before it leaves your device and is delivered through an encrypted tunnel and stored in an encrypted state.

If you have transmitted your private key to us, you may delete it from our systems at any time using the SecureMyEmail software as well as generate a new one locally. In any event, we never have access to your secret password or passphrase so we never possess the ability to view or utilize your private key to decrypt any of your email or attachments.

Data Disclosure

We vigorously protect the privacy rights of our customers by design and by action. Although we do respond to valid legal requests, we scrutinize each and every request for compliance with both the “spirit” and letter of the law. As all SecureMyEmail systems, including our web and email servers, reside in Switzerland, we will disclose the very limited user data we possess if we receive an enforceable court order from a court of appropriate jurisdiction.

Third Parties

We do not have any third-party advertising on our website or contained within our software. We do not share your personal information with any third parties aside from the disclosures already made in this privacy policy.

Modifications to Privacy Policy

By using our services, you consent to our Privacy Policy and we reserve the right to change this policy from time to time. Any changes to this Privacy Policy will become effective when we email you about the changes or post the revised Privacy Policy on the Site. Continued use of the Service will be deemed acceptance of such changes.

Jurisdiction

Any aspects of this agreement directly related to those functions between the parties shall be governed by the Laws of the Commonwealth of Virginia. Exclusive jurisdiction and venue for such matters shall be in courts located in Fairfax County, Virginia.

GDPR Compliance

We adhere to the standards mandated by the European General Data Protection Regulation (GDPR). If you have any questions regarding this policy, or wish to request deletion of archived account data, please contact us at gdpr-officer@securemyemail.com.