Our company is based in BVI however all our client-data is under our subsidiary in Switzerland, On the data front, so we operate solely under the laws and regulations of the Swiss Confederation.
Under Swiss law, the technical means for lawful interceptions of customer communications is governed by the Swiss Federal Act on the Surveillance of Postal and Telecommunications Traffic (SPTT) last amended in the year of 2012. In the SPTT, the obligation to provide the technical means for lawful interception is imposed only on Internet access providers so Invmail, as a mere Internet application provider is entirely exempt from the SPTT’s scope of application. Thus, due to our entirely Swiss domicile on the client-data front, Invmail is not required to, and cannot be compelled, to build in the technical means to intercept client communications.
Any emails provided to Invmail through enabling the notification email setting in your account are considered privileged information under the protection of the Swiss Federal Data Protection Act (DPA). Your email will never be sold or shared with any third parties.
Furthermore, if you disable notifications on your account, your email is permanently removed from our system.
Your email address will only be used to contact you with news and updates regarding Invmail beta, and to send you an invitation link when your Invmail account can be created.
Our company’s policy is to collect as little user information as possible to ensure a completely private and anonymous user experience recognised as Zero-Knowledge Policy.
Invmail’s client data collection is limited to the following:
Visiting our website: We employ a localised installation of Piwik Analytics on the exterior landing site only. Piwick Analytics is not employed on any of the internal pages.
Account creation: We do not require ANY personal information to create an account. Should you choose to provide it, we do not associate any other email address with your account.
Account activity: Due to limitations of the SMTP protocol, we have access to the following email metadata: sender and recipient email addresses, the ip address incoming messages originated from (Invmail has all emails routed through it's own IP, other companies may follow this but we say as standard the sender IP just for this), and message sent and received times. We do NOT have access to encrypted message content or meta data where encrypted. We also have access to the following records of overall server activity (not individualised): number of messages sent, amount of storage space used, total number of messages.
Communicating with Invmail: Your communications with Invmail, such as sales and support requests, bug reports, or feature requests are retained and may be saved by our staff.
Invmail does not employ or have any agreements in-place with any marketing organisations on any of our applications. Further more we also do not have any technical means to access your encrypted accounts or communications data. Any data that we do have will never be shared except under the circumstances described below in Data Disclosure. We do NOT do any analysis on the limited email data we do possess with two exceptions:
Emails sent unencrypted to Invmail accounts (e.g. Hotmail to Invmail) are scanned automatically for spam so we can block IPs which are sending a mass amounts of spam to Invmail users and place spam messages in a spam directory. We do not possess the technical ability to scan encrypted messages.
Emails sent by Invmail users to outside (e.g. Hotmail) users with encryption disabled are scanned automatically for spam. This is to ensure a Invmail account which is being used for spamming purposes can be automatically locked.
All Invmail client-data servers are located within Switzerland and wholly owned and operated by Invmail. Only employees of Invmail have physical or other access to Invmail servers.
Data is ALWAYS stored in encrypted format on our servers. Offsite backups are taken daily and are at an additional secure location within Switzerland, these further more are also fully encrypted. Invmail does not possess the ability to access any user encrypted message content on either the live servers or in the backups further more as the accounts are truly zero-knowledge set up, we only see blocks of encrypted data with no-telling who owns what.
When a Invmail account is closed, data is immediately deleted. Data may be retained for up to 24 hours in our backups. Accounts that are inactive for over 1 month may be automatically deleted. Active accounts will have data retained indefinitely. Deleted emails are instantly burned-then-deleted, although they may be retained in our backups for up to 24 hours.
Invmail will only disclose the limited user data we possess if we receive an enforceable court order from either the Cantonal Courts of Bern or the Swiss Federal Supreme Court. If a request is made for encrypted message content that Invmail does not possess the ability to decrypt, the fully encrypted server account may be turned over (to us it all just looks like random blocks of data as we can not narrow down who owns what, and each is encrypted client side using their key that we do not have access too, a big box of useless data will be supplied). If permitted by law, Invmail will always contact a user first before any data disclosure.
All payment transactions are processed by third parties and Invmail does not retain any customer payment information but we do store data on which account was paid for by a particular transaction. For bitcoin payments, the only information Invmail retains is the account username to which the payment was applied.
Due to the nature of our client-data storage and legal set up around this, this agreement shall be governed in all respects by the laws of the Swiss Confederation. All actions commenced pursuant hereto shall be brought in a court of competent jurisdiction residing in the Republic and Canton of Bern.