Privacy Policy

This privacy policy came into effect on May 4th, 2022.

The only change from our previous policy is the removal of Fathom analytics.

All previous versions of our privacy policy can be found here.


Fastmail Pty Ltd (“we”“our” or “us”) based at PO Box 234, Collins Street West, VIC 8007, Australia, ABN 31 142 646 580 is responsible for your personal information (Personal Information) and we take our data protection and privacy responsibilities seriously.

The privacy of your Personal Information is your right. We want to make our policies on managing your data clear and understandable, so we’ve tried to write our privacy policy in plain English.

Each section of this policy is labelled to make it easy for you to navigate — please click on a topic in the list below to find out more. This privacy policy explains how we collect, use and share your personal information so please read it carefully. If you have any questions, please contact us.

Important information about Fastmail:

Fastmail is an Australian company, Fastmail Pty Ltd (“Fastmail”). We also operate under the brand/marketing names: Pobox (Lifetime Email) https://www.pobox.com, Listbox https://www.listbox.com, and Topicbox https://www.topicbox.com as part of our services portfolio.

Our website has our contact information: https://www.fastmail.com/about/company.html.

You should be aware that your information may be held in databases which can be accessed by other Fastmail companies and their partners or service providers worldwide. We employ people through different Fastmail companies and partners, depending on where they live and those Fastmail companies and partners provide service, at the same level of quality and with the same policies throughout the world. We provide more information on our worldwide service locations and partners in this policy.

You can read about where data is held on our security help page.

This privacy policy explains how we collect, use and share personal information in the course of our business activities, including:

 

Updates

We may review or update this privacy policy from time to time to keep it up to date with legal requirements and the way we operate our business. We will place any updates on this webpage, so please regularly check for updates. If we make fundamental changes to this privacy policy, we may take additional steps to notify you including by posting on our website(s), through pop-up notices or via email. We will not reduce your rights under this Privacy Policy without your explicit consent.

 

Third-party websites

If there is a link to any third party on any of our websites, their privacy policy applies. We are not responsible for the privacy practices of any third party.


 

What personal information we collect, and when and why we use it

In this section you can find out more about:

You can use our services in a variety of ways to manage your privacy when you sign up for a Fastmail account, for example if you want to create and manage content like emails and photos, or see more relevant search results. You can adjust your privacy settings to control what we collect and how your information is used.

 

When we collect information

We collect information about you if you register to use our services, create an account with us, visit our platform or one of our websites, or use one of our services. We also collect information about you where you are an individual representative of one of our business partners or providers with whom we engage in offering and providing our services.

The information we collect, and how that information is used, depends on how you use our services and how you manage your privacy controls in your account.

Personal information we collect and use if you register to use, or use, one of our websites or services (including for trial purposes)

If you register to use, or use, one of our websites or services including Fastmail https://www.fastmail.com, Pobox (Lifetime Email) https://www.pobox.com, Listbox https://www.listbox.com or Topicbox https://www.topicbox.com, personal information that may be collected directly from you includes name, billing address, mobile phone number, organisation name, your own domain name, IP address, browser user-agent and billing details (credit card, or PayPal account). We also collect some of this information if you are using our services on a trial basis. Our help page on each service explains how your information is deleted if you decide not to proceed.

We may also collect personal information such as IP address, device information and log information by using cookies. Please see Cookies for more information on this and our Cookies Policy.

We process mail sent and received from your account to block spam and fraud. We receive information from third party services to assist us in identifying spam. If you report a message to us, either through the service or via customer support, as spam or not spam, we may share that message with the third party service that flagged it to improve the accuracy of future filtering. See further below on your rights when we disclose your information to our third party service providers.

We also store information from your address book, calendar, notes and files on our servers until you delete them (for more information on data retention see our security help page). We will also share this information with your devices and external accounts where you have authorised us to do so.

We also collect the email content you create, upload, or receive from others when using our services. We use this information to deliver our services, like processing the terms you search for in order to return results or helping you add addresses to messages by suggesting recipients from your contacts.

Each time you connect to our service, we log your IP address, your client identifier (browser or mail client information) and your username. If you send mail, we also log the email address you’re using to send mail and the email address you’re sending to. If you take action on mail in your mailbox, we also log the activities taken. This is necessary for providing proof of delivery and fraud analysis. For example, we need this information for detecting deliverability issues if there are failures sending email that we either detect through monitoring or when you ask if email you are sending/receiving is working properly. We also need your IP address and username to help you validate if someone else has gained access to your account to send spam or for other fraudulent purposes.

Information we collect if a registered user allows you to access their account

In a multi-user account, if you are permitted to access and use a user account on any of our services by the registered user directly, we may collect the following information about you: IP address and name.

The registered account holder is responsible for your access and use if they provide you with access to and use of an account and the Personal Information residing in that account.

Information we collect if you are an employee or a contact at our business partner or sign up to our newsletters

If you are an employee or a contact at one of our business partners (including customers and suppliers), or sign up to one of our newsletters, we may collect your business contact details (including name, work address, work email, work telephone numbers, job title) for the purposes of issuing communications to you under the terms of this privacy policy and in accordance with your marketing and communications’ stated preferences.

We collect this information regardless of whether you use the Fastmail, Topicbox, Listbox or Pobox services that we provide.

If you are an individual user who is assigned an account on our website/platform by your company, your account is likely to be managed by an administrator. Alternative and/or additional terms may apply as determined by your company’s privacy and other related policies, and your administrator may be able to access or disable your account.

 

How do we use the personal information we collect from you?

We use this information to:

  • provide you with our services and to maintain, manage and improve our services;
  • help our services deliver more useful, customised content such as more accurate search results;
  • send you notifications when you receive new mail or events; we may also send you a notification if we detect suspicious activity, like an attempt to sign in to your account from an unusual location;
  • at your option, contact you to let you know about updates to our services or information we feel may be of interest to you (see more information at Direct Marketing);
  • provide you with customer support including technical support and troubleshooting (for example, to reset your password);
  • protect you and conduct security investigations and fraud and abuse analysis (including to help us flag spam mail);
  • conduct analytics and measurement to understand how our services are used;
  • comply with our legal obligations, for example when assisting governments and law enforcement agencies or regulators (as may be required by law);
  • improve the safety and reliability of our services. This includes detecting, preventing, and responding to fraud, abuse, security risks, and technical issues that could harm Fastmail, you, our users, or the general public.

 

Data analytics

We routinely analyse information to help improve the way we run our business, to provide a better service and to enhance the accuracy of our products and services. We use usage information for data analytics, particularly to understand how our services are used, but this information is not personal information as it is. We anonymise data fields before allowing information to be available for analysis.

 

Your privacy controls

You have and can manage your choices regarding the information we collect and how it’s used. You have an opportunity to review and adjust privacy settings in your account. Some of our products offer specific privacy settings. For example, you can manage your contact information, such as your name, email address, and phone number. You can also delete certain information, or your entire Fastmail account should you wish to do so. You can download and export a copy of all of your data and content in your Fastmail account if you want to back it up or use it with a service outside of Fastmail.

 

Sharing personal information with others

In this section you can find out more about how we share personal information:

  • within Fastmail;
  • with third parties that help us provide our products and services; and
  • with government organisations and agencies, law enforcement and regulators.

We may share your personal information in the manner and for the purposes described below:

  • with third parties who help manage our business and deliver services. These include service providers who help manage our systems. Some of these providers use “cloud based” IT applications or systems, which means that your Personal Information will be hosted on their servers, but under our control and direction. We require all our service providers and third parties to respect the confidentiality and security of Personal Information and our contracts with them generally include obligations for them to comply with applicable privacy laws and to use any personal information we share with them solely for the purpose of providing services to us.
  • with your consent or as necessary to complete any transaction or provide any product which you have requested or authorised — for example when sending emails to a friend, sharing photos or documents on shared drives, or linking accounts with another service from Fastmail. Or where you direct us to share your personal information with a third-party service provider in order to integrate our services with a service that they may provide, for example with a third-party calendar provider, mail provider or cloud file storage provider. Again, we require all our service providers and third parties to respect the confidentiality and security of Personal Information and our contracts with them generally include obligations for them to comply with applicable privacy laws and to use any personal information we share with them solely for the purpose of providing services to us. Any personal information which is provided directly by you and received by a third party directly may be stored and will be used by them according to their privacy policy;
  • with account administrators — if you work for or are part of an organisation that uses Fastmail services, your account administrators and/or resellers who manage your account will have access to your Fastmail account. They may be able to:
    • access and retain information and your email stored in your account;
    • view statistics regarding your account;
    • change your account password
    • suspend or terminate your account access
    • receive your account information in order to satisfy applicable law, regulation, legal process, or enforceable governmental request
    • restrict your ability to delete or edit your information or your privacy settings

Your use of Fastmail products and services is subject to your organisation’s policies, if any. You should direct your privacy inquiries, including any requests to exercise your data protection rights, to your organisation’s account administrator.

  • with government organisations and agencies, law enforcement, regulators to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies;
  • with banks and payment providers to authorise and complete payments, though we only maintain a record of your email address (for PayPal), or the last four digits of your credit card and expiry date (for credit card);
  • if, in the future, we sell or transfer some or all of our business or assets to a third party, we may disclose information to a potential or actual third party purchaser of our business or assets; and
  • we may share in aggregate, statistical form, nonpersonal information regarding the visitors to our website, traffic patterns, and website usage with our partners and affiliates.

 

Explaining more about your marketing preferences

In this section you can find out more about:

 

How we use personal information to keep you up to date with our products and services

We may use your name and email address to send direct marketing communications to you and let you know more about our services or related services that we believe will be of interest to you. We may contact you by email, or through other communication channels that we think you may find helpful. In all cases, we will respect your preferences for how you would like us to manage marketing activity with you.

 

How you can manage your marketing preferences

To protect your privacy rights and to ensure you have control over how we manage marketing with you:

  • users of the Fastmail, Listbox and Pobox services can opt out of any non-essential communication by de-selecting the relevant checkbox in the settings page in the web interface;
  • even after opting in, you can ask us to stop sending email marketing by following the “unsubscribe” or opt-out links in electronic communications. Alternatively you can contact us; and
  • we will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you

 

When and how we undertake data analytics and profiling

We use Matomo, a web analysis service of InnoCraft Inc. (“Matomo”). Matomo uses cookies to monitor traffic to, and use of our marketing websites only. There is no Matomo tracking once you are logged in. Information about the use of our website generated by these cookies is generally transferred to a Matomo server in the USA and stored there. Matomo uses this information on our behalf to evaluate usage of our website, and to compile reports on activities. All personal information, including IP addresses, are anonymised by them. Matomo respects Do Not Track browser flags; you may opt out of tracking by setting your browser to Do Not Track.

We may use profiling or other forms of automated processing to assess if your account may be fraudulent, a spam account or suspect in any way. We may also use profiling to lock fraudulent or suspect accounts, including any “stolen accounts”. Our monitoring systems detect high levels of outgoing spam, or unusual login patterns which a staff member then reviews to determine appropriate action.

We do not profile you to customise services for you, provide personalised content or show you personalised advertisements based on your individual interests, preferences, or related activities.

 

Transferring personal information globally

In this section you can find out more about:

  • how we operate as a global business and transfer data internationally; and
  • the arrangements we have in place to protect your personal information if we transfer it overseas.

Your personal information may be disclosed, transferred to or processed outside of your country of residence. This includes to Australia, the United States of America, India, and the Netherlands, where it will be subject to the laws of the country to which it is transferred. These jurisdictions may not have an equivalent level of data protection laws as those in your country.

For EU/UK individuals — if you are an individual based in or a resident of the European Union or the United Kingdom, your personal information may be processed outside of the European Union, in countries such as the United States of America, Australia, India, that are subject to different standards of data protection.

We will take appropriate steps to ensure that transfers of personal information are in accordance with applicable law and carefully managed to protect your privacy rights and interests and transfers are limited to countries which are recognised as providing an adequate level of legal protection or where we can be satisfied that alternative arrangement are in place to protect your privacy rights. To this end:

  • where we transfer your personal information outside of Fastmail or to third parties who help provide our services, we obtain contractual commitments from those third parties to protect your personal information. Some of these assurances are well-recognised certification schemes like the EU US Privacy Shield for the protection of personal information transferred from within the EU to the United States and/or the use of EU approached Standard Contractual Clauses (“EU Model Clauses”) for controller to controller and /or controller to processor transfers from the EU/UK to jurisdictions, such as Australia who do not have an adequacy finding from the EU Commission; or
  • where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal information is disclosed.

You have a right to contact us for more information about the safeguards we have put in place (including a copy of relevant contractual commitments) to ensure the adequate protection of your personal information when this is transferred as mentioned above.

 

How we protect and store your information

Security

We store most of your personal information electronically. We implement and maintain appropriate technical and organisational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, misuse or interference or the unauthorised disclosure, access or modification to such information appropriate to the nature of the information concerned.

The security of your information is paramount and a critical consideration for Fastmail in the provision of its services to you. Please see further information on the security measures we engage on our websites and platform and when you use any of our services.

We work hard to protect you and Fastmail from unauthorised access, alteration, disclosure, or destruction of information we hold. Measures we take include:

  • placing confidentiality requirements and restricted access protocols on our staff members and service providers who need access to your information in order to process it to provide our services to you;
  • destroying your personal information if it is no longer needed to provide you with our service;
  • destroying logging or other transactional information that may incidentally contain personal information in accordance with our schedules to clear such information;
  • following strict security procedures in the access, storage and disclosure of your personal information to prevent unauthorised access to it; and
  • using secure communication transmission software (known as “secure sockets layer” or “SSL”) that encrypts all information you input on our website before it is sent to us. SSL is an industry standard encryption protocol and this ensure that the information is reasonably protected against unauthorised interception.

As the security of information depends in part on the security of the computer and/or device you use to communicate with us and the security you use to protect your user IDs and passwords, please take appropriate measures to protect this information.

How long do we store/retain your personal information

We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this privacy policy. Where your information is no longer needed, we will ensure that it is disposed of in a secure manner.

In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, accounting requirements. Where we log information related to your IP address, we retain this information for approximately 90 days. This is for the purposes of fraud watch, as often users don’t check in with us in a timely fashion over whether their account is compromised. Being able to look at some amount of recent history and know what activity was taken by a legitimate user vs a malicious one is useful.

We proscribe your primary email address, if it’s at one of our domains, for up to 6 six months after your account is closed, to reduce the risk of impersonation, should someone try to use the same email address as you in order to impersonate you.

Where you request that we delete your account from our system, we will immediately lock the account and archive the information, then delete it from our severs within approximately 7 days from the date of your request. This archive window allows you to recover your information in the event of an accident or malicious deletion request.

However, in specific limited circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.

Children’s data

When a Fastmail product collects age, and there is an age in your jurisdiction under which parental consent or authorisation is required to use the product, the product will either block users under that age or will ask them to provide consent or authorisation from a parent or guardian before they can use it. We will not knowingly ask children under that age to provide more data than is necessary to provide the product.

 

Cookies

A cookie is a text file containing small amounts of information which is downloaded to/stored on your computer (or other internet enabled devices, such as a smartphone or tablet) when you visit a website.

Cookies may collect personal information about you. Cookies help us remember information about your visit to our website, like your username, country, language and other settings. Cookies allow us to understand who has seen which webpages, to determine how frequently particular pages are visited and to determine the most popular areas of our website. They can also help us to operate our website more efficiently and make your next visit easier. Cookies can allow us to do various other things, as explained further in our Cookie Policy.

For more information about how our cookies work and information about how to manage your cookie settings please visit our Cookie Policy

 

Your rights available to help manage your privacy

You have a number of rights in relation to your personal information.

You may access or request correction of the personal information that we hold about you by contacting us. There are some circumstances in which we are not required to give you access to your personal information.

There is no charge for requesting access to your personal information but we may require you to meet our reasonable costs in providing you with access (such as photocopying costs or costs for time spent on collating large amounts of material).

We will respond to your requests to access or correct personal information in a reasonable time and will take all reasonable steps to ensure that the personal information we hold about you remains accurate, up-to-date and complete.

You can access and control your Personal Information that Fastmail has obtained with tools Fastmail provides to you, described below, or by contacting Fastmail.

For example:

  • if Fastmail obtained your consent to use your personal information, you can withdraw that consent at any time;
  • you can request access to, erasure of and updates to your personal information; and
  • if you’d like to port your data elsewhere you can use tools Fastmail provides to do so, or if none are available you can contact Fastmail for assistance.

You can also object to or restrict Fastmail’s use of your personal information. For example, you can object at any time to our use of your personal information:

  • for direct marketing purposes; or
  • where we are performing a task in the public interest or pursuing our legitimate interests or those of a third party.

You may have these rights under applicable laws, including the EU General Data Protection Regulation (GDPR), but we offer them regardless of your location.

If your organisation, such as your employer or service provider, provides you access to and is administering your use of Fastmail products, contact your organisation to learn more about how to access and control your Personal Information.

You can access and control your Personal Information that Fastmail has obtained, and exercise your data protection rights, using various tools we provide. The tools most useful to you will depend on our interactions with you and your use of our products. Please use our help pages first to learn about the tools available to you, but you are able to contact us to exercise your rights.

We may ask you for additional information to confirm your identity and for security purposes, in particular before disclosing personal information to you.

We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

 

Google API usage

We provide a way for users to migrate their data from Google onto Fastmail. When a user voluntarily connects their Google account, we comply with the Google API Services User Data Policy. Fastmail’s use and transfer to any other app of information received from Google Accounts will adhere to Google API Services User Data Policy, including the Limited Use requirements.

 

Contact us

The primary point of contact for all issues arising from this Policy is our Data Protection Officer. They can be contacted in the following ways:

dataprotection@fastmailteam.com

Fastmail Pty Ltd
PO Box 234
Collins St West
VIC 8007
Australia

If you have any questions, concerns or complaints regarding our compliance with this privacy notice, the information we hold about you or if you wish to exercise your rights, we encourage you to first contact our Data Protection Officer. We will investigate and attempt to resolve complaints and disputes and make every reasonable effort to honour your wish to exercise your rights as quickly as possible and in any event, within the timescales provided by applicable data protection laws.

To contact your data protection supervisory authority

You have a right to lodge a complaint with your local data protection supervisory authority (i.e. your place of habitual residence, place or work or place of alleged infringement).

If you are located in Australia, you can contact the Office of the Australian Information Commissioner at https://www.oaic.gov.au/.

We would however ask that you please attempt to resolve any issues with us before raising with your local supervisory authority.

Glossary: definitions

Defined Term Definition
Personal Information Any information capable of identifying a natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their his or her physical, physiological, mental, economic, cultural or social identity. Information is considered personal when it enables anyone to link information to a specific person, even if the person or entity holding that data cannot make that link.
Processing and “process” Any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, including, but not limited to collection, recording, organisation, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction.