Privacy policy
The changes from our previous policy include:
- Removing any reference to retired Fastmail products and services
- Simplifying the language to make this policy easier to understand
- Adding information on our lawful basis for collecting your data
- Updating information on how we undertake data analytics and profiling
- Updating our process for managing children’s Personal Information
All previous versions of our privacy policy can be found here:
Fastmail Pty Ltd (“we”, “our” or “us”), based at PO Box 234, Collins Street West, VIC 8007, Australia, ABN 31 142 646 580, is responsible for your Personal Information that you consent to provide us whilst using our services and products. The privacy of your Personal Information is your right. This privacy policy explains how we collect, use, and share your Personal Information, so please read it carefully. If you have any questions, please contact us.
Fastmail is an Australian company, Fastmail Pty Ltd (“Fastmail”). We also operate under the brand/marketing name Topicbox https://www.topicbox.com as part of our services portfolio. Our website has our contact information here.
Your information stays within Fastmail and our related companies, where we apply the same level of privacy standards regardless of location. We only share data with carefully selected service providers when it’s essential for your email service, and we maintain strict oversight of how it’s used. We provide more information on our locations and partners in this policy. You can read about where data is held on our security help page. This privacy policy explains how we collect, use, and share Personal Information in the course of our business activities, including:
- The Personal Information we collect, and when and why we use it
- How we share Personal Information within Fastmail and with our service providers, regulators and other third parties
- Explaining more about your Marketing Preferences
- Transferring Personal Information globally
- How we protect and store Personal Information
- Cookies
- Managing your Privacy rights
- How to contact us for more support
- Data transparency report
Updates
We may update this Privacy Policy from time to time to reflect changes in legal requirements, our operations, or our services. Any updates will be posted on this webpage, so we encourage you to review it periodically. If we make substantial changes, we will take reasonable steps to inform you, such as through notices on our website, pop-ups, or email, where appropriate. We are committed to handling your personal information responsibly and will always endeavour to act in your best interests when updating this policy. We will not make changes that materially reduce your rights under this policy without taking reasonable steps to bring those changes to your attention.
Third-party websites
If there is a link to any third party on any of our websites, their privacy policy applies. We are not responsible for the privacy practices of any third party.
Definitions
“Personal Information” - Personal Information is any data that can be used to identify a person, either directly or indirectly. This might include things like a name, ID number, or details about someone’s physical, mental, economic, cultural, or social identity. Even if the person or organization holding the data can’t identify the individual, the information is still considered personal if it could be linked to someone by anyone else.
“Processing” and “Process” - Processing means any action that’s done with personal data, whether it’s done by hand or automatically. This includes things like collecting, storing, organizing, using, sharing, updating, deleting, or destroying the data.
What Personal Information we collect, and when and why we use it
In this section you can find out more about:
- when we collect Personal Information;
- the different kinds of Personal Information we collect for certain services we offer;
- what lawful basis we have for Processing your personal data; and
- how we use Personal Information.
When we collect Personal Information
We collect information about you when you sign up for our services, create an account, visit our platform or websites, or use any of our features. If you represent one of our business partners or service providers, we may also collect information to help us work together effectively. The types of information we collect and how we use it depend on how you use our services.
Personal Information we collect
When you sign up for or use our services, such as Fastmail or Topicbox, we collect Personal Information such as your name, billing and contact details, organization and domain names, and technical data like your IP address and browser type. We will also keep records of your communications with us. We also collect tokenized payment information to Process transactions securely. Our help pages explain how your data is deleted if you don’t continue after a trial.
We use cookies to support this functionality. See the Cookies section of this policy and Cookies Policy for details.
How we Process your data
We Process your data to provide, secure, and improve our services. This includes storing your emails, contacts, calendar entries, and files, syncing them with your devices, and enabling features like search and contact suggestions.
To protect against spam and fraud, we analyze email traffic and may share messages you report with trusted anti-spam partners. We also log technical data (like IP addresses and client identifiers) for security, troubleshooting, and auditing.
We don’t intentionally collect special categories of personal data (e.g., health or political information), but such data may be stored if you choose to include it. You can delete this at any time.
For more details on data retention, please visit our security help page.
Information we collect if a registered user allows you to access their account
If another user grants you access to their account, or you are part of a multi-user account, we may collect your IP address and name. The account owner is responsible for managing your access and any data shared with you.
Information we collect if you are an employee or a contact at our business partner or sign up to our newsletters
If you’re a contact at a partner organization or you subscribe to our newsletters, we collect your business contact details to send you relevant communications, in line with your preferences.
If your employer provides your account, they may manage it on your behalf and access associated data, according to their policies.
What lawful basis do we have for Processing your personal data?
We Process your personal data lawfully under the following legal bases:
- Contractual necessity – When Processing your data is necessary to provide our services to you, such as creating and managing your account.
- Legitimate interests – Where we have a legitimate business interest that does not override your rights and freedoms, such as improving our services or ensuring security.
When you sign up for our services, we may Process your data under contractual necessity. Where consent is required, you can withdraw it at any time.
How do we use the Personal Information we collect from you?
We use the information we collect to:
- Provide, maintain, and improve our services;
- Personalize your experience—for example, by offering more relevant search results;
- Send notifications for things like new messages or unusual account activity;
- Contact you about updates or features, if you’ve chosen to receive such messages;
- Offer customer support, including technical help like password resets;
- Detect and prevent spam, fraud, and other abuse;
- Understand how our services are used through analytics;
- Meet legal obligations, including responding to lawful requests from authorities;
- Keep our services safe and reliable by addressing risks like fraud or technical issues.
Data analytics
We analyse anonymised usage data to improve our services and guide development. Personal Information is removed or de-identified before analysis.
Your privacy controls
You can manage your privacy settings in your account, including what information is shared and how it’s used. You can update or delete personal details, download your data, or close your account at any time.
Sharing Personal Information with others
We only share your Personal Information when necessary, and always with care:
- With trusted service providers who help us run Fastmail (e.g. hosting, support, or payment Processing). These partners are bound by contract to protect your data and comply with privacy laws.
- With your consent or request, such as when you link Fastmail to another service or share content.
- With account administrators, if your account is managed by an organization. Admins may access your account data or Personal Information as part of their management rights.
- To comply with legal requirements, including requests from law enforcement or regulators.
- To Process payments, we share account information and billing details with banks, payment providers, and tax compliance services.
- In business transfers, if we sell or restructure parts of our business.
- In anonymised form, we may share non-personal, aggregate statistics (e.g., website traffic).
We do not sell your Personal Information.
Explaining more about your marketing preferences
In this section you can find out more about:
- how we use Personal Information to keep you up to date with our products and services;
- how you can manage your marketing preferences; and
- when and how we undertake profiling and analytics.
How we use Personal Information to keep you up to date with our products and services
We may use your name and email to send you updates about our products or related services we think you’ll find useful. We only do this with your consent and always respect your communication preferences. You can change or opt out at any time.
Managing your marketing preferences
To control marketing communications:
- You can opt out of non-essential emails by deselecting the relevant option in your settings.
- You can unsubscribe at any time using the “unsubscribe” link in any marketing email.
- Alternatively, contact us and we’ll adjust your preferences to only send relevant communications.
When and how we undertake data analytics and profiling
We use automated Processing to detect and prevent fraud, spam, and suspicious activity. This includes monitoring unusual login patterns and high levels of outgoing spam. We do not use profiling for personalized content or ads.
Transferring Personal Information globally
As a global business, we may transfer your Personal Information to countries like the US, UK, Australia, India, and Austria, which may have different data protection laws. For EU/UK users, we ensure your data is protected when transferred outside the EU/UK, using safeguards like Standard Contractual Clauses (SCCs).
If we transfer data to third parties, we require them to protect your information in accordance with privacy laws. We also validate any law enforcement or regulatory requests for data before disclosing Personal Information.
For more information about the safeguards we have in place, contact us.
How we protect and store your information
Security
We take your security seriously and implement industry-standard safeguards to protect your data. These include:
- Access Controls: Only authorised personnel and service providers can access your Personal Information.
- Data Retention & Disposal: We securely delete or anonymise your data when no longer needed.
- Encryption & Secure Transmission: We use SSL encryption to protect data during transmission.
- Internal Security Protocols: Strict procedures to prevent unauthorised access or disclosure.
For more details, visit our security help page.
To help protect your account, use strong passwords, enable two-factor authentication (2FA), and be cautious of phishing attempts. If you suspect unauthorised access, contact us immediately.
How long do we store/retain your Personal Information?
We store your Personal Information for as long as needed for the purposes outlined in this Privacy Policy. Once no longer required, we securely dispose of it, unless legally required to retain it longer.
Specific retention periods include:
- IP Logs: Retained for up to one year to monitor for fraud.
- Email Address: Retained for up to six months post-account closure to prevent impersonation.
- Account Deletion Requests: Account data is deleted within seven days after closure, with a short archive period to allow for recovery.
In some cases, we may store data longer if required for legal, regulatory, or dispute resolution purposes.
Children’s data
We do not knowingly collect data from children under the age required for parental consent in your jurisdiction, as all Account Holders are required to be 18+. We will delete any Personal Information relating to children on request and provide the functionality for parents and guardians to delete information on children from their account at any time.
Cookies
Cookies are small text files stored on your device when you visit our website. They help us remember your preferences, improve site efficiency, and enhance your experience. For more details on how cookies work and how to manage them, visit our Cookies Policy.
Automated decision making & profiling
We use automated Processes for fraud detection, spam filtering, and account security. While some Processes are fully automated (like spam filtering), others involve human review, especially for decisions with significant impacts. This ensures the integrity of our services while protecting our users.
Managing your privacy rights
You have rights regarding your Personal Information, including the ability to:
- Access, correct, or request deletion of your Personal Information.
- Withdraw consent for the usage of Personal Information at any time.
- Transfer your Personal Information or object to its use for specific purposes (e.g., direct marketing).
- Restrict how we Process your Personal Information based on legitimate interests or public interest tasks.
You can exercise these rights by contacting us or using our tools. If your account is managed by an organization (like your employer), please contact them for assistance. For more details, visit our help pages.
We may ask for verification before Processing your requests, and in certain cases, we may not fulfill a request if it violates confidentiality or legal obligations.
Google API usage
We provide a way for users to migrate their data from Google onto Fastmail. When a user voluntarily connects their Google account, we comply with the Google API Services User Data Policy. Fastmail’s use and transfer to any other app of information received from Google Accounts will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Contact us
If you have any questions or concerns about this policy or how we handle your Personal Information, please reach out to our Data Protection Officer. You can contact them at dataprotection@fastmailteam.com or by mail at:
Fastmail Pty Ltd
PO Box 234
Collins St West VIC 8007
Australia
We’re here to help. If you have a complaint or want to use any of your privacy rights, we recommend getting in touch with our Data Protection Officer first. We’ll do our best to look into and resolve any issues quickly and in line with data protection laws.
To contact your data protection supervisory authority
You have the right to make a complaint to your local data protection authority. This could be where you live, work, or where you think your privacy rights were violated. If you’re in Australia, you can contact the Office of the Australian Information Commissioner at https://www.oaic.gov.au.
That said, we’d really appreciate it if you give us a chance to resolve any issues first before going to your local authority.
Data transparency report
Every year, we publish a data transparency report.