Last updated: March 1, 2026 · Version 3.0
The short version: We collect the minimum information needed to run an email service. We don't sell, share, rent, or monetize your data. We don't track you on this website. We don't show ads anywhere. We're a Canadian company subject to PIPEDA; we honor GDPR rights worldwide because we think they're good rights.
Contents
1. Who we are
"Mailcedar" refers to Mailcedar Mail Ltd., incorporated in British Columbia, Canada. Our registered office is 214 – 470 Granville Street, Vancouver, BC V6C 1V5. Our privacy contact is privacy@mailcedar.com.
2. Data we collect
Categories of data we hold about you:
| Category | Examples |
|---|---|
| Account identity | Your address (username@mailcedar.com), your display name, your recovery email if you provided one |
| Authentication data | Argon2id hash of your password, public keys of registered passkeys, TOTP shared secret (encrypted) |
| Sign-in metadata | IP addresses and timestamps of recent sign-ins (kept 7 days) |
| Billing data | If you pay us: your name, billing address, last 4 digits of card, payment provider transaction IDs. Full card data is held by Stripe, never by us. |
| Support correspondence | Mail you send to support@mailcedar.com and our replies |
| Service operations data | Mailbox quota usage, anti-abuse counters, error logs scrubbed of message contents |
3. Why we collect each thing
We are explicit about the lawful basis under PIPEDA and GDPR for each category:
- Account identity and authentication: contractual necessity — we can't run your inbox without this.
- Sign-in metadata: legitimate interest in detecting unauthorized access to your account and contractual necessity to provide the Service securely.
- Billing data: contractual necessity if you've chosen a paid plan; legal obligation to keep transaction records for tax purposes.
- Support correspondence: legitimate interest in helping you and improving our service.
- Service operations data: legitimate interest in running the Service securely and abuse-free.
4. What about my actual email?
Your mail content is your data, not ours. We hold it in encrypted form so we can deliver and retrieve it on your behalf. We do not:
- Scan, index, or analyze the body of your mail for advertising.
- Use your mail to train AI models, ours or anyone else's.
- Aggregate it with other users' data to produce demographic or behavioral profiles.
- Make it available to any third party except as required by law (see §10).
- Read it for any purpose other than the technical operation of the Service.
For exactly which parts of email we can technically see, regardless of intent, please read our Security page — we are unusually candid about this.
5. How long we keep things
| Data | Retention |
|---|---|
| Mailbox contents | For as long as your account is open. Encrypted backups for 60 days beyond change events. |
| Sign-in metadata | 7 days |
| Support correspondence | 3 years from the last interaction, then permanent deletion |
| Billing records | 7 years (Canadian tax law) |
| Closed-account data | 30 days to deletion of live data; another 60 days for backups to age out |
| Anti-abuse counters | Rolling 30 days |
6. Sharing & subprocessors
We share personal data only with the small set of subprocessors needed to run the Service. We sign data-processing agreements with each.
| Subprocessor | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Name, billing address, payment details | Ireland (EU customers), US (Canadian/US customers) |
| iWeb | Data centre / colocation | None (physical hardware only) | Montréal, QC, Canada |
| Cloudflare | DDoS protection, marketing site CDN | IP addresses of website visitors only — not mail traffic | Global; user-facing data centre is the nearest one to the visitor |
| Postmark | Transactional system mail (password reset, invoices) | Email address, message contents we generate | US |
We never sell or rent personal data to anyone for any purpose.
7. Cookies & tracking
This marketing website (mailcedar.com) uses no third-party trackers. We have a single first-party cookie that remembers whether you've dismissed the privacy notice. We don't use Google Analytics, Facebook Pixel, or any equivalent.
The webmail application uses essential cookies for session management. Full details in our Cookie Policy.
8. Your rights
Regardless of where you live, you can:
- Access the personal data we hold about you. Settings → Account → Download my data.
- Export your mail in standard mbox format. Settings → Account → Export.
- Correct any inaccurate data. Edit it in Settings, or email us.
- Delete your account and all associated data. Settings → Account → Close.
- Object to processing. Email privacy@mailcedar.com; we'll work out a solution or close your account.
- Lodge a complaint with a privacy regulator. In Canada, that's the Office of the Privacy Commissioner of Canada. In the EU/UK, it's your local data protection authority.
We respond to all rights requests within 30 days, usually within 7.
9. International transfers
Our infrastructure is in Canada. If you're in the EU, EEA, or UK and use Mailcedar, your data will be transferred to Canada. Canada has been recognized by the European Commission as providing adequate protection (Commission Decision 2002/2/EC) for the personal data being transferred.
Where transfers happen to our subprocessors outside Canada (notably Stripe and Postmark in the US), we rely on Standard Contractual Clauses approved by the European Commission.
10. Government requests
We disclose data to law enforcement only when required by valid Canadian legal process. We notify you of any request as soon as we are legally permitted to. Our practice and current status are documented in detail on the Security page and in our semi-annual transparency report.
11. Changes to this policy
If we change anything material, we email all account holders at least 30 days before the change takes effect. Non-material wording fixes go in without notice. The version history is at the top of this page.
12. How to reach our privacy team
Email privacy@mailcedar.com. A real person answers. Our designated Privacy Officer is Maya Kovach.
If you need a written response (e.g. for a DSAR), include "Privacy request" in your subject line.