Privacy policy
Last modified: 25 May 2022
By using the proton.me website and making use of a Proton Account (the “Account”) and all its related features, including Proton Mail, Proton Contacts, Proton Calendar, and Proton Drive (the “Services”), you understand that your data in relation with your use of our Services is processed according to the following privacy policy. This policy states (i) what data we collect through your access and uses of the Services; (ii) the use we make of such data; and (iii) the safeguards put in place to protect your data. This privacy policy is to be read and understood as being a complement to our terms of service.
Please note, Proton VPN is subject to a different policy, please visit protonvpn.com/privacy-policy(new window) for additional details.
1. Legal framework
The Services are operated by Proton AG (the “Company”, “We”), domiciled at Route de la Galaise 32, 1228 Plan-les-Ouates, Geneva, Switzerland. It is therefore governed by the laws and regulations of Switzerland. Additional information about the legal framework can be found in our transparency report and on our law enforcement help page.
We are also GDPR compliant. The designated representative of the Company in the European Union (notably for the purpose of art. 27 GDPR) is Proton Europe sàrl, rue de Grünewald 94, L-1912 Luxembourg.
2. Data collection and usage
Our overriding policy is to collect as little user information (personal data included) as possible to ensure a completely private user experience when using the Services. We do not have the technical means to access the content of your encrypted emails, files, and calendar events.
Data collection is limited to the following:
2.1 Visiting our website: We employ a local installation of self-developed analytics tools. Analytics are anonymized whenever possible and stored locally (and not on the cloud). IP addresses are not retained and stored for such analytics.
2.2 Account creation: It is not necessary to provide personal information in order to create an Account, but you may provide an external email address for notification or password recovery purposes. Should you choose to provide it, we do associate this email address with your Account (for password recovery or notification purposes). Such data will only be used to contact you with important notifications about the Services, to send you information related to security, to verify your account or to send you password recovery links if you enable the option. We may also inform you about new Proton products in which you might have an interest. The legal basis for processing is consent and you are free to remove that data in your Account settings panel at any time.
In order to maintain the integrity of the Services, we must take measures to avoid creation of accounts by spammers. This is because if spammers use Proton Mail to send messages, Proton Mail’s IP addresses can become blocked by major mail providers such as Gmail, Yahoo, Outlook, etc. In order to pursue our legitimate interest of preventing the creation of accounts by spam bots or human spammers, we use a variety of human verification methods. Verification may also be requested for some sensitive operations besides account creation in order to protect against brute-force attacks. You may be asked to verify using either hCaptcha (or reCAPTCHA in the event that hCaptcha is unavailable), email, or SMS. IP addresses, email addresses, and phone numbers provided are saved temporarily in order to send you a verification code and for anti-spam purposes. The period of temporary data retention is determined by our legitimate interests of protecting the service from spam, and also by any applicable Swiss legal requirements we must comply with. If this data is saved permanently, it is always saved as a cryptographic hash, which ensures that the raw values cannot be deciphered by us. Learn more
2.3 Proton Mail Account activity: Due to limitations of the SMTP protocol, we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, message subject, and message sent and received times. We do NOT have access to encrypted message content, but unencrypted messages sent from external providers to your Account, or from Proton Mail to external unencrypted email services, are scanned for spam and viruses to pursue the legitimate interest of protecting the integrity of our Services and users. Such inbound messages are scanned for spam in memory, and then encrypted and written to disk. We do not possess the technical ability to scan the content of the messages after they have been encrypted. We also have access to the following records of Account activity: number of messages sent, amount of storage space used, total number of messages, last login time. User data is never used for advertising purposes.
2.4 Proton Calendar Account activity: The Service needs to be able to access some properties of events in order to retrieve and index them efficiently as well as send required notifications and alarms. In order to do so, we have access to the following metadata: calendar name and description, event unique identifier (UID), start and end date (including time zone), repetition rule (including exclusion dates or times), attendees’ participation status, organizer information (only when an invite is issued or received), alarms and notifications, event creation and update times and event status (confirmed or cancelled). We do NOT have access to the description of the events, their summary or title, locations, and the attendees’ email addresses.
2.5 Proton Drive Account activity: For operational purposes, the Service must have access to the following metadata unencrypted: file/folder creation and modification timestamps, file/folder permissions, file type, file/folder creator. When sharing a file or folder, we need to record which users own or can access said shared file or folder. When sharing URLs, we have access to the creation and last access time, the number of times the URL was accessed to and its creator. However, we do NOT have access to file contents, file and folder names, and thumbnail previews. Such data is end-to-end encrypted. We only store the size of the encrypted files, not the size of the original unencrypted file. In the case of a report for abuse of a shared URL by a third party, the latter has access to the password used to decrypt the file(s) and transmits it to us. We only can access the content of the file(s) in such cases.
In addition to end-to-end encryption, all content is also cryptographically signed by the user, before sending it to us. This means that you can always check the signature of any content you get back from our servers, which protects you from forgery (e.g. by a malicious actor).
2.6 Communicating with Proton: Your communications with us, such as support requests, bug reports, or feature requests may be saved by our staff. The legal basis for processing is our legitimate interest to troubleshoot more efficiently and improve the quality of our Services.
2.7 IP logging: By default, we do not keep permanent IP logs in relation with your Account. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (e.g. spamming, DDoS attacks against our infrastructure, brute force attacks). The legal basis of this processing is our legitimate interest to protect our service against nefarious activities.
If you enable authentication logging for your Account, the record of your login IP addresses is kept for as long as the feature is enabled. This feature is off by default, and all the records are deleted upon deactivation of the feature. The legal basis of this processing is consent, and you are free to opt in or opt out of that processing at any time in the security panel of your Account.
Please note, Proton VPN is subject to a different policy, please visit protonvpn.com/privacy-policy(new window) for additional details.
2.8 Payment information: We rely on third parties to process credit card, PayPal, and Bitcoin transactions and must therefore share payment information with them. Anonymous cash or Bitcoin payments and donations are accepted. The legal basis of this processing is the necessity to the execution of the contract to provide the Services.
2.9 Native applications: When you use our native applications, we (or the mobile app platform providers) may collect certain information. We may use mobile analytics software (e.g. fabric.io app statistics and crash reporting, Play Store app statistics, App Store app statistics, or self-hosted Sentry crash reporting) to send crash information to our developers in order to rapidly fix bugs. Some platforms, such as Google’s Play Store or Apple’s App Store may also collect aggregate, anonymous statistics, which may be governed by their respective privacy policies and terms and conditions. Such statistics can include most commonly used devices and operating systems (e.g. percentage of Android 6.x v. Android 7.x), total number of installs and uninstalls, and the total number of active users.
Our applications do not access or track any location-based information from your device.
2.10 Import Assistant with “Sign in with Google”: When you use our Import Assistant tool to import your data from Google and authenticate using the “Sign in with Google” option, our Import Assistant’s processing of information received from Google APIs will be performed in accordance with Google API Services User Data Policy, including the Limited Use requirements.
2.11 Import Assistant with a username and password combination: When you use our Import Assistant tool to import your emails from another service provider, the credentials of the email account from which the importation is performed are stored by us for the limited duration of the importation. Once the importation is performed, those credentials are entirely deleted from our systems.
3. Data storage
All servers used in connection with the provision of the Services are wholly owned and operated by the Company or its subsidiaries. Only employees of the Company have physical or other access to the servers. Data is always stored in encrypted format on our servers. Offline backups, which may be stored periodically, are also encrypted. We do not possess the ability to access any user encrypted content on either the production servers or in the backups.
4. Third-party networks
Proton's alternative routing technology allows Proton Services to bypass many censorship blocks, but in doing so your network traffic may go through third-party networks, which we do not control. This could enable a third party to record your IP address or see that you are using Proton apps (the same information that your Internet Service Provider is able to see). These third parties cannot see your actual data, which remains encrypted. By default, alternative routing is not used for Proton apps unless they detect that censorship measures are active on your network. Alternative routing can also be disabled in the Settings panel of our mobile and desktop applications. However, doing so may cause you to be unable to access your Account from a network that is censoring Proton. Learn more(new window)
5. Data subprocessors
To provide the Services, we rely on different data subprocessors, which process different categories of data. Processors never store data outside of the scope of their specific purpose. Notably, they do not store data in relation with the general day-to-day use of your Account and Services, which is exclusively processed by the Company. Subprocessors are as follow:
5.1 Proton Group subprocessors
ProtonLabs DOOEL Skopje
- Purpose: Process data in relation with customer support requests, or other direct communications with the company (section 2.4)
- Data processing location: Macedonia
ProtonLabs Taiwan Co., Ltd
- Purpose: Process data in relation with customer support requests, or other direct communications with the company (section 2.4)
- Data processing location: Taiwan (R.O.C.)
5.2 Third-party subprocessors
Zendesk, Inc.
- Purpose: Provide services in relation with the processing of customer support data (section 2.4)
- Data processing location: United States
Stripe, Inc.
- Purpose: Provide services in relation with the processing of payment data (section 2.6)
- Data processing location: United States
PayPal group
- Purpose: Provide services in relation with the processing of payment data (section 2.6)
- Data processing location: United States, Singapore
6. Data disclosure
We will only disclose the limited user data we possess if we are legally obligated to do so by a binding request coming from the competent Swiss authorities. We may comply with electronically delivered notices only when they are delivered in full compliance with the requirements of Swiss law. Proton’s general policy is to challenge requests whenever possible and where there are doubts as to the validity of the request or if there is a public interest in doing so. In such situations, we will not comply with the request until all legal or other remedies have been exhausted. Under Swiss law, subjects of judicial procedures have to be notified of such procedures, although such notification has to come from the authorities and not from the Company. Under no circumstances can Proton decrypt encrypted message content and disclose decrypted copies. Aggregate statistics about data requests from the competent Swiss authorities can be found in our transparency report.
7. Right to access, rectification, erasure, portability, and right to lodge a complaint
Through your Account interface, you can directly access, edit, delete, or export personal data processed by the Company in your use of the Services.
If your Account has been suspended for a breach of our terms and conditions, and you would like to exercise the rights related to your personal data, you can make a request to our support team.
In case of violation of your rights, you have the right to lodge a complaint to the competent supervisory authority.
8. Modifications to privacy policy
We reserve the right to periodically review and change this policy from time to time and will notify users who have enabled the notification preference about changes to our privacy policy. Continued use of the Services will be deemed acceptance of such changes.