PrivoMail - About

Welcome to the about page! Here you can find who we are, how our aliasing system works, what we use in the backend, what data we have to collect from our users and more.

Who are we?

When entrusting your online privacy to a third party, you of course want to know who you're dealing with. Well, in the spirit of transparency, I will expose my own privacy in the hope that it will instill trust in our platform!

PrivoMail is a service created by me, Roel Huizing. I am a Dutch national currently working in the IT industry in the Netherlands as a senior digital forensic investigator and eDiscovery consultant at a Big 4 company. I have been passionate about reclaiming some of my online privacy for years now. I have dumped Windows where I can and replaced it with Linux, I run my own mail server and I have de-Googled my phone, all in the name of reclaiming online privacy where possible.

My passion for privacy started some time after the Snowden leaks, which showed the world that anything and everything happening on the internet was being captured and analyzed by large agencies like the CIA and the FBI, among others. Now, you might think: "What do you have to be afraid of? You're not interesting enough for them!" And you might be right. I am not interesting enough NOW. But all of that can change. Imagine a new government takes control and criminalizes your previously uncontroversial political opinions. Suddenly, you are interesting!

If you yourself are not that paranoid, you might still feel uncomfortable with the idea that all of the personal information you give to any odd website (like Google, Facebook, X, etc.) may be sold to the highest bidder for "advertising" purposes. Not to mention that large companies like Google, Meta, Microsoft and Apple are all intelligence partners of the CIA, FBI and others, according to various leaks published by WikiLeaks.

I believe that personal information should remain just that, personal. And I would like to empower users of PrivoMail to take back some of their online privacy.

Privacy

We at PrivoMail pride ourselves on providing privacy without compromise. We believe in knowing as little as possible about our users, so that even when we are faced with cyber attacks or government oversight, we expose as little of our users' information as possible.

Frontend

The frontend is as simple as it gets. The backend server serves the client plain old HTML, CSS and JavaScript; the JavaScript is only used to make the website functional, not for any type of tracking.

Frontend - Cookies

Cookies are an integral part of the web as we know it. Without cookies, you would not be able to stay logged in to any website, and your shopping cart on e-commerce websites would vanish the moment you navigated to another page. However, cookies can also be used for privacy-invading purposes such as tracking users across websites.

At PrivoMail, we use cookies solely the way they are meant to be used: for login persistence. PrivoMail makes no use of any sort of tracking cookie whatsoever. We do warn users that our payment processor, Stripe, does use these kinds of trackers, so make sure to use a privacy browser like Brave or install an ad/tracker blocker such as uBlock Origin in your current browser.

Backend

The following sections cover the systems in place on the server side that you interact with, directly or indirectly, when using PrivoMail.

Backend - Hosting

Our servers are currently hosted by Contabo, a server hosting company based in Germany that has been in business since 2003. We have personally used Contabo hosting for various other personal projects and have not been let down by them. Since Contabo, and our servers hosted with them, are based in Germany, stringent privacy laws such as the GDPR and other local privacy laws apply.

Backend - Mail server

PrivoMail uses the Postfix mail server, which has a feature called virtual aliases. A virtual alias immediately forwards an email to a specific forwarding address.

When forwarding via virtual aliases, the email never touches disk: it is kept in memory only for a short period, long enough to forward it to its rightful destination, after which it is discarded from server memory.

Backend - Webserver

The webserver we use to serve the pages on this website and to handle backend operations is Node.js. We chose Node.js as our webserver and overall backend platform since we had the most experience with it and since it lets us set up API endpoints with ease.

The entire backend, from serving this webpage to registration, logging in, creating aliases and more, is programmed from scratch without relying on external, privacy-invading systems such as OAuth. The only system we have implemented that may impact your privacy is payment via Stripe.

We then use Nginx as a reverse proxy to forward any requests coming to the website from the outside to our Node.js code running on the server. Nginx is a widely used, open-source webserver and proxy that ensures high performance.

Backend - Payment processing

As mentioned before, we currently use Stripe to process payments. The upside of using Stripe is the ease of implementation and having all of our bookkeeping in one place where we can easily export records in order to comply with local taxes. The downside of using Stripe, however, is a potential impact on our users' privacy.

Currently, we only supply Stripe with the email address the user uses to log in to PrivoMail. We are in the process of creating an option for a user to use their first alias as the email address that is sent to Stripe. In that case, Stripe will not know any personal information about a user besides their IP address.

We are planning to support payments with two cryptocurrencies: Bitcoin and Monero. Once cryptocurrency payments are supported, we recommend that users pay with Monero to increase their level of privacy.

Backend - Database server

For our persistent storage of data, we use MariaDB. MariaDB is a relational database that stores the following information:

  1. User account information, including email, password hash and subscription status
  2. Email aliases, including forwarding addresses and activation status
  3. Logs relating to errors and warnings happening on various systems

We try to keep as little user information in our databases as possible.

The data in the database is regularly backed up in case of any catastrophic event such as a cyber attack.

Backend - Logging

Logging is a double-edged sword. Logging is important for knowing when something is wrong with the various systems and for seeing when a potential cyber attack is ongoing. However, logging can impact user privacy. Therefore, we log the minimum amount of personal information possible. For instance, we do not log the IP addresses of our users. We do, however, log an IP address when a security system is tripped, such as our rate limiter. Besides that, we also log the user's email address or database ID when an error occurs, for troubleshooting purposes.

We do NOT log successful user logins or other successful operations. Furthermore, we only keep logs for 30 days in our database.
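The logging policy above, worked through as an added Node.js example (not PrivoMail's own code): a fixed-window rate limiter that records a client IP only at the moment the limit trips, an error logger keyed on the user's database ID, and a retention sweep that drops entries older than 30 days. The limit, window, in-memory store and sample values are constructed for the example.

```javascript
// Added example, not PrivoMail's own code. Demonstrates logging only what the
// policy allows: no record of successful requests, an IP only when the rate
// limiter fires, a database ID (not an IP) on errors, 30-day retention.

const RETENTION_MS = 30 * 24 * 60 * 60 * 1000; // the 30-day retention window

// Minimal in-memory log store standing in for the logs table in MariaDB.
function createLogStore() {
  const entries = [];
  return {
    record(level, event, fields, at = Date.now()) {
      entries.push({ at, level, event, ...fields });
    },
    // Retention sweep: keep only entries younger than RETENTION_MS.
    prune(now = Date.now()) {
      const keep = entries.filter((e) => now - e.at < RETENTION_MS);
      entries.splice(0, entries.length, ...keep);
      return entries.length;
    },
    entries,
  };
}

// Fixed-window limiter. Per-IP counters live only in memory for the window;
// nothing about a client is written unless the limit is exceeded.
function createRateLimiter(store, { limit, windowMs }) {
  const hits = new Map(); // ip -> { count, windowStart }
  return function allow(ip, now = Date.now()) {
    let h = hits.get(ip);
    if (!h || now - h.windowStart >= windowMs) {
      h = { count: 0, windowStart: now };
      hits.set(ip, h);
    }
    h.count += 1;
    if (h.count > limit) {
      // The only place an IP reaches the log: the security control tripped.
      store.record('warn', 'rate_limit_tripped', { ip, count: h.count }, now);
      return false;
    }
    return true; // successful requests leave no trace in the log
  };
}

// Errors are attributed by database ID, not by IP or full request context.
function logUserError(store, userId, err, now = Date.now()) {
  store.record('error', 'request_failed', { userId, message: err.message }, now);
}
```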