TL;DR: VelisMail uses end-to-end encryption. We cannot read your messages. We don't sell
your data. We collect minimal information needed to provide the service.
1. Introduction
VelisMail ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we
collect, use, and safeguard your information when you use our encrypted email service.
By using VelisMail, you agree to the collection and use of information in accordance with this policy.
2. Data We Collect
2.1 Account Information
Email address - For account identification and recovery
Username - For message addressing
Password hash - Securely hashed, never stored in plain text
Public key - For encrypting messages sent to you
2.2 Encrypted Data
Encrypted messages - Stored in encrypted form; we cannot read them
Encrypted private key - Encrypted with your password
Metadata - Sender/recipient usernames, timestamps (necessary for delivery)
2.3 Technical Data
IP address - For security and rate limiting (not logged long-term)
Session tokens - For authentication
3. Data We Don't Collect
Unlike most email providers, VelisMail does NOT collect:
❌ Message contents (encrypted; we can't access them)
❌ Browsing history
❌ Third-party tracking data
❌ Advertising identifiers
❌ Location data
❌ Device fingerprints
4. Encryption & Security
VelisMail implements true end-to-end encryption:
AES-256 - Military-grade symmetric encryption for messages
RSA - Asymmetric encryption for key exchange
PBKDF2 - 100,000 iterations for password-based key derivation
HMAC-SHA256 - Message integrity verification
Your private key is encrypted with your password before storage. We never have access to your unencrypted
private key.
5. How We Use Data
We use your data solely to:
Provide and maintain the email service
Authenticate your identity
Deliver messages to intended recipients
Protect against abuse and security threats
Comply with legal obligations
6. Data Sharing
We do NOT sell, trade, or rent your personal information.
We may share data only in these limited circumstances:
Legal requirements - When compelled by law (even then, we can only provide encrypted
data we cannot read)
Safety - To prevent imminent harm or illegal activity
Service providers - Infrastructure providers bound by strict confidentiality (e.g.,
hosting)
7. Data Retention
Messages - Retained until you delete them, or until self-destruct timer expires
Account data - Retained while your account is active
Session data - 7 days after last activity
Deleted accounts - Data permanently removed within 30 days
8. Your Rights
You have the right to:
Access - Request a copy of your data
Rectification - Correct inaccurate data
Erasure - Delete your account and all associated data
Portability - Export your data in a machine-readable format
VelisMail is not intended for users under 13 years of age. We do not knowingly collect personal information
from children under 13. If you are a parent or guardian and believe your child has provided us with personal
information, please contact us.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new
Privacy Policy on this page and updating the "Last updated" date.
Significant changes will be communicated via email or a prominent notice on our service.
11. Contact Us
If you have questions about this Privacy Policy, please contact us: