Inside out: How Mailbutler respects your privacy
With this blog post I’d like to give you a look behind the scenes of Mailbutler and explain how we are committed to protecting your privacy.
But let me start by introducing myself: My name is Fabian and I am the co-founder and CTO of Mailbutler.
In contrast to many other people in the tech scene, I am convinced that the European approach towards data privacy is an important step forward and is a very strong signal to the world about how everyone’s personality rights should be respected. GDPR might seem like a bureaucracy monster at first, but it’s more of a best effort approach. It’s still flexible enough for most companies to continue doing what they are doing, but with a more focused approach on respecting their users’ privacy rights. In times when companies know more about a person’s behavior, wishes and contacts than their own friends, it’s about time to re-think our understanding of data privacy — and that’s what GDPR is all about.
It’s great to see that the introduction of GDPR now also encourages companies to provide similar means outside of the EU. Big companies, such as Facebook and Apple, are starting to allow full insight into what is actually stored about their users. Even the often cited right-to-be-forgotten is now implemented in more and more services.
Here at Mailbutler, we strongly believe that it is the users’ fundamental right to know how their personal data is used; any business goal should respect and follow this principle at all times. A crucial part of our own belief in privacy (which was established long before GDPR was announced to the public) is having full transparency about the inner workings of our company and its products.
In this blog post we would like to provide you with some better understanding of how we, at Mailbutler, take care of your privacy rights and your personal data.
Before I dive deeper into the actual instruments that we at Mailbutler apply to keep your data private and protected, we need to have a quick look at some general terms that are used throughout this story:
Backend – The backend is the core part of the Mailbutler application and runs on servers located in Germany 🇩🇪 (or more techy: in the cloud ☁️). It takes care of the heavy lifting when it comes to Mailbutler’s functionality, such as sending an email later or snoozing an email (even when your computer is offline or switched off).
Frontend – Mailbutler’s frontend is what you interact 🕹 with when you use Mailbutler. Our Apple Mail plugin is one of the currently existing frontends to Mailbutler; the Chrome extension for Gmail and our add-in for Outlook are others. All our frontends interact with our backend through an API, which is an interface through which data is exchanged.
We do not have access to the data (including your emails, contacts, etc.) that is accessible by the frontend, because it is not running on our servers, but locally on your own computer.
Message-ID – Every email in your mailbox is identified by a globally unique, random identifier 🔢, which is stored in the (typically hidden) header of a message. Our system (the backend) uses these message-IDs to associate information with your messages, such as attached notes & tasks, tracking information, scheduling & snoozing state, etc. While this concept allows us to easily find this information whenever you need it through one of our frontends, it also makes sure that our system does not know more about your emails than this anonymous identifier.
Now let’s have a closer look at various architectural aspects of Mailbutler that took data privacy into account — from day one!
Data Location – All the data that is required to provide Mailbutler’s functionality is stored in a database located in Frankfurt, Germany. In fact, all the actual processing and the underlying data Mailbutler deals with never leaves data centers in Frankfurt. This is very important to us, but it should also be important to you: Germany 🇩🇪 has one of the strictest data privacy protection laws in the world and even over-fulfills the GDPR laws required by the European Union 🇪🇺, so you can be assured that your data is very well protected 🔐 in our system.
Privacy-by-design – When we designed and developed Mailbutler’s architecture 🏛, we always had data privacy in mind. Mailbutler’s system works flawlessly without any personal information about your emails, your contacts, etc.
You might still want to enrich some of the Mailbutler information with additional data, such as an email’s subject line or the recipients’ names. This optional (❗️) information helps you when using Mailbutler, because it provides some additional context when Mailbutler displays information about a message.
As you can see, the Mailbutler system (here: notifications) works without any restrictions with respect to functionality when you disable the transmission of optional meta information about your messages. You can change this privacy setting whenever you want from your account settings.
To repeat myself (because this is very important to understand): If you decide to opt-out of sending the optional metadata (or only part of the information), Mailbutler will still work for you — without any restrictions!
Tracking – When it comes to email tracking ✓✓, data privacy can easily be compromised. But we at Mailbutler took some extra effort to make sure that our system is unable to collect the personalized reading behaviour of our users’ email recipients. To achieve this, we do not store the actual recipient information when setting up email tracking for a message. Instead, we only use the aforementioned message-ID to collect information about whether an email has been opened. Based on this information, our system is unable to know who opened the message, what the message is about, etc. Our system just knows that some message with a certain identifier has been opened. Nothing more.
This basic information is then passed on (through our API) to the frontend you are using with Mailbutler and is combined with the actual message to provide the right contextual information. Only by combining information from the backend with the frontend’s view (which happens locally on your computer), you are finally able to see whether the particular email you sent to your close friend Marc regarding last week’s hiking trip has been opened or not (✓).
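The following is an added illustration of the message-ID-only design described in the two paragraphs above; it is example code written for this post, not Mailbutler’s own code, and the backend and frontend classes, the helper names and the sample message are all constructed for the example. The frontend extracts only the Message-ID header from a locally stored message, the backend keys every open event by that identifier alone, and the join with sender, recipient and subject happens on the client side.

```python
import email
from email import policy
from typing import Dict, List, Set

# Constructed sample message for this example (not a real email).
RAW_MESSAGE = b"""From: you@example.com
To: marc@example.com
Subject: Hiking trip last week
Message-ID: <constructed-6f3a9c@example.com>
Date: Mon, 01 Jan 2024 09:00:00 +0000

Hi Marc, here are the photos from the trip.
"""


def extract_message_id(raw: bytes) -> str:
    """Return the Message-ID header of a raw RFC 5322 message (frontend-side step)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    mid = msg.get("Message-ID")
    if mid is None:
        raise ValueError("message has no Message-ID header")
    return str(mid).strip()


class Backend:
    """Hypothetical backend: stores open events keyed by Message-ID and nothing else."""

    def __init__(self) -> None:
        self._opens: Dict[str, List[str]] = {}

    def register_tracking(self, message_id: str) -> None:
        self._opens.setdefault(message_id, [])

    def record_open(self, message_id: str, when: str) -> bool:
        # An open event carries only the identifier; unknown ids are ignored.
        if message_id not in self._opens:
            return False
        self._opens[message_id].append(when)
        return True

    def open_events(self, message_id: str) -> List[str]:
        return list(self._opens.get(message_id, []))

    def stored_values(self) -> Set[str]:
        """Every string the backend holds, to check that no address or subject leaks in."""
        values: Set[str] = set(self._opens)
        for events in self._opens.values():
            values.update(events)
        return values


class Frontend:
    """Hypothetical frontend: keeps the real messages locally and joins them with backend data."""

    def __init__(self, backend: Backend) -> None:
        self._backend = backend
        self._mailbox: Dict[str, email.message.EmailMessage] = {}

    def track(self, raw: bytes) -> str:
        msg = email.message_from_bytes(raw, policy=policy.default)
        mid = extract_message_id(raw)
        self._mailbox[mid] = msg          # full message stays on the client
        self._backend.register_tracking(mid)  # backend learns only the id
        return mid

    def open_status(self, message_id: str) -> Dict[str, object]:
        # The join of "who/what" (local) with "opened when" (backend) happens here.
        msg = self._mailbox[message_id]
        return {
            "to": str(msg["To"]),
            "subject": str(msg["Subject"]),
            "opened": self._backend.open_events(message_id),
        }


def demo() -> Dict[str, object]:
    backend = Backend()
    frontend = Frontend(backend)
    mid = frontend.track(RAW_MESSAGE)
    backend.record_open(mid, "2024-01-01T10:15:00Z")
    return {"status": frontend.open_status(mid), "backend_values": backend.stored_values()}


if __name__ == "__main__":
    print(demo())
```

The `stored_values` check is the part worth keeping in a real test suite: it lets you assert that the set of strings persisted server-side never contains an address or a subject line, which is the property the paragraph above claims.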
Message Content – When designing Mailbutler’s system, we explicitly restricted any operation that might access or rely on your email messages’ contents. We never read, store or process your messages’ content — never!
While this appears very obvious, many of our competitors sadly do the exact opposite: They store your complete messages on their servers (located who knows where in the world) and process them to provide some of their functionality. This leads to some very interesting pieces of advice in their privacy policies, such as:
In keeping with standard online privacy practices, users should not include any highly sensitive information (such as social security numbers, financial information, or “protected health information” (as that term is defined by the Health Insurance Portability & Accountability Act)) in any emails so that such data does not transfer to our servers (even if only temporarily).
Let me apologize for my reaction, but 🤬!?!
In my opinion, a company should not transfer, store or process their users’ emails to their servers at all (even if only temporarily)!
At Mailbutler we strongly believe in email as the number one tool for business communication and there is no way we could require our customers to restrict themselves in such a way!
We clearly demonstrate with our system that by following privacy-by-design principles, it is absolutely possible to provide at least the same functionality while keeping your data private (and outside of our system) at all times.
We never read, analyze or store your messages’ content or attachments!
Server Access (Send Later / Snoozing) – As initially stated, this story is about full transparency and this also includes deeper insights about two of Mailbutler’s features, which require some additional instruments to provide their functionality. For Send Later and Snoozing our system needs to temporarily access your email mailbox to either move messages between mailboxes 📬 → 📭 → 📬 (snoozing/un-snoozing) or to send a scheduled 🕰 email at a later point in time. As you can imagine, both actions should happen without any additional user interaction (otherwise Mailbutler would not be a real assistant, right?) and therefore we temporarily store a special access token in our backend, allowing access to your email account to perform the described actions. This token is only stored as long as it is required and is automatically removed from our database afterwards. You are also able to remove the token manually whenever you want through your integrations page.
Important: If you use neither Snoozing nor Send Later, all other Mailbutler features still work flawlessly — even without access to your email account.
For the Apple Mail plugin, there is also a special privacy mode (called compatibility mode) which will allow Mailbutler to schedule and snooze messages locally on your computer. That means messages will be kept on your computer until the time of sending or un-snoozing. If you have compatibility mode enabled, we don’t have any access token. Please note that you will have to keep Mail (and your computer) open at the scheduled date and time of sending to ensure these messages get sent.
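As an added example of the token lifecycle described above (not Mailbutler’s own code; the `TokenVault` class, its method names and the sample action are constructed for this post), the sketch below keeps a mailbox access token only while a scheduled action is pending, deletes it the moment the action has run, lets the user revoke it by hand, and purges anything whose deadline has passed. In compatibility mode no token is stored at all, which the `schedule` helper models with a flag.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional


@dataclass
class StoredToken:
    token: str
    needed_until: datetime  # latest moment the pending action is allowed to run


class TokenVault:
    """Hypothetical backend store for mailbox access tokens of pending Send Later / Snooze actions."""

    def __init__(self) -> None:
        self._tokens: Dict[str, StoredToken] = {}

    def has_token(self, account: str) -> bool:
        return account in self._tokens

    def schedule(self, account: str, token: Optional[str], run_at: datetime,
                 compatibility_mode: bool = False) -> bool:
        """Store the token for a scheduled action; returns True only if a token was stored."""
        if compatibility_mode or token is None:
            # Local scheduling: the action runs on the user's machine, the backend keeps nothing.
            return False
        self._tokens[account] = StoredToken(token, run_at)
        return True

    def run_pending_action(self, account: str, action: Callable[[str], bool]) -> bool:
        """Use the token exactly once, then drop it regardless of success or failure."""
        entry = self._tokens.get(account)
        if entry is None:
            return False
        try:
            return action(entry.token)
        finally:
            del self._tokens[account]

    def revoke(self, account: str) -> bool:
        """Manual removal, as offered on an integrations page; True if something was removed."""
        return self._tokens.pop(account, None) is not None

    def purge_expired(self, now: datetime) -> int:
        """Drop tokens whose action deadline has passed without running; returns the count."""
        expired = [acct for acct, t in self._tokens.items() if t.needed_until < now]
        for acct in expired:
            del self._tokens[acct]
        return len(expired)


def demo() -> Dict[str, object]:
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    vault = TokenVault()
    # Constructed sample accounts and token values.
    stored_a = vault.schedule("alice", "tok-a-constructed", now + timedelta(hours=1))
    stored_b = vault.schedule("bob", "tok-b-constructed", now + timedelta(hours=1),
                              compatibility_mode=True)
    vault.schedule("carol", "tok-c-constructed", now - timedelta(minutes=5))

    sent = vault.run_pending_action("alice", lambda tok: tok.startswith("tok-"))
    purged = vault.purge_expired(now)
    return {
        "stored_alice": stored_a,
        "stored_bob": stored_b,
        "alice_sent": sent,
        "alice_token_after_send": vault.has_token("alice"),
        "purged": purged,
        "carol_token_after_purge": vault.has_token("carol"),
    }


if __name__ == "__main__":
    print(demo())
```

The `finally` in `run_pending_action` is the design choice to note: the token is removed even when sending fails, so a failed scheduled action never leaves credentials lingering in the database.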
Data Protection – As previously mentioned, Mailbutler stores and processes as little personal information about you and your email communication as possible, but there is still some data that needs to be stored in our database. This includes your own notes & tasks, basic message information (or more precisely: their message-IDs) and their status regarding snoozing, scheduling or tracking. But it also includes other simpler pieces of data, such as your email address for logging into your Mailbutler account. All types of data that are exchanged with or stored in our backend are encrypted – all the time and using the most advanced encryption mechanisms, which are known to be secure 💂 and are therefore used for protecting highly sensitive information in banks, corporates and governments. No compromises here!
This includes communication between the frontend and the backend through the API, the processing on the backend servers, the communication between our backend and other additional services that you might use (e.g. Evernote for storing notes) and of course it also covers the whole database holding everything Mailbutler requires to provide its services.
Business Model – Last, but definitely not least! Right from the beginning of Mailbutler as a company, we explicitly decided never to sell user data as part of our business model 📈. Our revenue stream is completely based on subscription fees, which are paid by our highly esteemed customers. Our highest goal is to provide Mailbutler as a useful service that saves all its users a lot of time when working with emails in their professional life 👩💻. Based on this idea, we are convinced that our pricing model reflects this time-saving philosophy and that our customers can be assured that there is no good reason for us to use their precious personal data for building up additional revenue through advertising, targeting, etc.
Just a piece of personal advice: Next time you use a service claiming to be “free”, think again about what this actually means. How can a “free” service afford well-paid software engineers and other employees to work on this product? 🤔
I hope that you got a solid overview of how important data privacy protection is to us at Mailbutler and how deeply this principle is embedded in our products and the company culture itself.
I am looking forward to reading your comments on this story, your follow-up questions on data privacy aspects, but also requests for more details about certain key aspects of the Mailbutler system and its inner workings.