GDPR Compliance

Last updated: 10 November 2025

TempusMail is committed to protecting the privacy and personal data of all individuals in the European Economic Area (EEA) in accordance with the General Data Protection Regulation (GDPR).

GDPR Compliance Summary

TempusMail complies with the General Data Protection Regulation (GDPR) for users in the European Union.

1. Data Controller

TempusMail acts as a data controller for account data and as a data processor for email routing metadata.

2. Legal Basis for Processing

We process data based on:

  • Contract (providing email services)
  • Legitimate interest (security, performance)
  • Consent (cookies, optional features)

3. GDPR Rights

EU users can request:

  • Access to personal data
  • Correction of inaccurate data
  • Deletion of data
  • Restriction or objection to processing
  • Data portability

4. Data Transfers

When transferring data outside the EU, we use secure mechanisms such as Standard Contractual Clauses (SCCs) and other appropriate safeguards.

5. Data Breach Policy

In case of a data breach, affected users will be notified within 72 hours where required by law.

6. Contact

For GDPR-related inquiries, please contact: support@tempusmail.com

Data Processing Activities

We process the following categories of personal data:

  • Identity Data: Name, username, email address
  • Contact Data: Email address, phone number (optional)
  • Technical Data: IP address, browser type, device information, usage data
  • Transaction Data: Payment information (processed by our payment processors)
  • Communication Data: Email content stored in your temporary mailbox

Data Processors and Third Parties

We work with the following data processors and have Data Processing Agreements (DPAs) in place:

Payment Processors

  • PayPal: PCI DSS Level 1 compliant, GDPR-compliant payment processing
  • NowPayments: Cryptocurrency payment processor with AML/KYC compliance
  • Zoho Payments: PCI DSS compliant, GDPR-compliant payment gateway

These processors handle payment information on our behalf. We do not store complete payment card details on our servers.

Infrastructure Providers

  • Google Firebase: Backend infrastructure and database hosting with GDPR compliance and a DPA in place

Analytics and Marketing

We may use analytics services that are GDPR-compliant and have appropriate safeguards in place. You can opt out of analytics tracking through cookie preferences.

International Data Transfers

Some of our service providers are located outside the EEA. When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU-approved contractual terms with data importers
  • Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate protection
  • Data Processing Agreements: Binding agreements ensuring GDPR-level protection

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Account Data: Retained while your account is active and for 30 days after deletion
  • Email Content: Deleted according to your subscription plan (24 hours to 7 days for temporary emails)
  • Transaction Records: Retained for 7 years for legal and tax purposes
  • Marketing Preferences: Retained until you withdraw consent or request deletion

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk:

  • TLS 1.3 encryption for data in transit
  • AES-256 encryption for data at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Employee training on data protection
  • Incident response and data breach notification procedures

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Provide information about the nature of the breach and measures taken to address it
  • Document all data breaches, including facts, effects, and remedial action taken

Privacy by Design and Default

We implement privacy by design and default principles:

  • Data minimization: We collect only necessary data
  • Purpose limitation: Data is used only for specified purposes
  • Privacy-friendly default settings
  • Regular Data Protection Impact Assessments (DPIAs)
  • Pseudonymization and anonymization where possible

Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with your local supervisory authority:

  • You can find your local data protection authority at: European Data Protection Board
  • We encourage you to contact us first so we can address your concerns

Updates to This GDPR Compliance Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

  • Posting the updated statement on our website
  • Updating the "Last Updated" date
  • Sending email notification for significant changes

Contact Us

If you have questions about our GDPR compliance or wish to exercise your rights, please contact: