Privacy Policy
The German version of this privacy notice is the legally binding one. Translations into other languages are provided solely for readability.
Controller
Controller within the meaning of Art. 4 No. 7 GDPR:
Markus Aschl
Steinerkirchen 8
4633 Kematen am Innbach
Österreich
Email: support@getalias.email
No data protection officer has been appointed — solo operator, no core activity involving large-scale regular and systematic monitoring within the meaning of Art. 37(1) GDPR.
Processing activities
| Processing | Legal basis | Retention |
|---|---|---|
| Magic-link authentication | Art. 6(1)(b) | Token 15 min, session cookie 30 days |
| Account management (user, aliases) | Art. 6(1)(b) | until account deletion |
| Mail forwarding (content transient) | Art. 6(1)(b) | not persisted; dead-letter queue 7 days |
| Reply tokens (alias ↔ external contact) | Art. 6(1)(b) | until alias deletion |
| Spam filtering via Rspamd | Art. 6(1)(f) | transient, no content storage |
| Outbound rate counters and reputation | Art. 6(1)(f) | 24-hour rolling window |
| Bounce tokens and bounce statistics | Art. 6(1)(f) | 30 days |
| Server logs (IP, path, status code) | Art. 6(1)(f) | 30 days |
| DMARC reports | Art. 6(1)(f) | 30 days, then aggregated |
| Pro billing via Paddle | Art. 6(1)(b) | until account deletion; Paddle's retention follows their privacy policy |
Legitimate interests in detail
For processing activities based on Art. 6(1)(f) GDPR we pursue the following specific legitimate interests (Recitals 47 and 49 GDPR):
- Spam filtering via Rspamd — protecting our users from unsolicited mail and preserving the reputation of the sender domain.
- Outbound rate counters and reputation — IT security, abuse prevention and protection from reputation harm that would affect all users.
- Bounce tokens and bounce statistics — delivery diagnostics and avoiding repeated delivery attempts to permanently failed addresses.
- Server logs — IT security, error analysis, and forensics in the event of a security incident.
- DMARC reports — authentication monitoring to defend against spoofing and phishing.
Obligation to provide data
Providing your email address is contractually required to create and operate an account; without it no account can be created. Providing further data (aliases, notes, language) is voluntary and remains at your discretion. If you do not provide sufficient data, the contract either cannot come into existence or cannot be performed as intended.
What does not happen with mail content
The product's promise rides on these specific negative statements:
- Mail bodies are not persisted in an application database. Exception 1: the dead-letter queue stores envelope metadata (sender, recipient, size, error reason) — no content — for up to 7 days. Exception 2: technical logs (spam filtering, bounce diagnostics, Postfix queue) may briefly contain header or body fragments of individual messages and are deleted in line with the retention windows in the processing table above.
- Mail bodies are not viewed by humans.
- Mail bodies are processed transiently by Rspamd, with no long-term content storage.
- No content-based advertising, no profiling, no sale to third parties.
Recipients and processors
- Hetzner Online GmbH (Germany/Finland) — hosting; Art. 28 GDPR DPA in place (signed 2026-05-04, available on request to the email address above).
- Paddle.com Market Limited (United Kingdom) — payment processor acting as Merchant of Record for Pro tiers; DPA in place under Paddle's Data Processing Addendum, publicly available at https://www.paddle.com/legal/data-processing-addendum. Paddle is independently responsible for payment data (card number, transaction record) — this data is not transferred to us; we receive only the subscription status, billing period, and a pseudonymous subscription ID.
Third-country transfers
We do not transfer data to third countries (outside the EU/EEA). Hetzner is based within the EU/EEA. Paddle.com Market Limited (United Kingdom) processes payment data under the EU Commission's UK adequacy decision.
Data of external senders and recipients
In operating the forwarding service we also process personal data of third parties who are not themselves account holders with us:
- Email addresses of external senders writing to a user's alias (in `reply_tokens`, where a reply via the alias has occurred)
- Email addresses of external recipients addressed by a user via an alias (also in `reply_tokens`)
- Addresses with permanent delivery failures (in `dead_addresses`, to avoid repeated delivery attempts)
- Header data in technical logs (spam filtering, bounce diagnostics) within the retention windows above
Source of the data: Email headers and envelope data of inbound and outbound messages (Art. 14(2)(f) GDPR).
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in operating a functioning email forwarding service for our users.
Direct information disproportionate (Art. 14(5)(b) GDPR): Direct information of every external sender or recipient would require additional outbound mail from us — increasing internet-wide spam load and contradicting the principle of data minimisation. We satisfy the information obligation through this public privacy notice instead.
External senders and recipients have the same data subject rights (see below) and may exercise them via the email address listed above.
Cookies and tracking
- Session cookie (`sessionid`): technically necessary under §96(3) TKG / Art. 5(3) ePrivacy Directive. No consent banner required.
- Language cookie (`lang`): stores your language choice. Technically necessary for language detection; no personalisation.
- Magic-link token: no cookie; single-use URL parameter.
- Paddle.js (Pro checkout): loaded only on the upgrade view and only when you actively open the checkout. Paddle sets its own cookies inside the checkout frame; see Paddle's privacy policy at https://www.paddle.com/legal/privacy.
Automated decision-making
There is no automated decision-making within the meaning of Art. 22 GDPR producing legal effects concerning you or similarly significantly affecting you. The Bayes spam classifier evaluates individual mails without that evaluation amounting to a legal or comparably significant decision concerning the data subject — it influences only the routing decision for the individual message (accept or reject).
Right to object (Art. 21 GDPR)
You have the right at any time, on grounds relating to your particular situation, to object to the processing of your personal data based on Art. 6(1)(f) GDPR (legitimate interest). In the event of an objection, we will no longer process the data concerned, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
You may submit an objection without specific form to the email address above.
Your rights
You have — in addition to the right to object highlighted above — the right to:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Lodge a complaint with the supervisory authority competent for you — for Austria: Austrian Data Protection Authority, https://www.dsb.gv.at; in other EU Member States the respective national data protection authority (Art. 77 GDPR).
Response deadline (Art. 12(3) GDPR): Requests are answered within one month. In complex or numerous cases we may extend the deadline by a further two months; we will inform you of the extension within the first month.
Self-service: data export and account deletion are available directly in the dashboard. Requests that cannot be resolved through self-service should be directed to the email address above.