UPDATE February 2023: Fighting hard for the first spot, FastMail is also now Cloudflared.
This is another one of the paid providers which are also absolutely terrible from a privacy standpoint. From their privacy policy:
If you register to use, or use, one of our websites or services [...] personal information that may be collected directly from you includes name, billing address, mobile phone number, organisation name, your own domain name, IP address, browser user-agent and billing details
Name, phone number, address. You're off to a fast start towards privacy hell, FastMail.
We process mail sent and received from your account to block spam and fraud.
The private FastMail scans your mail.
We also store information from your address book, calendar, notes and files on our servers.
Is there anything you guys don't store?
We also collect the email content you create, upload, or receive from others
Guess not - even other people aren't safe from FastMail's prying eyes.
Each time you connect to our service, we log your IP address, your client identifier (browser or mail client information) and your username. If you send mail, we also log the email address you're using to send mail and the email address you're sending to. If you take action on mail in your mailbox, we also log the activities taken.
So literally your every move is being tracked and logged. And now for some humor - look at how they justify themselves:
This is necessary for providing proof of delivery and fraud analysis.
Sure. I wonder why almost no other provider on this list is doing so, then? Now check this admission (from section "How do we use the personal information we collect from you?"):
conduct analytics and measurement to understand how our services are used;
Oh, so it was about analytics all along, instead of "fraud analysis" or some other bullshit excuse. And for something even more damning (from section "Sharing personal information with others"):
We may share your personal information [...] with third parties who help manage our business and deliver services [...] Some of these providers use “cloud based” IT applications or systems, which means that your Personal Information will be hosted on their servers
And now all the stuff I've talked about will be put on some third party servers.
We may use your name and email address to send direct marketing communications to you and let you know more about our services or related services that we believe will be of interest to you
You will also be flooded with directed advertisements. But how does FastMail know what "will be of interest to you"? Of course, it's because of all that collected data - which, remember - includes your mail content! Later they claim that they don't profile you to send targeted advertisements, but that seems to contradict the above - and we should always assume the worst. FastMail also uses the Matomo tracking service, which was described in detail in ProtonMail's section. Anyway, that's quite a lot of data collected - but how long does it stay around?
Where we log information related to your IP address, we retain this information for approximately 90 days.
Where you request that we delete your account from our system, we will immediately lock the account and archive the information, then delete it from our severs within approximately 7 days from the date of your request.
Not bad, I guess. I mean, some other providers take a year or more...But wait:
However, in specific limited circumstances we may store your personal information for longer periods of time
Ha! So the 7 days figure was just for show. Let me quote some related information from another section (archive) (MozArchive):
After an account is terminated, data and backups are purged within a timeframe of between 37 days to 1 year after closure
So you do take a year after all. And you fucking lied straight to our faces with the 7 day thing. This seems more and more like some entry-level trolling...Can we say anything at all positive about FastMail in light of the information presented? I guess this:
Providing secure end-to-end encryption via webmail is impossible. There are basically two options, both flawed:
That's right - it's the same thing I've been speaking about. So at least they don't pretend to have some super-duper in-browser encryption. And maybe another thing:
We won't release any data without the required legal authorisation from an Australian court. As an Australian company, we do not respond to US court orders.
But remember that some of your data will be stored on third party servers in other countries, which might have some different ideas...All in all, I struggle to provide a reason to use this one at all. The amount of stored data is simply massive (and I didn't even cover all of it), it's shared with third parties and used for sending advertisements - and you have to pay for all that.