Privacy policy mail123.click

Who is the data controller

mail123.fr is published by Vincent, an independent developer based in Marseille, France. There is no team, no investor, no third-party company exploiting your data — it is one person coding, hosting and maintaining the service.

For any question regarding your personal data, exercise of your GDPR rights, or complaint: use the contact page. Vincent personally answers each legitimate request, within a maximum of 30 days as per Article 12 of the GDPR.

What data we collect

Here is the exhaustive list of what we collect about you, with no omissions:

📧 Received emails

Full content of emails sent to your temporary inboxes (body, subject, sender, attachments). Stored on our servers only for the duration of the retention period.

🌐 Technical data

IP address, user-agent (browser, OS), URL visited, timestamp. Present in server logs, as on any website.

📊 Anonymous statistics

Aggregated counters: number of emails received, top sender domains, hourly/daily activity. No personal data nor IP is linked to these stats.

🍪 Cookies

Session cookies (CSRF, language, selected domain, theme). See section 5 for the full details.

✉️ Contact messages

If you use the contact form: your email (if provided), your message, time of sending. To be able to respond to you.

🔔 Push notifications (optional)

If you enable browser notifications: VAPID endpoint + public keys. No email or IP is linked. You can revoke at any time in your browser settings.

Why we process this data (GDPR legal bases)

Each processing is based on a specific legal basis, in accordance with Article 6 of the GDPR:

• Temporary email service — performance of the service contract (art. 6.1.b). Without collecting emails, we cannot display them to you.
• Server logs (IP, user-agent) — legitimate interest (art. 6.1.f): security, abuse prevention, spam protection. Minimal strictly necessary duration.
• Aggregated anonymous statistics — legitimate interest (art. 6.1.f): improving the service, publishing transparent public stats. Data already anonymized.
• Google Analytics — explicit consent (art. 6.1.a). Only enabled if you accept it via the cookie banner.
• Targeted advertising — explicit consent (art. 6.1.a). No advertising cookie is set without your clear consent.
• Contact messages — performance of a pre-contractual request (art. 6.1.b): you write to us, we must read and reply.

How long we keep your data

Everything is kept for the strictly necessary duration of the processing purpose, then automatically deleted:

📧 Received emails

Auto-deleted after 7 days. No backup copy, no archive. Once deleted, they cannot be recovered.

🌐 Server logs (IP, user-agent)

Kept 7 days for abuse detection, then automatically purged by log rotation.

📊 Anonymous statistics

Kept without time limit because already anonymized (aggregated counters, no personal data). Publicly visible on the /stats page.

✉️ Contact messages

Kept for a maximum of 1 year for traceability, then purged. If you request immediate deletion, it is applied within 30 days.

🍪 Cookies

Session cookies: browser session duration. Consent cookies: 6 months (re-asked after). See details in section 5.

Cookies and trackers

We use different cookies, grouped in two categories: strictly necessary (we set them without asking because they make the site work) and optional (we only set them with your explicit consent via the banner).

Strictly necessary cookies

Optional cookies (subject to consent)

Subcontractors and recipients

Some third-party services are necessary for the site to work. Here is the complete and honest list:

No other third party receives your data. No data broker, no marketing partner, no resale. If this list changes, this page will be updated and the cookie banner will be reset.

Data transfers outside the EU

By default, your data remains in the European Union: OVH hosts in France, Bunny CDN on European servers. No leak outside the EU for the email service and basic browsing.

Two possible exceptions, only if you accept optional cookies:

• Google Analytics (United States) — Google is certified under the EU-US Data Privacy Framework (DPF), considered adequate by the European Commission since July 2023.
• Advertising networks (variable) — Depending on the network used at a given time, transfers may occur outside the EU. Always framed by the DPF or Standard Contractual Clauses (SCC) from the European Commission.

Your GDPR rights

The GDPR gives you 7 rights, exercisable free of charge and without justification:

• Right of access (art. 15) — obtain confirmation that your data is processed, and get a copy of it.
• Right to rectification (art. 16) — request correction of inaccurate or incomplete data.
• Right to erasure (art. 17, « droit à l'oubli ») — request deletion of your data. For emails, this can be done directly via the « Clear » button in your inbox.
• Right to restriction (art. 18) — freeze processing in case of dispute over data accuracy.
• Right to portability (art. 20) — recover your data in a structured, machine-readable format.
• Right to object (art. 21) — object to processing based on legitimate interest.
• Right to withdraw consent (art. 7) — at any time, without affecting the lawfulness of previous processing.

To exercise one of these rights: use the contact form, clearly specifying your request. Response time: 30 days maximum (Article 12 GDPR). No proof of identity is required unless there is reasonable doubt about your identity.

Data security

We apply reasonable technical and organizational measures to protect your data:

• TLS/HTTPS encryption on the entire site (A+ rating on SSL Labs).
• Standard email anti-spoofing authentication (DKIM, SPF, DMARC).
• Automatic deletion of emails after a few days — less data stored = less risk in case of compromise.
• Server access limited to strict necessity, SSH authentication by key only.
• Encrypted backups, off-site, with regular restoration tests.
• Security updates applied within 48h for critical CVEs.

Minors

mail123.fr is not specifically intended for minors under 15 (digital consent threshold in France). Since no personal data is collected and the service is heavily based on anonymity, there is no specific age verification mechanism. If you are a parent and notice your child using the service, you can contact us with any questions.

Changes to this policy

This policy may change if we add a new subcontractor, change advertising network, or adjust retention periods. In case of substantial change (new processing, new subcontractor), the cookie banner will be reset so you can re-express your informed consent.

The update date is displayed at the top of this page. History of previous versions can be requested via the contact form.

Contact and CNIL complaint

For any question regarding your personal data, exercise of your rights, or deletion request: use the contact page.

If you believe your rights are not respected despite a request from our side, you have the right to lodge a complaint with the competent supervisory authority:

• CNIL (French Commission for Data Protection) — cnil.fr/fr/plaintes — 3 Place de Fontenoy, 75007 Paris