The Services at astis.io are provided by ASTIS OÜ (Estonia) or, for customers in the United States, by ASTIS LLC (United States) — the applicable contracting entity, referred to here as "ASTIS", "we", or "us". ASTIS does not store customer business-payload plaintext. On managed plans, cryptographic key material may be processed transiently in memory by ASTIS-managed key-processing components — sKey for Mail onboarding, CVS for organization and workload operations — during approved rewrap or unwrap operations; under HYOK and ASTIS CVS Hybrid this key-processing boundary moves to customer-controlled infrastructure and ASTIS never holds key material. Service metadata and account data are processed by ASTIS in the EU/EEA, regardless of the contracting entity. This Privacy Policy describes how we collect, use, disclose, and retain personal data when you use the Services, our websites, and related support.
1. Key Principles (What We Do / Do Not Do)
Client-side encryption for message content
- Email message content is encrypted and decrypted within the ASTIS client application (web app, PWA, mobile app, desktop plugin, or other client form factor) using client-side cryptography. Plaintext email content is handled only within the client application on the user's device.
- ASTIS servers do not see or store plaintext email content.
Session keys (SKEY) and Key Rewrap
- The Services may store encrypted session-key capsules ("SKEY Capsules") to enable access workflows.
- We do not store plaintext SKEY.
- Key Rewrap: When a recipient registers and provides a public key, ASTIS may transiently process SKEY in plaintext in memory solely to re-encrypt (rewrap) the SKEY Capsule to the recipient's newly provided public key. Plaintext SKEY is not persisted.
Pre-registration recipients
- For recipients who have not yet registered with ASTIS, we store a pseudonymized identifier derived from the recipient's email address (e.g., cryptographic hash or HMAC) together with the encrypted SKEY Capsule.
- This data is used solely to enable Key Rewrap and policy enforcement once the recipient registers and provides a public key. It is not used for marketing, profiling, or any other purpose.
TTL and data retention
- TTL (Time-to-Live) controls access expiry: after TTL expires, ASTIS will no longer release or rewrap the SKEY Capsule — the message can no longer be decrypted via ASTIS.
- TTL expiry does not automatically delete the encrypted capsule record. Retention and deletion of expired records are governed by plan-based retention policies and applicable data protection obligations.
OpenPGP key management
- Public keys (WKD): ASTIS operates a Web Key Directory (WKD) service on ASTIS infrastructure for distributing users' public OpenPGP keys. Public keys are intended to be shared openly and do not contain private key material.
- Private keys (CVS): Private OpenPGP keys are managed via the CryptoVault Service (CVS), which runs on ASTIS infrastructure by default. For Enterprise customers with HYOK (Hold Your Own Key), CVS can be deployed on Customer infrastructure for full key custody control.
2. What Personal Data We Collect
(A) Account and subscription data
- Email address (account/admin)
- Organization name (if provided)
- Plan and subscription status
- Basic account security events (e.g., verification status)
(B) Service operational data (minimal metadata)
Depending on configuration, we may process:
- Tenant/org identifiers, user IDs
- Policy/audit events (e.g., allow/deny outcomes for Key Rewrap, timestamps)
- Security logs (e.g., IP address/user agent) if enabled for abuse prevention and security monitoring
(C) Transactional email data (OTP / verification)
We send authentication and verification emails (e.g., one-time passcodes, sign-in codes, verification links) via a transactional email provider.
- Recipient email address
- Message content required to deliver the OTP/code/link
- Delivery metadata (status, timestamps)
(D) Support communications
If you contact us, we process the information you provide (emails, tickets, attachments you choose to send).
(E) Sanctions and compliance screening
For Account onboarding and ongoing compliance, we process minimal Account, organization, and beneficial-ownership data to screen against sanctions, restricted-party, and adverse-media lists (e.g., US OFAC SDN, EU Consolidated, UK OFSI, UN). Screening is performed at onboarding and periodically thereafter.
Legal basis: legitimate interest in compliance with applicable law and protection of the Services (GDPR Art. 6(1)(c) and 6(1)(f)). Screening logs are retained as required by applicable AML / sanctions regulations.
(F) Website analytics (consent-based)
Our website uses Google Analytics to understand general usage (e.g., page views, referrers/UTM, device/browser category, country/region at a coarse level). Google Analytics sets cookies and is loaded only after you accept analytics via our cookie banner; if you decline, it is not loaded. We enable IP anonymization. See our Cookie & Tracking Policy and the Subprocessors list.
3. How We Use Personal Data
We use personal data to:
- Provide, maintain, and secure the Services
- Perform Key Rewrap and generate associated audit events (where enabled)
- Authenticate users and send OTP/verification emails
- Provide customer support
- Prevent fraud/abuse and protect platform security
- Comply with legal obligations (billing records, lawful requests)
4. Legal Bases (GDPR)
Where GDPR applies, we process personal data under the following bases:
- Contract: to provide the Services you request
- Legitimate interests: security, fraud prevention, service improvement (balanced against your rights)
- Legal obligation: accounting/tax compliance, responding to lawful requests
- Consent: where required for specific optional activities (if any)
5. Sharing and Disclosures
We share personal data with:
- Subprocessors (service providers) listed at /legal/subprocessors (e.g., edge/security, billing, transactional email delivery)
- ASTIS affiliates for payment collection and reconciliation. ASTIS LLC may process limited billing and payment-related account data for payment collection and reconciliation; ASTIS LLC does not receive customer business-payload plaintext or cryptographic key material.
- Law enforcement/government authorities where required by law
- Professional advisors (legal/accounting) under confidentiality
We do not sell personal data.
6. Integrations: Customer-Controlled Third-Party Services
If you connect third-party email providers (e.g., Google Workspace/Gmail, Microsoft 365), those providers are chosen and controlled by you (or your organization) under your agreement with them. ASTIS does not provide email hosting and does not control those providers.
OAuth tokens to email providers: When you authorize ASTIS to connect to your email provider (e.g., Gmail, Microsoft 365), OAuth access and refresh tokens are stored client-side on your device (PWA / web / mobile / tablet / PC). ASTIS servers do not store your email provider OAuth tokens. You can revoke access at any time through your provider's settings.
ASTIS authentication tokens: Access and refresh tokens used for authentication to ASTIS internal systems are stored on ASTIS servers, encrypted at rest, as part of standard session management.
7. Google API Services — Limited Use Disclosure
ASTIS Mail's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Gmail Data Usage
ASTIS Mail accesses Gmail data solely to provide email client functionality — reading, sending, and organizing messages on behalf of the authenticated user. Gmail message content is decrypted and processed exclusively on the user's device. No Gmail message content, metadata, or credentials are transmitted to or stored on ASTIS servers.
Gmail data is not used for advertising, not sold to third parties, and not used for any purpose beyond operating the email client.
8. Data Location
ASTIS Services are hosted on dedicated servers. Production data-plane processing takes place in the EU/EEA by default; additional deployment regions may be agreed in the applicable Order Form. For specific data residency needs, contact sales@astis.io. Some subprocessors may process data in other regions as described in their own terms. See /legal/subprocessors.
9. Data Retention
- Account data: retained while your subscription is active, then typically up to 30 days after deletion/termination (unless legally required to retain longer).
- Audit/security logs: retained according to plan (e.g., 90 days / 1 year / Enterprise-custom).
- Backups: encrypted backups may be retained up to 30 days.
- Transactional email (OTP): retained per operational needs and provider delivery logs for a limited period.
10. Security
We implement technical and organizational measures to protect data, including encryption in transit, access controls, logging, and incident response processes. See /security.
11. Your Rights
Depending on your location, you may have rights to:
- Access, correct, delete, or export your personal data
- Object to or restrict certain processing
- Withdraw consent where processing is based on consent
- Lodge a complaint with a supervisory authority
To exercise rights, contact privacy@astis.io.
12. International Transfers
Where personal data is transferred internationally, we use appropriate safeguards (e.g., Standard Contractual Clauses) where applicable. See our DPA for details.
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request what personal information we collect, use, disclose, and sell (if applicable).
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: ASTIS does not sell personal information and does not share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact privacy@astis.io. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.
14. Children's Privacy
ASTIS is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and updating the version number. Continued use of our Services after changes constitutes acceptance of the revised policy.
16. Contact
ASTIS OÜ
- Privacy: privacy@astis.io
- Security: security@astis.io