Mailbox
Right off the bat you get smacked with Google's reCAPTCHA; this is an absolute injustice, as Google is the epitome of spyware companies. The service also demands your full name and country. They do allow signup and use through Tor. I was prompted for SMS or email verification for the purpose of password reset; this was, however, optional.
The privacy policy states that they use Matomo spyware; it is self-hosted, but this does not redeem them. It is still possible for this data to be leaked or handed to law enforcement. They collect a plethora of data:
- the browser types and versions used
- the operating system used by the accessing system
- the website from which an accessing system reaches our website (so-called referrer)
- the sub-websites which are accessed via an accessing system on our website
- the date and time of access of the website
- an internet protocol address (IP address)
- the internet service provider of the accessing system
And "other similar data and information" for "security purposes"; there should be absolutely no ambiguity in a privacy policy.
They say they collect this data expressly to provide it to law enforcement. They will erase data if requested; they also detail the erasure period of particular data:
- WEBMAIL: IP address and access time retained for 4 days, then erased.
- SMTP: Message metadata (sender, recipient, message ID and size of a sent or received email) is retained for 7 days, then erased
- POP3/IMAP: Account, IP address, ID and size of erased messages, ID and size and locations of moved emails; all retained for 4 days, then erased
- Remote POP3 server, login, password, log of recent POP3 retrievals; retained for 7 days, then erased
- WEBSITE: log data with logins + source IP addresses in the last few hours; retained for 4 days, then erased
The German public prosecutor's office and police have "easy" access to their database. "Simple" requests do not need a court order. They are not legally allowed to inform the customer of any information request. They are also not allowed to dispute the request, and as such you have no protection.
Access to the log data of mail or web servers or the email content of a mailbox requires a judge’s decision, unless the investigating authorities can directly establish “imminent danger”; in other words, the police can just cry terrorist and they can get any of your data.
They claim they will only disclose data in response to mandatory requests: "Such requests for information from the police without a court order will definitely be rejected by us."
Playing around with the web interface, there is not a single third party request.
All in all, mailbox.org is absolutely abysmal for privacy. Not only do they retain an exorbitant amount of data, they bend over backwards for the authorities and don't try to (or legally can't) protect you whatsoever.
NOTE: this entry has been submitted by Oreamnos; I only did grammar / structure improvements. Thanks, Oreamnos!