Privacy Policy

Last updated: February 25, 2026

1. Introduction

IronMail ("we", "us", "our") operates a self-hosted corporate email platform at ironmail.email. This Privacy Policy explains how we collect, use, and protect your information when you use our services, including email hosting, file storage (Drive), and the web/mobile dashboard.

2. Information We Collect

Account Information

  • Name, email address, and password when you create an account or your administrator creates one for you.
  • Domain name and DNS records for email configuration.

Email Data

  • Email messages, attachments, folders, and metadata (sender, recipient, subject, timestamps) stored on our dedicated mail server.
  • Email signatures configured through the dashboard.

Drive Storage

  • Files you upload to IronMail Drive, including file names, sizes, and folder structure.
  • Sharing preferences and public link settings.

Technical Data

  • IP addresses, browser type, and device information for security and authentication purposes.
  • Push notification tokens (Firebase Cloud Messaging) for the mobile app.
  • Session data and authentication tokens to maintain your login state.

3. How We Use Your Information

  • Provide the service: Send and receive emails, store files, manage mailboxes and domains.
  • Security: Anti-spam filtering (Rspamd), antivirus scanning (ClamAV), and authentication enforcement.
  • Notifications: Send push notifications for new emails via Firebase Cloud Messaging.
  • Administration: Enable domain administrators to manage mailboxes, aliases, and DNS records.
  • Deliverability: Maintain SPF, DKIM, and DMARC records to ensure emails reach their destination.

4. Data Storage & Security

  • All email data is stored on a dedicated server — your data is never co-mingled with other customers on shared infrastructure.
  • All connections are encrypted with TLS (HTTPS, IMAPS, SMTPS).
  • Passwords are hashed and never stored in plain text.
  • Drive files are stored securely and accessible only to authorized users or through explicit sharing.
  • We do not sell, rent, or share your data with third parties for marketing purposes.

5. Mobile App & On-Device Data

When you use the IronMail mobile app, the following data is stored locally on your device:

  • Biometric Data (Face ID / Touch ID): If you enable biometric authentication, your encrypted login credentials are stored securely on your device using the operating system's secure enclave. Biometric data never leaves your device and is not transmitted to our servers.
  • Authentication Tokens: Your session token is stored in encrypted device storage (Keychain on iOS, Keystore on Android) to keep you signed in.
  • Cached Data: Email lists and folder data may be cached locally for offline access and performance. This cache is encrypted and automatically cleared when you sign out.
  • Push Notification Tokens: A device token is generated by Firebase Cloud Messaging and stored on our server to deliver push notifications. No email content is included in push notification payloads.

6. Third-Party Services

We use the following third-party services:

  • Firebase Cloud Messaging (Google): For push notifications on the mobile app. Only device tokens are shared; email content is not sent through Firebase.
  • Hetzner & Oracle Cloud: Infrastructure providers for server hosting. Servers are fully managed by us.

7. Your Rights

You have the right to:

  • Access your personal data through the dashboard or by contacting us.
  • Export your emails and files at any time using the built-in import/export tools.
  • Delete your account and all associated data by requesting your administrator or contacting us directly.
  • Correct inaccurate personal information through your account settings.

8. Data Retention

We retain your data for as long as your account is active. When an account or domain is deleted by an administrator, all associated emails, files, and personal data are permanently removed from our servers within 30 days.

9. Cookies

We use essential cookies only for authentication (session tokens). We do not use tracking cookies, analytics cookies, or advertising cookies. No third-party trackers are present on our platform.

10. Children's Privacy

IronMail is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy or your data, contact us at admin@ironmail.email.