Privacy Policy
Effective May 17, 2026
We collect the minimum data needed to operate the service.
1. Who we are
Temp Mail Now is operated from Germany. References to "we", "us", and "our" mean the operator of temp-mail-now.com. For privacy questions, contact [email protected].
2. What we collect & why
Free tier (no account)
- Incoming messages sent to your disposable address are stored in memory (Redis) for six (6) hours, then unconditionally deleted. Lawful basis: legitimate interest in providing the service you requested.
- IP address — captured in standard server access logs and used to rate-limit abuse. Rotated every 14 days.
- Locale cookie (
tmnLocale) — remembers your language choice. First-party, 1-year expiry. No tracking.
Paid plans (Basic, Plus, Pro)
- Email address & password hash — to sign you in. Passwords are hashed with argon2id; we never store plaintext.
- Payment provider customer ID (Paddle or NOWPayments). We never see your card or wallet details — those live with the payment provider.
- Subscription state — plan, cycle, billing dates.
- Premium messages — kept in PostgreSQL for the retention period of your plan (30 days to 1 year), plus attachments in Cloudflare R2.
- Audit log — admin and security-sensitive actions (API key rotations, subscription changes) are logged for security and dispute resolution.
3. What we do not collect
- No advertising-network tracking cookies without your explicit consent.
- No analytics that identify individual users without consent. If you accept cookies, Google Tag Manager may load aggregate analytics (page views, feature interactions). No email addresses, message content, or personally identifying information is ever sent to analytics providers.
- No name, phone, address, or billing details (those live with Paddle/NOWPayments).
- No content of your messages for marketing, profiling, or ML training. Ever.
4. Third-party processors
| Provider | Purpose | Data shared |
|---|---|---|
| Paddle.com Market Ltd (UK) | Card payments, VAT | Email, billing details you enter on Paddle |
| NOWPayments (Estonia) | Crypto invoicing | Order ID, amount |
| Resend (USA) | Outbound transactional email + forwarding | Recipient email, message content |
| Cloudflare (USA / global) | CDN, DNS, R2 storage | IP address, request metadata, attachment files |
| Hetzner Online (Germany) | VPS hosting | Server-side data |
| Sentry (USA) | Application error tracking | Stack traces, scrubbed request metadata |
| Google AdSense (USA) | Ads on free plan, with consent | Standard AdSense cookies, only after consent |
| Google Tag Manager / Analytics (USA) | Aggregate analytics, with consent only | Page views, feature interactions — no PII, no email content |
5. International transfers
Some processors above are based outside the EU/EEA. Where required, transfers are protected by the European Commission's Standard Contractual Clauses (2021/914) and equivalent safeguards published by each processor.
6. How long we keep data
- Free inbox messages: 6 hours (TTL).
- Free-tier attachments in R2: deleted within 6 hours by a cron, and unconditionally within 7 days by R2 lifecycle.
- Premium messages: retention of your plan (30 / 180 / 365 days).
- Server access logs: 14 days.
- Audit log: 2 years.
- Account data after deletion: 30 days grace period, then erased except where law requires retention (e.g., invoices for 10 years per German HGB §257).
7. Your rights (GDPR / UK GDPR / CCPA)
If you are in the EU/EEA, UK, Switzerland, or California, you have the right to:
- Access your personal data.
- Correct inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent at any time (does not affect prior processing).
- Lodge a complaint with your local data-protection authority. In Germany this is your state DPA; you can also contact the BfDI.
Exercise these rights by emailing [email protected]. We respond within 30 days.
8. Cookies
tmnLocale— language preference. First-party. 1 year.tmn_session/tmn_admin— sign-in session. First-party. 30 days. HttpOnly, SameSite=Lax.tmnCookieAck— remembers you dismissed the cookie banner. First-party. 1 year.- AdSense cookies — only set after you grant consent on the free tier.
9. Children
We do not knowingly collect data from children under 16. If you believe a child has provided data to us, write to [email protected] and we will delete it.
10. Changes
Material changes will be posted here with a new effective date and announced in the dashboard at least 14 days in advance.