Here at ox.io (Heinlein Support GmbH), data privacy is something we take very seriously. We have been specializing in secure data exchanging and privacy protection. To us, data privacy is not a necessary evil but a service we provide out of conviction; in fact, it’s our stated mission.
Still, even at ox.io, there is some customer data that we need to capture and store in order to guarantee seamless server operation, and with it, top security for your data. We also need to be able to show you that our systems are working as intended and that we are fulfilling our services to you as agreed.
Below, we describe in full exactly which data needs to be stored, where, for how long, and for what purpose it will be stored.
You need to provide details such as your name, your address, and optionally your bank details for direct debits, when you open an e-mail account with us. We cannot verify whether this data is correct. We are required to store this user data for as long as your ox.io account is active. If, on registering, you additionally let us know your telephone password, an alternative external e-mail address, or a telephone number, we also store this data for the eventuality that we need to help you in an emergency or send you a link for a password reset.
All the e-mails that you send and receive while using our mail platform, as well as all contacts, addresses, and files managed by our groupware, are stored on our servers’ encrypted file systems.
Where possible, certain data such as passwords is hashed for extra protection (i.e., encrypted without a decryption option), which means that no one here at ox.io is able to view this data.
After you terminate your contract and after any related issues have been resolved, we irreversibly delete all of your data stored in our system.
Exception: Like any other business, we are obliged by the tax office to retain invoice data within our accounting system for ten years. This means we need to store information about when we billed what amount to whom. Within the German tax code, there is no exception to this. This data can be accessed by the following: our administrators and support team. Some of this data may also be accessed by our accountants.
Some of our servers store log files, i.e., temporary data about who did what when, in order to monitor the operation of our servers for error tracing and for ensuring there is no unauthorized outside access to our systems.
Type: web server
Type: mail server SMTP
Type: mail server POP3/IMAP
Type: Customer management
On our https://ox.io website, we use Piwik, an open-source solution for analyzing visitor statistics. The reason we are using Piwik is that we do not want to be connected to the standard solution for web traffic analysis, Google Analytics.
We use Piwik to analyze where our website visitors come from, which contents are most relevant to them, and where there might be issues with our website. We never observe any of our visitors as identifiable persons. All data, including IP addresses, is exclusively stored as anonymized data.
We do not use Piwik at all on the web pages of ox.io Office, i.e., the pages where our users log in and communicate.
You can configure your web browser to reject cookies, but we’d like to point out that this may prevent you from using all the features provided on our website.
Storing parts of your data exclusively serves the purpose of letting us operate your mailbox securely. This data will never be used, analyzed, or shared for any other purpose. We have no interest in using your data for any advertising or market research purposes. We will not share any of your data with any third parties.
It is our aim to protect free communication through capturing as little customer data as possible, through technological measures such as consistent encryption to prevent surveillance, and through encouraging our customers to widely use the protective technologies available to them.
According to TKG Section 113 (German Telecommunications Law), the public prosecutor and the police can access the user data held by telecommunications providers such as ourselves relatively easily. A simple information request suffices; no court order is needed. According to TKG Section 113, a telecommunications provider has no legal recourse against such a request; it must comply. It should also be noted that according to TKG Section 113 (II), the provider is required to treat such a request confidentially, and that the affected customer must not be informed about the request.
Access to the log data of mail and web servers and to the e-mails contained in a mailbox, on the other hand, requires a search and seizure warrant signed by a judge, unless the investigative authorities can claim exigent circumstances. Telecommunications providers again have no legal recourse against search warrants; seizure of the log data cannot be denied.
In such a case, Heinlein Support, i.e., ox.io, has no choice but to hand over the data in question to the investigative authorities. If we failed to do so, we would face the seizure of entire servers when being searched, as well as our employees being arrested for contempt of court.
Conversely, we will never hand over any data unless the legal conditions for such a request or seizure are presented beyond doubt (so-called ‘anticipatory obedience’). We will unequivocally reject any police requests if they have insufficient legal backing, as it would be illegal for us to comply with such requests. All requests and pertaining issues are checked diligently and critically by us and our lawyers.
We have no way to determine whether the user details you have provided to us during registration are correct and relevant. If you encrypt your e-mail correspondence with GPG, we will furthermore be unable to make the contents of such e-mails readable.
If you have any further questions or concerns, please contact our Data Privacy Officer Peer Hartleben at firstname.lastname@example.org. We are additionally intending to employ a third-party data protection officer in the near future for added security.