Gm, dear readers!
As promised, here is the second part of the article, originally published on dev.to. This is the last part, and it covers private mail providers. So let's discover them now!
Emails
Alright, onwards we go! We now have a private OS and a private browser, so we have successfully reduced the amount of spyware in our day-to-day activity on the internet. We keep our messages secure by using Signal or SimpleX, but what if we want to send and receive mail in a more private way? There are a couple of solutions for that too, and I highly recommend checking out the Privacy Savvy article. I think this blog is a huge source of knowledge when it comes to privacy (so shout out to them :D):
- ProtonMail
- TutaMail
- StartMail
- MailFence
- AtomicMail

TutaMail

Server Location: Germany
Founded: 2011
Business Model: Private company, no outside investors, subscription-based
Free Tier: Yes (very limited)
Privacy Tech Stack
Tuta's doing it right here. They encrypt everything – emails, subject lines, calendar events, contacts. Most providers skip subject lines (that's a metadata vector), but Tuta's like "nah." They've implemented TutaCrypt, a proprietary hybrid system using:
CRYSTALS-Kyber (post-quantum key exchange) + X25519
AES encryption for content
Zero-access architecture – they literally can't read your stuff, even if they wanted to.
They don't use PGP (which has known weaknesses), and their Android app doesn't pull in Google Play Services like ProtonMail's does.
Government Interventions & Data Compliance
No major data breaches on record.
Transparency Report (Jan-Dec 2025):
Received: 389 total requests from German courts
Complied: Only ~75 cases out of ~389 (they rejected 75% of requests)
Key insight: Tuta can only be compelled by German courts under German law. No backdoors, no FISA orders ever received. They publish a warrant canary confirming this.
What they CAN release: Metadata (sender/receiver emails, timestamps, IPs), NOT encrypted content
Notable incident (2019-2021): A German court tried to force Tuta to capture unencrypted incoming emails before they encrypted them – essentially creating a backdoor.
Tuta appealed, saying this violates German law. The court still ordered it, but Tuta refused to implement system-wide monitoring, only complying for specific cases. They appealed to the German Federal Court and stood firm. No data was handed over that compromised encryption.
False Accusations (2023): A former Canadian RCMP officer claimed Tuta was a "storefront" for Five Eyes intel agencies. Completely false. Tuta denied it, published their entire codebase on GitHub for peer review, and pointed out they've received zero FISA orders.
Availability
They support mobile apps for Android and iOS. They also have a Proton Mail desktop app, but this one is paid and is available for Linux, Windows and iOS.
Free Tier Details
Storage: ~1 GB
Aliases: 15-30 depending on plan
Accounts deleted after 6 months inactivity (this is intentional for privacy – they don't want ghost data)
Support: Forum-only for free users
Custom domain: No
IMAP: Not supported (design choice, not a limitation)
ProtonMail

Server Location: Switzerland
Founded: 2013
Business Model: NOT a non-profit – it's a for-profit company funded by investors. This matters because pressure to monetize is real.
Free Tier: Yes (extremely limited)
Privacy Tech Stack
End-to-end encryption for user-to-user emails (between ProtonMail accounts)
Zero-access encryption – they encrypt with your public key, can't decrypt
AES encryption for storage
Supports PGP for external recipients (standard, but not as comprehensive as Tuta's approach)
Does NOT encrypt subject lines – metadata leakage
Uses Google Play Services on Android (Tuta doesn't)
Government Interventions & Data Sharing – THIS IS CRITICAL
Confirmed data disclosures to law enforcement:
2021 French Climate Activist Case:
French police obtained ProtonMail user's IP address via Swiss legal channels. Activist was identified and arrested.
ProtonMail did comply – they had no "legal possibility to appeal"
2022-2023 FBI Case:
FBI obtained recovery email address and phone number from ProtonMail
User in US harassment investigation was de-anonymized
Again, ProtonMail complied
Transparency Report (2022):
5,957 data requests received
Complied with a significant portion – they don't break down exact numbers clearly.
They contest requests they can legally contest (~750 in 2022), but they will hand over metadata if Swiss courts order it
The Real Talk: ProtonMail markets itself with "Swiss privacy laws" but:
They can be legally compelled to enable real-time IP logging for specific users
They will share recovery emails, phone numbers, payment info, IP addresses
Swiss courts work with other governments – their "strict Swiss law" claim is marketing BS
They have secondary offices in the US, which complicates jurisdiction
No warrant canary. They don't publish a statement saying they've never received FISA orders (unlike Tuta).
Availability
They support PWAs and mobile apps for Android and iOS. They also have a Proton Mail desktop app, but this one is paid and is available for Linux, Windows and iOS.
Free Tier Details
Storage: 500 MB (brutally limited)
1 email address only
No folders (can't organize)
Limited sending (cap per day)
Paid plans start at $4.99/month – one of the most expensive
To me, Proton is like a "private Google": they are the most well-known and most visible (advertised) company providing private mail services and cloud services in general.
MailFence

Server Location: Belgium
Founded: 2013
Business Model: Subscription-based
Free Tier: Yes (limited)
Privacy Tech Stack
OpenPGP encryption (industry standard, not proprietary)
Encrypts emails, calendar, contacts
Zero-knowledge architecture
IMAP/SMTP support (unlike Tuta, easier migration)
Belgian servers under GDPR
Government Interventions
No major breaches reported.
Mailfence doesn't publish as detailed a transparency report as Tuta or ProtonMail, but they're transparent about responding to valid Belgian court orders and cannot decrypt encrypted content.
Availability
They support only PWAs and mobile apps for Android and iOS.
Free Tier Details
Storage: 500 MB
1 email address
Limited folders
Paid plans start at €2.75/month (cheaper than Proton)
StartMail

Server Location: Netherlands
Founded: 2013
Business Model: Subscription (no free plan)
Free Tier: No (7-day trial only)
Privacy Tech Stack
OpenPGP encryption (standard)
IMAP/SMTP support (great for external clients)
Dutch servers under GDPR
Unlimited aliases even on base plans
Government Interventions
Netherlands has reasonable privacy laws, but they can be compelled by Dutch courts. No major incidents reported.
Pricing
Starts at $5-7/month (no free option, which rules it out if you only want a free provider)
Honorable Mentions (Active but Limited Free Tiers)
Atomic Mail – The New Kid on the Block
Founded: 2024
Server Location: Germany
Free Tier: Yes (generous – unlimited storage, rare for new providers)
Availability
They only have PWA support, so you get an icon that takes you to your mail in the browser, which I find cool, and I really appreciate that they implemented a PWA.
Very new, so limited track record
Claims to have passed 1M users in <1 year
Offers unlimited storage free (vs. competitors' 500 MB-1 GB)
No security incidents yet (new service)
Cons: In beta, unproven long-term
Atomic Mail (The Underdog)

Location: Headquarters in Estonia, Servers in Germany
Founded: 2024 (launched by a team of privacy advocates and cybersecurity engineers)
Company Structure: AtomicMail Systems OÜ (private company, not a non-profit)
Current Status: Beta release (actively in development, iterating fast)
Growth Rate: Hit 1 million users in <1 year (straight up aggressive expansion)
Privacy & Encryption Tech Stack
Core Encryption Primitives:
ECIES (Elliptic Curve Integrated Encryption Scheme) – Asymmetric key exchange between Atomic users. Fast, modern, not some legacy PGP garbage.
AES-256 – Symmetric content encryption (industry standard, trusted by security researchers globally)
SHA-256 – Cryptographic hashing for data integrity verification
TLS 1.3 – In-transit encryption (TLS 1.2 is dated, they went for the newest standard)
BIP39 seed phrases – THIS IS THE CRYPTO TOUCH. Users recover accounts with a 12-word seed phrase (like a blockchain wallet), NOT a phone number or backup email. That's genuinely novel for email. No Five Eyes backdoor through phone carriers.
Zero-Access Architecture (The Real Deal):
Here's the trick – Atomic Mail uses a client-side encryption model:
Client encrypts before upload – Your plaintext message is encrypted on YOUR device
Server only sees ciphertext – It gets transmitted and stored as meaningless scrambled data
Only recipient decrypts – Private keys never leave your device
Atomic Mail literally can't read encrypted messages – Even if hackers breach them, or a government issues a court order, the data is mathematically useless without your private key
This is fundamentally different from ProtonMail (which CAN decrypt if forced) because the architecture prevents them from having the keys in the first place.
Data-at-Rest + Data-in-Transit Protection:
All emails encrypted at rest (AES-256)
All communication encrypted in transit (TLS 1.3)
7-day log retention for IP addresses and SMTP metadata (troubleshooting + spam/phishing detection). Logs auto-delete after 7 days.
User vault storage – All messages sit in encrypted user vaults on secure servers.
Government Compliance & Legal Requests
Atomic Mail's Policy (From Official Privacy Policy, Last Updated: March 3, 2026):
"We will only comply with requests from Estonian judicial authorities and will not honor requests from other authorities. Atomic Mail does not cooperate with voluntary surveillance programs."
So only Estonian courts can force Atomic Mail to comply
No FBI, no GCHQ, no Five Eyes – They explicitly refuse non-Estonian requests.
No secret surveillance programs – No FISA, no Tempora, no bulk metadata tapping.
Real-World Application:
If a US court demands data on an Atomic Mail user, Atomic Mail's legal stance is: "Get an Estonian court order or nothing happens." Since the US and Estonia don't have an automatic data-sharing treaty that works like that, this is effectively a firewall.
Third-Party Requests:
"We will not comply with requests for user information from private third parties unless we receive a valid court order from an Estonian court."
So even if Facebook or your ex's lawyer demands user data – no way. Only Estonian courts.
Data Breach History
As of April 2026: ZERO confirmed security incidents or data breaches on record.
Why does this matter?
They're new enough (founded 2024) that they haven't had time to accumulate the baggage of older providers.
Their encryption design means even if they were breached, attackers get useless ciphertext.
They practice extreme data minimization – less data = less to leak
Comparison: Tuta (been around since 2011) has no breaches. ProtonMail has complied with government data requests multiple times and handed over metadata. Atomic Mail's track record is clean, and the architecture prevents worst-case scenarios.
Unique Features (The Tech Deep Dive)
1. Seed Phrase Recovery (Borrowed from Crypto)
Instead of:
SMS OTP (SIM swap vulnerable)
Recovery email (metadata leakage)
Secret questions (brute-forceable)
Atomic Mail uses BIP39-compliant seed phrases – a 12-word mnemonic that only you hold. Even Atomic Mail's admins can't reset your password. This is inspired by blockchain wallet design (think MetaMask, hardware wallets).
Why it matters: No phone carrier backdoor, no recovery email dependency, mathematically sound.
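How a 12-word BIP39 phrase carries 128 bits of entropy plus a 4-bit checksum, and how the standard stretches it into a 64-byte seed. This is an added example following the public BIP39 specification, not Atomic Mail's code. It works on word indices (0-2047) because the 2048-word list is not embedded, the function names are illustrative, and how Atomic Mail turns the seed into account keys is not covered here.

```python
import hashlib
import secrets
import unicodedata

WORD_BITS = 11                       # 2048-word list -> 11 bits per word
VALID_ENT = (128, 160, 192, 224, 256)


def entropy_to_indices(entropy: bytes) -> list:
    """Entropy -> word indices: entropy bits followed by ENT/32 checksum bits."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENT:
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32         # 4 checksum bits for a 12-word phrase
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // WORD_BITS
    return [(value >> (WORD_BITS * (n_words - 1 - i))) & 0x7FF
            for i in range(n_words)]


def indices_to_entropy(indices: list) -> bytes:
    """Inverse mapping; raises ValueError when the checksum does not match."""
    total_bits = len(indices) * WORD_BITS
    cs_bits = total_bits // 33
    ent_bits = total_bits - cs_bits
    if ent_bits not in VALID_ENT or any(not 0 <= i < 2048 for i in indices):
        raise ValueError("not a valid BIP39 index sequence")
    value = 0
    for i in indices:
        value = (value << WORD_BITS) | i
    entropy = (value >> cs_bits).to_bytes(ent_bits // 8, "big")
    if entropy_to_indices(entropy) != list(indices):
        raise ValueError("checksum mismatch: a word is wrong or out of order")
    return entropy


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic'+passphrase."""
    def nfkd(s):
        return unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic),
                               nfkd("mnemonic" + passphrase), 2048, 64)


if __name__ == "__main__":
    idx = entropy_to_indices(secrets.token_bytes(16))   # fresh 128-bit phrase
    print(len(idx), "word indices:", idx)
    assert indices_to_entropy(idx)                      # round-trips cleanly
```

The 4-bit checksum is a typo guard, not authentication: a randomly substituted word still passes with probability 1/16. Anyone who obtains the 12 words can regenerate the seed, so the phrase needs the same protection as the private key itself.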
2. Multiple Encryption Options for External Recipients
Can't encrypt to Gmail users with ECIES (they're not on Atomic).
Solutions:
Password-Protected Email – Send encrypted message, recipient enters password
Encrypted as File – Send encrypted .zip file via any channel
TLS – Standard in-transit encryption (basic, but better than plaintext)
3. AI Suite (Privacy-First)
The Plus plan includes AI tools:
Writing assistant
Grammar checker
Summarizer
Translator
Security Helper (flags sensitive content in drafts, suggests encryption)
Text-to-voice
Critical: These AI tools can only process unencrypted drafts. They can't touch your encrypted emails. Zero training data on user messages.
4. Anonymous Email Aliases
Create up to 10 free unique email addresses from one account. Use them for:
Newsletter signups (throwaway)
Financial accounts (separate identity)
Work vs. personal (compartmentalization)
If one alias gets compromised in a data breach, you know exactly which service leaked it, and you can nuke that alias without affecting your main inbox.
5. Availability
They currently have apps available for iOS, Android, macOS and Windows. What actually surprised me is that they do not have a Linux version yet, and I would really love to have one. What is also disappointing to me is that they do not support PWA, which would let me have an icon on my screen for quicker access.
To be honest, I have an account with three of the providers listed (Tuta, Atomic Mail and Proton), and Atomic Mail is becoming my favorite of them all. Their UI is slick and they have a nice privacy policy. Sure, it's still quite young, but I root for them to reach even a billion users.
Summary
This is 2/8 of our privacy journey. I hope you enjoyed it this time and that I convinced you to switch over to one of the messengers or mail providers.
Let me know down in the comments. In the next post there will be more info on AI and payments. I rearranged the order with Firewalls and VPNs, because I'm almost done with full research on this part.

So stay tuned, because things might get much more interesting in the future than before, and I will have a surprise for you.

Don't forget to leave a like and follow my account for more privacy-focused content. Also, please share the article with your fellows (devs) or family to spread more awareness of privacy on the internet.

That's it for today, hope you'll have a great time and until next time.
Cheerio !