The General Data Protection Regulation (GDPR) is a new European Union law about now companies deal with user data. While we are not a EU company and do not currently have any European customers, we wanted to take this opportunity to make our practices clear.
Covisp does not process any payment information directly, and stores no information about credit cards, bank accounts, or any other kind of financial data. We will send bills only to local email accounts, so do not store any other email accounts.
Passwords are stored only encrypted using SHA-256 encrypting with a random salt. Account details, including email addresses and real names as well as other email addresses are entirely under the user;s control through Postfix Admin.
Users can delete their email accounts at any time, which will irrevocably remove their email and password from our database. At this time that will not remove any stored email, websites, or backups automatically, but these will all be removed (or archived and sent to the user if requested) as soon as requested.
For active accounts all email is under the users control, and can be deleted from the mail server or moved to local storage, but backups of the email are stored locally. The backup period is variable, but currently is at least 7 days. Non-spam mail is generally stored for longer.
We no longer allow forwarding mail to other providers, but providers are free to use standard IMAP tools to collect your email. That will be the responsibility of those providers. POP3 access is only available for users who are transferring all of their mail to another provider. While this means mail will not be stored long-term in user accessible storage, it may be backed up with all other mail, but there is no guarantee that POP3 mail will be backed up at all.
Email is stored in plain text, and is accessible to anyone with admin access to the mail server. Databases and website data is not encrypted by default, though a user is free to do so. ALL data belongs to the owner of the account which that data is under (for example, an email account for a user's friend the user creates belongs to the user, not the friend) and will be deleted at the sole discretion of the account owner. Archives of the data will be provided to the account owner using standard formats (generally a compressed tar archive of all files).
Only the person who establishes an account with us is authorized to delete or change the account, or a previously authorized representative for that account. If the owner of the account is not available we will need documentation to transfer ownership of an account to someone else. Accounts established in the name of a business are owned, as far as we are concerned, in joint ownership by the representative who established the account and the primary person at that company (CEO, President, Senior Partner, etc). In practice, anyone who has access to the admin password for the account has the ability to delete the account, and that password is assumed to be secured and available only to authorized representatives. A strong password is the user's responsibility. We provide tools for generating secure passwords and provide top-level encryption. A reasonable password will take millions of years, if not more, to decrypt.