Privacy Policy
Last updated: March 30, 2026
1. Data Controller
Lazy (Einzelunternehmen)
Max Hufschlag
Martinstraße 10-12
52062 Aachen
Germany
Email: contact@lazy.space
USt-IdNr: DE449897418
2. Scope
This privacy policy applies to the FAE mobile app (iOS) and the website fae-mail.com. It describes which personal data we collect, how we process it, the legal basis for processing, and the rights available to you.
3. Legal Basis for Processing
We process personal data on the following legal bases under Art. 6(1) GDPR:
| Legal Basis | Processing Activity |
|---|---|
| Art. 6(1)(b) — Contract performance | Account creation, email alias management, email receiving and delivery, reply functionality, subscription management |
| Art. 6(1)(f) — Legitimate interest | Abuse prevention, rate limiting, bounce and complaint management, infrastructure security |
| Art. 6(1)(a) — Consent | Push notifications (revocable at any time via device settings) |
| Art. 6(1)(c) — Legal obligation | Tax retention obligations, regulatory disclosure requests |
4. Data We Process
App usage:
- Account email address (for authentication and alias mapping)
- Created alias addresses and their status (active/paused)
- Email metadata (sender, recipient, timestamp, subject line)
- Email content — solely for delivery, display, and reply functionality
- Subscription metadata: pseudonymous user identifier, subscription status, expiry date (processed by subscription management service)
- Device token for push notifications (only with consent)
Website (fae-mail.com):
- Contact form: name, email address, message
- Technically necessary cookies for language setting
IP addresses are processed solely for technical delivery and are not stored persistently. We do not create user profiles or use any analytics or advertising tools.
Providing your email address is required to use the FAE service (contract performance under Art. 6(1)(b) GDPR). Without it, no account can be created and the service cannot be provided. Consent to push notifications is voluntary and does not affect your use of the service.
5. Purpose of Processing
- Providing the email alias service (creating, receiving, displaying, replying)
- Managing user accounts and subscriptions
- Delivering push notifications (with consent)
- Abuse detection and rate limiting
- Processing bounce and complaint reports (see Section 11)
- Responding to support requests
We do not sell data and do not operate a tracking-based advertising model.
6. Data Storage and Location
Email content, aliases, and metadata are stored in the European Union:
- Email infrastructure: AWS eu-central-1 (Frankfurt)
- Relational database (PostgreSQL): EU (Frankfurt)
Subscription metadata (pseudonymous user identifier, subscription status) is processed by the subscription management service in the US. Email content and addresses do not leave the EU.
7. Encryption
Data is encrypted at rest with AES-256 and in transit with TLS 1.2+. FAE is not an end-to-end encrypted messenger — email content is processed server-side to enable delivery and reply functionality.
8. Sub-processors
We use the following sub-processors. Services are described by category; certifications are as of last review.
| Category | Purpose | Location | Certifications |
|---|---|---|---|
| Cloud infrastructure (AWS) | Email receiving, delivery, storage | EU (Frankfurt) | ISO 27001, SOC 2 Type II |
| Relational database (PostgreSQL) | User accounts, alias management, authentication | EU (Frankfurt) | SOC 2 Type II |
| Subscription management (RevenueCat) | In-app purchases, subscription status | US | SOC 2 Type II |
| Push notifications (Apple APNs) | App notifications | Global | ISO 27001 |
| Website hosting (Vercel) | Marketing website, contact form | EU (serverless functions: Frankfurt) | ISO 27001, SOC 2 Type II |
A complete and current list of our sub-processors can be requested at any time at contact@lazy.space.
9. International Data Transfers
Email content and addresses are exclusively processed and stored in the EU. For services that process data outside the EEA, the following safeguards apply:
| Service | Data Transferred | Transfer Mechanism |
|---|---|---|
| Subscription management (US) | Pseudonymous user identifier, subscription status | Standard Contractual Clauses (SCCs) per EU Commission Decision 2021/914 |
| Push service (global) | Device token (pseudonymous) | Standard Contractual Clauses (SCCs) |
10. Data Retention
| Data Category | Retention Period |
|---|---|
| Active account | As long as the account exists |
| Disabled aliases | Data retained until account deletion |
| Account deletion | Access ends immediately; remaining data removed within 30 days |
| Contact form | 90 days after request is resolved |
| Server logs | Automatically purged after 14 days |
| Billing records | Per tax retention obligation (§ 147 AO): 10 years |
11. Email Delivery and Complaint Handling
FAE operates its own email infrastructure. To maintain delivery quality and comply with our email provider's requirements, we process bounce and complaint reports as follows:
- Hard bounces: Recipient addresses that hard-bounce are automatically suppressed and cannot receive further replies.
- Complaints: Recipient addresses that report a FAE message as spam are added to the suppression list. Further replies to those addresses are blocked.
- Monitoring: Bounce and complaint rates are continuously monitored to protect delivery reputation.
Abuse can be reported at abuse@fae-mail.com.
12. Cookies and Tracking
The FAE website does not use tracking cookies, analytics tools, or retargeting. Only technically necessary cookies for language settings are used (Art. 6(1)(f) GDPR, § 25(2) TDDDG). The FAE app does not set cookies and contains no tracking SDKs.
13. Data Sharing
We only share personal data when:
- required to provide the service (see sub-processors, Section 8)
- required by legal obligation (e.g., court order)
We do not sell personal data. We do not share data with advertising networks or data brokers.
14. Automated Decision-Making
We do not use automated decision-making including profiling within the meaning of Art. 22 GDPR. No decisions are made that are based solely on automated processing and that produce legal effects concerning you or similarly significantly affect you.
15. Your Rights (GDPR)
You have the following rights regarding your personal data:
- Access (Art. 15) — Obtain a copy of your stored data
- Rectification (Art. 16) — Correct inaccurate data
- Erasure (Art. 17) — Request deletion of your data
- Restriction (Art. 18) — Request restriction of processing
- Data portability (Art. 20) — Receive your data in a machine-readable format
- Objection (Art. 21) — Object to processing based on legitimate interests
- Withdrawal of consent — Withdraw given consent at any time with future effect
- Complaint (Art. 77) — Lodge a complaint with the competent supervisory authority (see Section 17)
To exercise your rights, contact us at contact@lazy.space. We will respond within 30 days.
16. Data Breach Notification
In the event of a data breach that is likely to pose a risk to your rights and freedoms:
- We will notify the competent supervisory authority within 72 hours (Art. 33 GDPR).
- In cases of high risk, we will notify affected users without undue delay via email (Art. 34 GDPR).
17. Supervisory Authority
The competent supervisory authority is:
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
Kavalleriestr. 2–4
40213 Düsseldorf
Germany
www.ldi.nrw.de
18. Changes
We reserve the right to update this privacy policy as needed. Material changes will be communicated through the app or via email. The current version is always available at fae-mail.com/en/privacy.
19. Contact
For privacy-related questions:
Lazy
Attn. Max Hufschlag
contact@lazy.space