Security is not a feature. It is our architecture.

Privacy was not bolted on as an afterthought. This is how FAE was built from the ground up.

AES-256 · EU-only · Reply-Only · GDPR-compliant
01 / Architecture

How emails flow through FAE

FAE operates as a proxy between the internet and you. No email provider is replaced, none is bypassed. Your real email address exists exclusively in our auth system — it is never exposed to any sender or recipient.

The entire mail flow runs through AWS SES (Simple Email Service) with EU infrastructure. Every incoming message passes through the following stages:

Inbound Email Flow

What happens when someone emails your alias

Sender (e.g. Netflix) → SMTP → MX Record (fae-mail.com) → TLS 1.2+ → AWS SES (Receiving) → Encrypted → S3 + DB (AES-256) → Push → FAE App (Your Device)

Reply Flow (reversed)

FAE App (Your Reply) → Validated → Validation (Inbound Check) → TLS 1.2+ → AWS SES (Sending) → SMTP → Recipient (Sees Only Alias)

Your real email appears nowhere in the flow.

Neither the original sender nor the recipient of your reply ever sees your real address. It exists exclusively in our encrypted auth system.

02 / Reply-Only Constraint

Replies only. No spam. By design.

FAE users cannot compose new emails or send to arbitrary addresses. The only outbound path is replying to an already received message. This is not a limitation — it is a deliberate architectural decision.

Every outgoing message is programmatically validated against the corresponding incoming message. Without a valid inbound original, there is no outbound. This makes FAE systemically incapable of being abused as a spam tool.

The reply-only principle makes FAE a privacy tool — not a spam platform.

What the reply-only principle guarantees

  • Users cannot send to arbitrary addresses
  • Every outgoing message is bound to an inbound original
  • Validation is server-side — not bypassable in the client
  • Rate limiting: 20 replies per alias/day, 2 per inbound message
  • Mass emails are architecturally impossible
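
The server-side check and rate limits listed above, sketched as an added example (not FAE's own code). The `Inbound` record, the `ReplyGate` class and the in-memory counters are hypothetical, and taking the recipient from the stored original's sender is an assumption about how a reply is bound to its inbound message.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

MAX_PER_ALIAS_PER_DAY = 20  # limits stated on the page
MAX_PER_INBOUND = 2

@dataclass(frozen=True)
class Inbound:               # hypothetical record stored when mail is received
    message_id: str
    alias: str
    sender: str

class ReplyGate:
    """Server-side gate: an outbound message exists only as a reply to a stored inbound."""

    def __init__(self, stored):
        self.inbound = {m.message_id: m for m in stored}
        self.per_inbound = Counter()    # message_id -> replies sent
        self.per_alias_day = Counter()  # (alias, day) -> replies sent

    def authorize(self, alias, in_reply_to, day):
        """Return (allowed, reason, recipient). The recipient comes from the
        stored original (assumption), never from the client request."""
        original = self.inbound.get(in_reply_to)
        if original is None:
            return False, "no inbound original", None
        if original.alias != alias:
            return False, "original belongs to another alias", None
        if self.per_inbound[in_reply_to] >= MAX_PER_INBOUND:
            return False, "per-message limit reached", None
        if self.per_alias_day[(alias, day)] >= MAX_PER_ALIAS_PER_DAY:
            return False, "daily alias limit reached", None
        # In a real service the check and these increments must be atomic
        # (e.g. one database transaction), or concurrent requests can overshoot.
        self.per_inbound[in_reply_to] += 1
        self.per_alias_day[(alias, day)] += 1
        return True, "ok", original.sender

# Constructed sample data: alias local parts and senders are made up.
STORE = [Inbound(f"m{i}", "shop@fae-mail.com", f"sender{i}@example.com") for i in range(11)]
STORE.append(Inbound("x1", "other@fae-mail.com", "news@example.org"))

if __name__ == "__main__":
    gate, today = ReplyGate(STORE), date(2025, 1, 1)
    for alias, ref in [("shop@fae-mail.com", "m0")] * 3 + [
            ("shop@fae-mail.com", "nope"), ("shop@fae-mail.com", "x1")]:
        print(alias, ref, gate.authorize(alias, ref, today))
```

Rejected requests do not consume quota, so a client probing with invalid message IDs cannot exhaust an alias's daily allowance.
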
03 / Encryption

AES-256 at rest. TLS 1.2+ in transit.

Every email stored in FAE is encrypted with AES-256 — the same standard used by financial institutions and governments worldwide. In transit, TLS 1.2+ secures every connection.

| Aspect | Standard | Details |
| --- | --- | --- |
| Storage (at rest) | AES-256 | All email content, metadata, and attachments in S3 and database |
| Transmission (in transit) | TLS 1.2+ | All connections: SES receiving, API communication, app sync |
| Auth data | Hashed + salted | Passwords are never stored in readable form |
| API communication | HTTPS only | Strict HSTS enforced |
| Push notifications | APNs (TLS) | Apple Push Notification Service with encrypted connection |

We don't read your emails. We don't analyze them. We don't sell anything. Our only source of revenue is your subscription.

04 / GDPR Compliance

GDPR is not a feature. It is the foundation.

All data is stored in the European Union — AWS eu-central-1 (Frankfurt). Subscription metadata is processed via RevenueCat (USA); email content does not leave the EU. GDPR rights under Articles 15-20 are built directly into the app — no support ticket needed.

Right of Access

See what data we store about you at any time — accessible directly in the app.

GDPR Art. 15

Rectification

Correct inaccurate data yourself at any time through your profile.

GDPR Art. 16

Right to Erasure

Delete your account and all data. Access ends immediately. Remaining data is removed within 30 days.

GDPR Art. 17

Data Portability

Export all your data in a machine-readable format.

GDPR Art. 20

| Requirement | Status | Implementation |
| --- | --- | --- |
| EU data storage | Active | Exclusively AWS eu-central-1 (Frankfurt) |
| Data Protection Officer | Contact | contact@lazy.space |
| DPA (Data Processing Agreement) | Available | On request for B2B customers by email at contact@lazy.space |
| Privacy by Design | Implemented | Minimal data collection, purpose limitation, alias isolation |
| Consent management | Implemented | Opt-in for push notifications, granular settings |

05 / Infrastructure

Who processes your data?

Transparency is non-negotiable. Every service involved in processing your data — visualized with data flow, purpose, and location.

EU Data Space

Email Pipeline

  • AWS SES (EU): Email receiving & sending. MX Receiving, SMTP Sending, TLS 1.2+. Location: eu-central-1 (Frankfurt).
  • AWS S3 (EU): Email storage. AES-256, encrypted at rest. Location: eu-central-1 (Frankfurt).
  • AWS Lambda (EU): Serverless logic. Validation, Routing, Reply Check. Location: eu-central-1 (Frankfurt).

Database & Auth

  • Neon (EU): Database & authentication. PostgreSQL, Auth (JWT), Serverless. Location: EU (Frankfurt).
  • Vercel (EU): Website hosting. Static/SSG, CDN. Location: EU (fra1).

Outside EU

Payments & Distribution

  • RevenueCat (Limited): Subscription management. Subscription status, Transaction IDs. Location: US. No email content. Limited subscription metadata with pseudonymous user identifier.
  • Apple (Global): Push & distribution. APNs, App Store. Location: Global (Apple infrastructure). Device token + app metadata. No email content.

Your Device

FAE App · iOS · Encrypted connection

All email data stays in the EU.

The entire email pipeline — receiving, storage, processing, sending — runs exclusively on EU infrastructure (AWS eu-central-1, Frankfurt). Services outside the EU receive no email content. Subscription metadata is processed via RevenueCat (USA).

06 / Report Abuse

Zero tolerance for abuse.

FAE is a privacy tool — not a vehicle for spam, harassment, or illegal activity. We take every abuse report seriously and act quickly.

Report abuse from a @fae-mail.com address

If you have received unwanted emails from a @fae-mail.com address, report it to us:

contact@lazy.space

Please include the following information:

  1. The full email headers of the unwanted message
  2. The @fae-mail.com address the message came from
  3. A brief description of the issue
  4. Your contact details for follow-up (optional)

We respond to all abuse reports within 24 hours. Violations of our terms of service result in immediate account suspension.

More questions about security?

Our team is happy to help.
