Privacy Policy
This page explains what Elusive collects, what it genuinely cannot see, and what it will never do. It matches how the product actually works. When the code changes, this page changes.
01 What we collect
We keep only what the service needs to work:
- Account details. Your username, a securely hashed password, and an optional nickname. No outside email address is required to sign up.
- Your addresses. The master and disposable addresses you create, their expiry timers, and which persona group they belong to.
- Delivery metadata. Who a message is from or to, and when it arrived. Delivery does not work without this, so we can see it. In end-to-end mode subject lines are encrypted, and message length is padded so ciphertext size does not hint at the content.
- Message contents, in server-managed mode only. Stored encrypted at rest with a key we hold. This is the trade you accept for convenient recovery and search.
We do not keep access logs of your requests, and message contents are never written to a log, on disk or in the console.
02 What we cannot see
When you turn on end-to-end encryption, your key is generated in your browser and never leaves it in a form we can use. From that point:
- We cannot read your message bodies.
- We cannot read your subject lines.
- In keyfile mode we hold no copy of your key at all, so there is nothing we could be forced to hand over.
This is not a promise to behave. It is a limit built into how the system works.
03 What we never do
- No ads, no trackers, no profiling. Your mail is not a product.
- No selling or sharing your data, to advertisers or to anyone else.
- No backdoor in keyfile mode. If you hold the only key, we cannot read your mail for anyone who asks.
- No logging of message contents. It is built in, not a toggle you have to trust.
04 Disposables and deletion
Disposable aliases are built to disappear. When one reaches its timer, or when its mail is first opened if you chose burn-on-read, the alias and every message it holds are permanently deleted. We do not retain a shadow copy. You can also delete any address or message yourself at any time, which removes it for good.
Account data that we do hold stays only as long as your account exists. Close your account and it is removed.
06 Mail you send out
Mail to addresses outside Elusive leaves over standard email transport. It travels encrypted in transit where the receiving server supports it, but once it arrives we cannot control what that server does with it. End-to-end protection only holds while your mail stays on Elusive.
07 Your choices
You control how private your mail is, and you can change it at any time from your settings. You can edit your profile, delete addresses and messages, enable two-factor authentication, and export your key in end-to-end mode. If you want your account and its data removed, closing the account does exactly that.
08 Security
Passwords are hashed with bcrypt. Private keys are locked with Argon2id, a memory-hard function that is slow to brute-force. Mail at rest is encrypted, and end-to-end mail is stored as armored PGP we cannot read. Our full security model, including its honest limits, lives on the security page. If you believe you have found a vulnerability, that page is the place to start.