mailbox.org

mailbox.org is a privacy-focused email service operated by Heinlein Support GmbH, a German company based in Berlin. Since its founding, mailbox.org has positioned itself as Germany’s digitally sovereign workplace—a comprehensive communication platform that combines secure email with cloud storage, office tools, video conferencing, and calendar functionality, all running exclusively from German data centers.

What distinguishes mailbox.org is its recent achievement of BSI C5 certification in January 2026, confirming full compliance with Germany’s Federal Office for Information Security cloud security criteria. This rigorous certification validates mailbox.org’s security practices at a level typically seen only in enterprise solutions, making it an attractive option for businesses and privacy-conscious individuals who need official security attestation.

All mailbox.org services run on servers located exclusively in Berlin, Germany, ensuring that user data never leaves German jurisdiction. The company is fully GDPR compliant and operates under German data protection law (Bundesdatenschutzgesetz). Unlike ad-supported email providers, mailbox.org’s business model is based entirely on subscriptions, eliminating any incentive to monetize user data.

The platform offers a complete productivity suite: email with PGP encryption support, cloud storage, online office tools (documents, spreadsheets, presentations), video conferencing, calendar, and contacts. The entry-level Light plan at just €1/month provides 2GB of email storage with full security features, while Standard and Premium plans add cloud storage, multiple aliases, and external mailbox integration.

mailbox.org allows anonymous registration—users don’t need to provide their real name. However, the privacy policy notes that IP addresses are stored at registration for anti-abuse purposes and compliance with criminal investigation requirements under German telecommunications law.

Key Features

• BSI C5 Certified: German Federal security certification achieved January 2026
• Complete Office Suite: Email, cloud storage, documents, video conferencing in one platform
• PGP Support: Built-in encryption for secure email communication
• Anonymous Registration: No real name required to create an account
• Berlin Data Centers: All data stored exclusively in Germany
• External Mailbox Integration: Fetch email from up to 25 external POP3 accounts
• 30-Day Free Trial: Test all features before committing

Privacy Highlights

mailbox.org operates on a strict data minimization principle. The privacy policy clearly explains what data is collected, how long it’s retained, and how it’s used. Metadata is kept for only 4-7 days. The company does not pass personal data to third parties, affiliates, or advertisers.

The service supports PGP encryption for emails, providing end-to-end encryption when communicating with other PGP users. Guard, their encryption feature, allows users to manage PGP keys through a web interface, though keys are stored on mailbox.org servers for convenience.

Privacy Breakdown

Data Residency (Score: 100)

Pros:

• All servers located in Berlin, Germany
• Full GDPR and German BDSG compliance
• BSI C5 security certification (January 2026)
• Data never leaves German jurisdiction

Cons:

• None identified

Confidence: High — BSI certification publicly documented.

Open Source (Score: 55)

Pros:

• Most frontend code is open source
• Uses open source components (Roundcube, Open-Xchange)
• Transparency reports published

Cons:

• Backend infrastructure code is proprietary
• Internal API and automation systems closed source
• Less auditable than fully open source alternatives

Confidence: Medium — confirmed via mailbox.org documentation.

Privacy Policy (Score: 82)

Pros:

• Clear, GDPR-compliant privacy policy
• Metadata retained only 4-7 days
• No data sold to third parties or advertisers
• Anonymous registration supported

Cons:

• IP address stored at registration for compliance
• Subject to German TKG Section 113 data access requirements

Confidence: High — policy reviewed January 2026.

Trackers (Score: 90)

Pros:

• Ad-free service
• No third-party advertising trackers
• No user tracking for marketing purposes

Cons:

• Some analytics may be present for service improvement

Confidence: Medium — based on service documentation.

Terms of Service (Score: 70)

Pros:

• Clear service terms
• User data ownership respected
• GDPR rights fully supported

Cons:

• German TKG compliance obligations for law enforcement
• Standard limitations of liability
• Account termination provisions for abuse

Confidence: Medium — ToS reviewed January 2026.