Privacy Policy

Version 1.0 — Effective February 20, 2026

ASTIS LLC ("ASTIS", "we", "us") provides the Services at astis.io. This Privacy Policy describes how we collect, use, disclose, and retain personal data when you use the Services, our websites, and related support.

1. Key Principles (What We Do / Do Not Do)

Client-side encryption for message content

  • Email message content is encrypted and decrypted within the ASTIS client application (web app, PWA, mobile app, desktop plugin, or other client form factor) using client-side cryptography. Plaintext email content is handled only within the client application on the user's device.
  • ASTIS servers do not see or store plaintext email content.

Session keys (SKEY) and Key Rewrap

  • The Services may store encrypted session-key capsules ("SKEY Capsules") to enable access workflows.
  • We do not store plaintext SKEY.
  • Key Rewrap: When a recipient registers and provides a public key, ASTIS may transiently process SKEY in plaintext in memory solely to re-encrypt (rewrap) the SKEY Capsule to the recipient's newly provided public key. Plaintext SKEY is not persisted.

Pre-registration recipients

  • For recipients who have not yet registered with ASTIS, we store a pseudonymized identifier derived from the recipient's email address (e.g., cryptographic hash or HMAC) together with the encrypted SKEY Capsule.
  • This data is used solely to enable Key Rewrap and policy enforcement once the recipient registers and provides a public key. It is not used for marketing, profiling, or any other purpose.

TTL and data retention

  • TTL (Time-to-Live) controls access expiry: after TTL expires, ASTIS will no longer release or rewrap the SKEY Capsule — the message can no longer be decrypted via ASTIS.
  • TTL expiry does not automatically delete the encrypted capsule record. Retention and deletion of expired records is governed by plan-based retention policies and applicable data protection obligations.

OpenPGP key management

  • Public keys (WKD): ASTIS operates a Web Key Directory (WKD) service on ASTIS infrastructure for distributing users' public OpenPGP keys. Public keys are intended to be shared openly and do not contain private key material.
  • Private keys (CVS): Private OpenPGP keys are managed via the CryptoVault Service (CVS), which runs on ASTIS infrastructure by default. For Enterprise customers with HYOK (Hold Your Own Key), CVS can be deployed on Customer infrastructure for full key custody control.

2. What Personal Data We Collect

(A) Account and subscription data

  • Email address (account/admin)
  • Organization name (if provided)
  • Plan and subscription status
  • Basic account security events (e.g., verification status)

(B) Service operational data (minimal metadata)

Depending on configuration, we may process:

  • Tenant/org identifiers, user IDs
  • Policy/audit events (e.g., allow/deny outcomes for Key Rewrap, timestamps)
  • Security logs (e.g., IP address/user agent) if enabled for abuse prevention and security monitoring

(C) Transactional email data (OTP / verification)

We send authentication and verification emails (e.g., one-time passcodes, sign-in codes, verification links) via a transactional email provider.

  • Recipient email address
  • Message content required to deliver the OTP/code/link
  • Delivery metadata (status, timestamps)

(D) Support communications

If you contact us, we process the information you provide (emails, tickets, attachments you choose to send).

(E) Website analytics (cookieless)

Our website may use cookieless analytics to understand general usage (e.g., page views, referrers/UTM, device/browser category, country/region at a coarse level). These analytics are designed to avoid tracking cookies. See our Cookie & Tracking Policy.

3. How We Use Personal Data

We use personal data to:

  • Provide, maintain, and secure the Services
  • Perform Key Rewrap and generate associated audit events (where enabled)
  • Authenticate users and send OTP/verification emails
  • Provide customer support
  • Prevent fraud/abuse and protect platform security
  • Comply with legal obligations (billing records, lawful requests)

4. Legal Bases (GDPR)

Where GDPR applies, we process personal data under the following bases:

  • Contract: to provide the Services you request
  • Legitimate interests: security, fraud prevention, service improvement (balanced against your rights)
  • Legal obligation: accounting/tax compliance, responding to lawful requests
  • Consent: where required for specific optional activities (if any)

5. Sharing and Disclosures

We share personal data with:

  • Subprocessors (service providers) listed at /legal/subprocessors (e.g., edge/security, billing, transactional email delivery)
  • Law enforcement/government authorities where required by law
  • Professional advisors (legal/accounting) under confidentiality

We do not sell personal data.

6. Integrations: Customer-Controlled Third-Party Services

If you connect third-party email providers (e.g., Google Workspace/Gmail, Microsoft 365), those providers are chosen and controlled by you (or your organization) under your agreement with them. ASTIS does not provide email hosting and does not control those providers.

OAuth tokens to email providers: When you authorize ASTIS to connect to your email provider (e.g., Gmail, Microsoft 365), OAuth access and refresh tokens are stored client-side on your device (PWA / web / mobile / tablet / PC). ASTIS servers do not store your email provider OAuth tokens. You can revoke access at any time through your provider's settings.

ASTIS authentication tokens: Access and refresh tokens used for authentication to ASTIS internal systems are stored on ASTIS servers, encrypted at rest, as part of standard session management.

7. Google API Services — Limited Use Disclosure

ASTIS Mail's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Gmail Data Usage

ASTIS Mail accesses Gmail data solely to provide email client functionality — reading, sending, and organizing messages on behalf of the authenticated user. Gmail message content is decrypted and processed exclusively on the user's device. No Gmail message content, metadata, or credentials are transmitted to or stored on ASTIS servers.

Gmail data is not used for advertising, not sold to third parties, and not used for any purpose beyond operating the email client.

8. Data Location

ASTIS Services are hosted on dedicated servers. Deployment regions are configured based on Customer requirements (e.g., EU, US, or other regions as agreed). For specific data residency needs, contact [email protected]. Some subprocessors may process data in other regions as described in their own terms. See /legal/subprocessors.

9. Data Retention

  • Account data: retained while your subscription is active, then typically up to 30 days after deletion/termination (unless legally required to retain longer).
  • Audit/security logs: retained according to plan (e.g., 90 days / 1 year / Enterprise-custom).
  • Backups: encrypted backups may be retained up to 30 days.
  • Transactional email (OTP): retained per operational needs and provider delivery logs for a limited period.

10. Security

We implement technical and organizational measures to protect data, including encryption in transit, access controls, logging, and incident response processes. See /security.

11. Your Rights

Depending on your location, you may have rights to:

  • Access, correct, delete, or export your personal data
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with a supervisory authority

To exercise rights, contact [email protected].

12. International Transfers

Where personal data is transferred internationally, we use appropriate safeguards (e.g., Standard Contractual Clauses) where applicable. See our DPA for details.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You may request what personal information we collect, use, disclose, and sell (if applicable).
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: ASTIS does not sell personal information and does not share personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact [email protected]. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

14. Children's Privacy

ASTIS is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and updating the version number. Continued use of our Services after changes constitutes acceptance of the revised policy.

16. Contact

ASTIS LLC