Privacy Policy

Last updated: 20.04.2026

1. Introduction

This Privacy Policy explains how Bjoern Olausson trading as BEO ("Provider", "we", "us") collects, uses, and protects personal data in connection with our software products: Android Sync for Proton and Mail Checker for Proton Mail. We are committed to protecting your privacy in compliance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telemedia and Telecommunications Data Protection Act (TDDDG).

2. Data Controller

Bjoern Olausson trading as BEO
Martha-Brautzsch-Str. 13
06108 Halle (Saale)
Germany
Email: mail+legal@olausson.de
Website: https://olausson.de

3. Data We Collect

3.1 Purchase and Account Data (processed by Paddle)

When you purchase our products, our payment processor Paddle.com Market Limited ("Paddle") collects and processes the following data as an independent data controller:

- Name and email address
- Billing address
- Payment information (credit card, PayPal, etc.)
- Transaction details and invoice data
- IP address and device information for fraud prevention
- VAT/tax identification numbers where applicable

Paddle's privacy policy applies to this data: https://www.paddle.com/legal/privacy

We receive from Paddle: your email address, country, transaction ID, product purchased, and subscription status. We use this data to manage your license and provide customer support. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

3.2 Android Sync for Proton

This app processes the following data locally on your device. We distinguish between what is encrypted at rest, what is stored as plaintext in Android's system-level databases, and what is held only in memory during a sync cycle:

Encrypted at rest (AES-256-GCM via the Android Keystore, hardware-backed on supported devices):
- Mailbox passphrase
- Access and refresh tokens (held in Android's AccountManager, additionally protected by Android's file-based encryption while the device is locked)

Plaintext at rest (in Android's standard system databases):
- Synced Proton contacts (names, phone numbers, email addresses, addresses, photos, organizations, birthdays, notes, and other contact fields) – written to Android's ContactsProvider, the same system database used by Google Contacts, Samsung Contacts, and every other Android sync adapter
- Synced Proton calendar events (event titles, descriptions, locations, dates, times, recurrence rules, reminders, attendees) – written to Android's CalendarProvider, the same system database used by Google Calendar and other sync adapters

Because these items live in Android's system-level providers after sync, they are accessible to any other app on your device that you have granted the READ_CONTACTS or READ_CALENDAR permission to – exactly as with any other Android account that syncs contacts or calendar. This is how the integration with your phone's dialer, lock screen, watch, and other calendar/contact apps is made possible.

In memory only (never persisted on disk by the app):
- Decrypted contact and event content during the sync cycle (released as soon as the sync finishes)
- Unlocked PGP private keys (re-derived fresh from the encrypted mailbox passphrase on each sync; not cached across syncs)

Important: All contact and calendar data is transmitted exclusively between your device and Proton's servers using end-to-end encryption (PGP for contacts, calendar-specific keys for events). We do not have access to, collect, store, or process any of your contact, calendar, or authentication data on our servers. The app does not contact any third-party servers, does not contain any analytics, telemetry, or tracking functionality, and does not share data with advertisers or other third parties.

3.3 Mail Checker for Proton Mail

This extension processes the following data locally in your browser. We distinguish between what is encrypted at rest, what is stored as plaintext in the browser's extension storage, and what is held only in memory during an active session:

Encrypted at rest (stored in browser.storage.local, AES-256-GCM):
- Mailbox key password (used to unlock your PGP keys)
- Access and refresh tokens

Plaintext at rest (stored in browser.storage.local):
- Account metadata (email address, user ID, display name)
- Message metadata (unread counts, message IDs, folder state, subject lines, sender addresses, timestamps, read status, labels)
- Extension settings and preferences (notification preferences, polling intervals, UI settings)

In memory only (never written to disk):
- Decrypted PGP private keys (held only while the background script is running)
- Decrypted message bodies and short preview snippets used by the popup
- Contact data used for recipient autocomplete when composing (per-account cache with a 5-minute time-to-live)
- Attachments (fetched on demand, never cached)

Important: Authentication uses Proton's Secure Remote Password (SRP-6a) protocol; your password is never transmitted in plaintext. All OpenPGP decryption happens locally in your browser using OpenPGP.js. The extension does not include analytics or telemetry, does not track your browsing activity, and does not share data with advertisers or other third parties.

Network destinations: The extension contacts Proton's servers (*.proton.me) for all mail, calendar, authentication, and contact traffic. During Proton's human-verification flow, the extension may load hCaptcha resources from *.hcaptcha.com as required by Proton's login process. For Pro subscriptions, the extension additionally contacts a license-validation endpoint at mcpm-license.olausson.de operated by us, which receives the license key and a purchase identifier for verification purposes only (no mail, contact, or calendar data is transmitted to this endpoint).

4. Data We Do NOT Collect

To be explicit, we do NOT:

- Operate any servers that receive, store, or process your personal mail, contact, or calendar data. The only servers operated by us are the license-validation endpoint for Mail Checker Pro subscriptions (mcpm-license.olausson.de), which receives only a license key and purchase identifier. Payment processing is handled by Paddle as described in Section 3.1.
- Collect analytics, telemetry, or usage statistics
- Track your location or browsing behavior
- Share, sell, or transfer personal data to third parties (other than Paddle as described above)
- Use cookies or similar tracking technologies
- Process data for profiling or automated decision-making

5. Purpose and Legal Basis for Processing

We process data for the following purposes:

(a) License management and customer support – We use transaction data received from Paddle to verify your license and provide support. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

(b) Communication – We may use your email address to send important product notifications (security updates, breaking changes, end-of-life notices). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in keeping customers informed about critical product matters).

(c) Legal compliance – We may process data as required by German tax and commercial law. Legal basis: Art. 6(1)(c) GDPR (legal obligation).

6. Data Retention

- Transaction data received from Paddle: Retained for the duration of your license and for up to 10 years thereafter as required by German tax retention obligations (Section 147 AO, Section 257 HGB).
- License-validation data (mcpm-license.olausson.de): License key and purchase identifier retained for the duration of your active subscription plus up to 90 days after cancellation for refund and reactivation handling. Request logs (timestamp, license key) retained for up to 30 days for abuse prevention.
- Support correspondence: Retained for up to 3 years after the last interaction, unless longer retention is required by law.
- Local app/extension data: Stored on your device only. Deleted when you uninstall the app or extension, or remove your account from the app.

7. Data Sharing

We share personal data only with:

(a) Paddle.com Market Limited – Our Merchant of Record for payment processing. Paddle acts as an independent data controller for payment data. Paddle is based in the UK and complies with GDPR through UK adequacy arrangements.

(b) Law enforcement or regulatory authorities – Only if required by applicable German or EU law.

We do not sell personal data. We do not share personal data with advertisers or marketing companies.

8. International Data Transfers

Your purchase data may be processed by Paddle in the United Kingdom. The European Commission has recognized the UK as providing an adequate level of data protection. No other international data transfers occur, as our products process all user data locally on your device.

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

(a) Right of access (Art. 15 GDPR) – You may request information about what personal data we process about you.

(b) Right to rectification (Art. 16 GDPR) – You may request correction of inaccurate data.

(c) Right to erasure (Art. 17 GDPR) – You may request deletion of your data, subject to legal retention obligations.

(d) Right to restriction of processing (Art. 18 GDPR) – You may request that we restrict processing of your data under certain circumstances.

(e) Right to data portability (Art. 20 GDPR) – You may request your data in a structured, commonly used, machine-readable format.

(f) Right to object (Art. 21 GDPR) – You may object to processing based on legitimate interests at any time, for reasons arising from your particular situation.

(g) Right to withdraw consent (Art. 7(3) GDPR) – Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at mail+legal@olausson.de. We will respond within one month as required by law.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The competent authority is the Landesbeauftragter fuer den Datenschutz Sachsen-Anhalt, Leiterstr. 9, 39104 Magdeburg, Germany (https://datenschutz.sachsen-anhalt.de).

11. Data Security

We implement appropriate technical and organizational measures to protect data:

- All data transmission between our products and Proton's servers uses end-to-end encryption (OpenPGP for mail and contacts, calendar-specific keys for events) in addition to TLS.
- Authentication credentials on your device are encrypted using platform-provided security mechanisms: AES-256-GCM via the Android Keystore (hardware-backed on supported devices) for the Android Sync app, and AES-256-GCM in browser.storage.local for the Mail Checker extension.
- Your mail, contact, and calendar content never touches servers operated by us. The only server we operate is the license-validation endpoint for Mail Checker Pro subscriptions (mcpm-license.olausson.de); it receives only a license key and purchase identifier over TLS.
- We regularly update our products to address security vulnerabilities.

12. Children's Privacy

Our products are not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through our product interfaces at least 30 days before taking effect. The date at the top of this policy indicates the most recent revision.

14. Contact

For questions about this Privacy Policy or to exercise your data protection rights:

Bjoern Olausson trading as BEO
Martha-Brautzsch-Str. 13
06108 Halle (Saale)
Germany
Email: mail+legal@olausson.de
Website: https://olausson.de