Privacy Policy

The independently-operated entity running TempoMailer at tempomailer.com ("the Operator") is the data controller for all personal data processed through the Service within the meaning of Article 4(7) GDPR. Contact details are provided at the end of this policy and on the About page.

The Service is privacy-first by design. We process only the minimum data strictly required to operate a disposable inbox:

• Disposable email addresses that you generate or customise, and the messages received on those addresses.
• A random session identifier stored in an HTTP-only cookie, used to tie your browser to its current inbox across page reloads.
• Your interface language and visual theme preference, stored in a cookie on your device.
• Your cookie-consent choice, stored in a cookie so we can honour your preference.
• Inbound SMTP connection metadata (sender IP address, timestamps, envelope headers) kept strictly for security and abuse prevention.

We rely on the following legal bases under Article 6 GDPR:

• Legitimate interests (Art. 6(1)(f)) to operate the Service, protect it from abuse, and maintain its essential functionality.
• Consent (Art. 6(1)(a)) for optional cookies linked to advertising or non-essential analytics; you may withdraw consent at any time via the cookie banner.
• Legal obligations (Art. 6(1)(c)) to respond to lawful requests from competent public authorities.

We use a minimal set of technical identifiers. Essential cookies are required for the Service to function; optional cookies are loaded only after you select "Accept all" in the cookie banner.

• lbd_session (essential, HTTP-only, 30 days) — random session identifier linking your browser to its current inbox.
• lbd_locale (essential, 12 months) — the display language you have selected.
• lbd_consent (essential, 12 months) — the cookie preference you have set.
• lbd-theme (essential, local storage) — your light/dark theme preference.
• Advertising cookies (optional, third-party) — loaded only if advertising is active and you have granted consent.

When advertising is enabled and you have granted consent, the Service uses Google AdSense. Google and its partners may place cookies or similar identifiers to deliver personalised advertising based on your visits to this and other websites. You can opt out of personalised advertising at any time at https://www.google.com/settings/ads. If you withdraw consent through our cookie banner, advertising cookies will no longer be loaded.

We may use aggregated, privacy-respecting analytics that do not set identifying cookies and do not profile individual users. Should the Service later adopt an analytics provider that relies on identifying cookies, that provider will be loaded only after you grant consent.

Personal data is retained only for the minimum time necessary:

• Disposable mailboxes and received messages: deleted automatically 24 hours after creation via a database TTL index.
• Session cookie: up to 30 days.
• Locale, theme, and consent cookies: up to 12 months.
• Inbound SMTP connection and abuse logs: up to 30 days.
• System backups, where present, are purged within seven days.

Service data is accessible only to the Operator. We rely on the following sub-processors, each bound by appropriate contractual safeguards:

• Hetzner Online GmbH (Germany) — infrastructure hosting.
• Cloudflare, Inc. (United States / Ireland) — DNS and CDN for the website.
• Google LLC (United States) — advertising delivery, only when enabled and consented to.

Some sub-processors may transfer data outside the European Economic Area. Where this occurs, transfers rely on the Standard Contractual Clauses approved by the European Commission and, where applicable, on supplementary technical and organisational measures intended to preserve the level of protection required by EU law.

Under the GDPR and equivalent laws you have the right to:

• access the personal data we hold about you;
• request rectification of inaccurate data;
• request erasure of your data;
• restrict or object to processing;
• receive your data in a portable format where technically feasible;
• withdraw any consent you have previously granted;
• lodge a complaint with the data protection authority of your member state (in Italy: Garante per la Protezione dei Dati Personali, www.gpdp.it).

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take prompt steps to delete it.

Traffic between your browser and the Service is encrypted in transit with TLS. Data at rest is stored on a privately-operated server with access limited to the Operator. The short retention periods described above further reduce risk. No system can be made completely secure; by using the Service you acknowledge this residual risk.

We may update this Privacy Policy to reflect changes to the Service or to legal requirements. The "Last updated" date at the top of this page indicates the most recent revision. Material changes will be announced through the Service.

For privacy inquiries, data-subject requests, or to withdraw consent, contact the Operator via the details published on the About page. We aim to respond within 30 days.