// Threat Model

Last updated: June 2025

This threat model outlines what [@fuck.it] protects you from - and what we don’t. We believe in honesty, not false promises.

1. What We Protect Against

• Email interception via insecure protocols (we use TLS)
• Unauthorized access to your inbox (we enforce strong login security)
• Spam, phishing, and account abuse (through filters and abuse systems)
• Server-side attacks (we harden our infrastructure)
• Metadata collection by advertisers (we don’t use ads or trackers)

2. What We Don't Protect Against

• Stupid passwords (use a password manager, please)
• Local malware or keyloggers on your device
• Your friend peeking over your shoulder
• Governments with access to your unlocked device
• The consequences of emails you send

3. End-to-End Encryption

We do not provide built-in end-to-end encryption. Your data is encrypted in transit and at rest on our servers, but [@fuck.it] staff with elevated access can access your inbox if required by law. If that bothers you, use additional encryption tools.

4. Legal Access

We comply with valid legal requests. If we’re allowed, we’ll notify you. We do not build backdoors or offer mass access to anyone.

5. Third-Party Services

We work with a hosting company and payment provider. These services only have the data needed to do their jobs. We vet their security but can’t guarantee perfection.

6. What You Can Do

• Use a strong password (and don’t reuse it)
• Enable any optional security features
• Encrypt sensitive messages manually
• Log out on shared devices
• Enable two-factor authentication if we offer it

7. Security Philosophy

Security isn’t a product - it’s a posture. We do our part. You do yours. Together, it works.

No bullshit.
No guarantees.
Just good security sense.