Privacy by default, security you can verify
EvilMail is built so your real identity never has to touch a signup. Here is exactly what we do with data, how long we keep it, and how we keep the service safe.
Last reviewed: July 2026
Our commitments
Data minimization
We collect the least we can. No real name, no phone, no tracking profile to use a temp inbox.
Auto-expiry
Disposable inboxes and their messages are purged automatically when their TTL ends. Nothing lingers.
Receive-only
Temp inboxes cannot send mail. The service can not be used to blast spam from our domains.
Encrypted in transit
Every request is TLS/HTTPS. Passwords are bcrypt-hashed; API keys are yours to rotate anytime.
What we store — and what we do not
To run a disposable inbox we store only the address, the messages it receives, and a session token — for the lifetime of that inbox. For registered accounts we keep your username, email, a bcrypt-hashed password and your API key. We do not store your real name, we do not require a phone number, and we do not build an advertising profile of you. Payment is handled by our processors (Stripe / crypto) — we never see or store full card numbers.
How long your data lives
A temporary inbox and every message in it are deleted automatically when the TTL you chose expires (from 10 minutes up to 24 hours on the free flow). There is no hidden archive. Registered accounts keep custom-domain mailboxes for as long as the plan is active; you can delete an email address, a domain, or your whole account at any time, which removes the associated data.
Privacy by default
Using a burner inbox needs no account, no personal details and no app. We do not sell or rent data, and analytics only run with your cookie consent. The entire point of the product is to keep your primary identity out of databases and breach lists — so we hold ourselves to the same standard with the little data we do handle.
Preventing abuse
Disposable email can be misused, so we design against it: inboxes are receive-only (no outbound spam), rate limits and a captcha gate protect the API and tools, and we act on abuse reports quickly. Known-bad patterns are blocked, and we cooperate with legitimate abuse and legal requests. Custom domains are verified via DNS before they can send or receive.
Infrastructure & encryption
All traffic is served over HTTPS/TLS with HSTS. Application secrets and session keys are environment-only, never in the codebase. Passwords use bcrypt, sessions use signed cookies, and CSRF protection guards state-changing requests. API access is per-key and revocable — regenerate a key from your dashboard and the old one stops working immediately.
Compliance & your rights (GDPR / KVKK)
We follow data-minimization and purpose-limitation principles. You have the right to access and delete your data: temporary data self-deletes on expiry, and account data is removed when you delete your account. For any data request, contact us and we will respond. We process data only to provide the service you asked for.
Responsible disclosure
Found a vulnerability? We want to hear from you. Report it privately to the address below and give us a reasonable window to fix it before any public disclosure. We do not pursue good-faith security researchers who follow responsible disclosure.
Privacy is the product.
Spin up a disposable inbox in one click — no signup, nothing to clean up.

