Private & Secure Email Providers
EU and privacy-focused email services that go beyond the defaults, with encryption options, clearer data handling, and jurisdictions worth understanding before you switch.
Private and secure email providers treat inbox confidentiality as a core feature, not an afterthought, typically offering encryption at rest, clearer data-handling statements, and subscription funding rather than advertising. The key decision criterion is what you are actually protecting: for legal jurisdiction, filter by EU or Swiss hosting and review the DPA; for provider-side read access, look for zero-access encryption — Proton Mail and Tutanota both offer it.
Private and secure email providers are services that treat the confidentiality of your inbox as a core feature rather than an afterthought. Compared with the large default webmail services, they tend to offer stronger encryption options, clearer statements about what data they hold, hosting in specific jurisdictions, and a funding model based on subscriptions rather than advertising or data analysis.
This hub covers the private-email category of the directory. The filterable matrix below lists individual providers with their hosting region, ownership signals, and compliance details; this page is here to frame the topic and help you decide what you are actually looking for before you compare options.
The category is broad. It includes EU-based providers, Switzerland-based providers, services built around open standards like IMAP and PGP, and services that prioritise anonymous signup. These are different propositions, and the right one depends on whether your priority is legal jurisdiction, technical openness, ease of use, or minimising the personal data tied to your account.
Email remains one of the most sensitive accounts most people and organisations hold. It is the recovery channel for other services, the archive of years of correspondence, and often the place where contracts, invoices, and personal information accumulate. The provider you choose has technical access to that archive unless encryption is specifically designed to prevent it.
For organisations, the choice also has a compliance dimension. Where email is hosted, who can be compelled to disclose it, and what contractual terms govern its processing are all relevant to data protection obligations. A provider's marketing language about "privacy" does not answer these questions on its own; the Data Processing Agreement, the sub-processor list, and the stated hosting region do.
It is worth being precise about what a private email provider can and cannot do. Encryption designed so the provider cannot read your messages addresses one specific risk. It does not change the fact that email is an open, federated system: messages you send to other providers leave your provider's protection, metadata is generated by the protocol itself, and subject lines are often not covered. Understanding these limits is what makes a switch worthwhile rather than a false sense of security.
Jurisdiction is the other axis that matters. An EU-based provider operates under the GDPR and EU legal process. A Switzerland-based provider operates under Swiss law, which is widely regarded as privacy-protective and is recognised by the EU as adequate, but which is a separate framework. Neither is automatically "better"; the relevant question is which legal environment fits your requirements.
- Proton Mail
  Swiss end-to-end encrypted email by Proton AG (Geneva); 100M+ users, Foundation-controlled since June 2024.
  E2E · Public DPA · Sub-processors · Open source · EU-BASED · CH · 7 sub-procs · 4 US
- Tuta
  Hannover-based end-to-end encrypted mail (formerly Tutanota); post-quantum crypto, own DE data centre, ISO 27001.
  E2E · Public DPA · Sub-processors · Open source · EU-SOVEREIGN · DE · 0 sub-procs
- Mailbox.org
  Berlin-based private email + drive + meet + office bundle (Heinlein Support GmbH); ISO 27001 + BSI C5, €1/mo entry.
  E2E · Public DPA · Sub-processors · Open source · EU-SOVEREIGN · DE · 0 sub-procs
- Posteo
  Berlin one-person-shop privacy email at €1/mo (Posteo e.K., since 2009); anonymous signup, BSI TR-03108 certified.
  E2E · Public DPA · Sub-processors · Open source · EU-SOVEREIGN · DE · 0 sub-procs
- Mailfence
  Belgian secure email + calendar + docs (ContactOffice, est. 1999); browser-side PGP, donates 15% to EFF + EDRi.
  E2E · Public DPA · Sub-processors · Open source · EU-SOVEREIGN · BE · 0 sub-procs
- StartMail
  Dutch private email (StartMail B.V., est. ~2014, by Startpage founders), NL-hosted, one-click PGP, unlimited aliases, USD-priced from $4.99/mo annual.
  E2E · Public DPA · Sub-processors · Open source · EU-BASED · NL · 0 sub-procs
- Infomaniak Mail (kSuite)
  Swiss email + groupware (Infomaniak Group SA, Geneva, since 1994), own Swiss DCs, ISO 27001 + B Corp 2025, free tier with @ik.me address.
  E2E · Public DPA · Sub-processors · Open source · EU-SOVEREIGN · CH · 0 sub-procs
- Kolab Now
  Swiss open-source Kolab groupware SaaS (Apheleia IT AG, Bern; Kolab Systems since 2010, Kolab Now since 2013), board incl. FSF Europe founder Georg Greve.
  E2E · Public DPA · Sub-processors · Open source · EU-SOVEREIGN · CH · 0 sub-procs
- Mailo
  French family-owned email since 1998 (Mail Object; founders Voyat & Lenoir, reacquired from Lagardère 2007), French-hosted, Free tier €0 + Premium from €1/mo.
  E2E · Public DPA · Sub-processors · Open source · EU-SOVEREIGN · FR · 0 sub-procs
- Runbox
  Norwegian private email since 1999 (Runbox Solutions AS), own NO data centre, 100% renewable hydro, PGP + 2FA + PFS, double carbon-negative.
  E2E · Public DPA · Sub-processors · Open source · EU-SOVEREIGN · NO · 0 sub-procs
- Soverin
  Independent Dutch paid email (from €3.25/mo); ISO 27001 + NIS2 Ready, all data in Netherlands, full IMAP/SMTP/CalDAV/CardDAV compatibility.
  E2E · Public DPA · Sub-processors · Open source · EU-SOVEREIGN · NL · 0 sub-procs
Sovereignty: a single roll-up of ownership and CLOUD Act exposure.

| Provider | Sovereignty | Cert. | Pricing | Signals |
|---|---|---|---|---|
| Proton Mail | GENEVA · CH, Switzerland | ISO/IEC 27001 | Freemium, €4/mo | E2E, Public DPA, Sub-processors, Open source |
| Tuta | HANNOVER · DE, Germany | ISO/IEC 27001 | Freemium, €3/mo | E2E, Public DPA, Sub-processors, Open source |
| Mailbox.org | BERLIN · DE, Germany | ISO/IEC 27001, C5 | Paid, €1/mo | E2E, Public DPA, Sub-processors, Open source |
| Posteo | BERLIN · DE, Germany | — | Paid, €1/mo | E2E, Public DPA, Sub-processors, Open source |
| Mailfence | BRUSSELS · BE, Belgium | — | Freemium, €3/mo | E2E, Public DPA, Sub-processors, Open source |
| StartMail | NL, Netherlands | — | Paid, €5/mo | E2E, Public DPA, Sub-processors, Open source |
| Infomaniak Mail (kSuite) | GENEVA · CH, Switzerland | ISO/IEC 27001, ISO9001, +2 more | Freemium, €6/mo | E2E, Public DPA, Sub-processors, Open source |
| Kolab Now | CH, Switzerland | — | Paid, €5/mo | E2E, Public DPA, Sub-processors, Open source |
| Mailo | FR, France | — | Freemium, €1/mo | E2E, Public DPA, Sub-processors, Open source |
| Runbox | NO, Norway | — | Paid, €2/mo | E2E, Public DPA, Sub-processors, Open source |
| Soverin | NL, Netherlands | ISO/IEC 27001 | Paid, €3/mo | E2E, Public DPA, Sub-processors, Open source |
Start by naming your priority. If your concern is legal jurisdiction and compliance, filter by hosting region and look closely at the documentation each provider offers: a real Data Processing Agreement, a published sub-processor list, and a clear statement of where data is stored. If your concern is technical control, prioritise open standards (IMAP, SMTP, and PGP support) so you are not locked in and can migrate later.
Consider the funding model. A subscription-funded provider has a commercial incentive that aligns with keeping your data private; a free service has to be funded somehow, and it is worth understanding how. This is not a hard rule, but it is a useful signal when weighing options that otherwise look similar.
Think about who you email. If most of your correspondence is with people on mainstream providers, end-to-end encryption will only apply to a fraction of your messages, and the value is more about your provider's access and jurisdiction than about message-level encryption. If you exchange sensitive material with a defined group, provider-to-provider or PGP encryption becomes more practical.
Finally, plan the switch realistically. Check whether you can bring a custom domain, how import and forwarding work, and whether your mail clients and devices are supported. The matrix below lets you compare providers on these points, and each listing carries its own independently-checked data on hosting, ownership, and compliance so you can verify claims rather than take them on trust.
Frequently asked questions
What makes an email provider 'private' or 'secure'?
Does email encryption hide everything about my messages?
Is a Swiss email provider the same as an EU one?
Can I keep my existing email address when switching?
Does using a private email provider make me anonymous?
What should a business check before adopting a secure email provider?
How we verified every listing here.
For each product we read the public DPA, sub-processors document, hosting region declaration, certifications, and corporate ownership records. Each is timestamped. Signals are editorial, re-verified quarterly. We never accept self-attestation.