Maskbox does not collect, transmit, or sell any personal data to us or to any third party. We run no servers and have no accounts. The app talks only to Fastmail, using credentials you provide that stay on your device.
What we collect
Nothing. No analytics, no telemetry, no advertising, no account. We have no view of your aliases or how you use the app.
Your Fastmail API token
The token you provide is stored locally in your device’s keychain. It’s used only to communicate directly with Fastmail’s JMAP API over HTTPS. On a single device it’s shared with Maskbox’s widgets and Shortcuts through a private, on-device app group so they can act on your behalf. It is never sent to Kojya and never shared with any other third party.
Cached aliases
Maskbox keeps a local cached copy of your masked email aliases in the app’s shared container on your device, so widgets and Shortcuts work offline. A sort-order preference is also stored locally. This data never leaves your device, and removing the app removes it.
Network requests
Maskbox connects only to Fastmail’s JMAP API (api.fastmail.com) over HTTPS, plus Apple services for the things iOS handles for us (Keychain, app delivery). There is no Kojya backend.
Third parties
No SDKs, no analytics, no advertising, no data brokers, no crash reporters. The only third party involved is Fastmail, the service you connect to.
Data handled by Fastmail
Because Maskbox works with your Fastmail account, your masked email aliases and related account data are handled by Fastmail and governed by Fastmail’s privacy policy. Maskbox is an independent third-party app and is not affiliated with or endorsed by Fastmail.
Changes to this policy
If we make material changes, we’ll update the effective date below and post the revised policy on this page.
Contact
Effective June 21, 2026.