@
Privacy

Privacy policy

Last updated: 2026-04-22

TL;DR

emailforward.xyz is a free email alias forwarding service. We store only what's necessary to route mail: alias identifiers, verified recipient addresses, and (while the alias exists) the bodies of emails that pass through. No account, no tracking pixels, no ads, no third-party analytics other than anonymous Core Web Vitals.

Who this applies to

This policy covers every visitor to emailforward.xyz and every inbound message received for aliases on that domain. Creating an alias requires no account, so there are no authenticated user records for regular visitors.

What we collect

  • Aliases you create. A random identifier on @emailforward.xyz, plus timestamps.
  • Forwarding recipients. The email addresses or Telegram chat IDs you add, their verification state, and the tokens we issue to verify them.
  • Inbound mail. For every message addressed to one of your aliases, we store headers and body until we've forwarded it — and only while the alias still exists, for history display.
  • Telegram chat state. When you pair a chat we record its Telegram chat ID and, for groups, the member who paired it.
  • API tokens. When you create an API token we store a SHA-256 hash (never the raw token), the label you gave it, the email it's tied to, and usage timestamps. Revoke at any time from /manage-email.
  • Custom domains. If you bring your own domain, we store the domain name, the verification token, and the email that owns it. We do not query your DNS beyond the one TXT lookup you ask us to perform on verify.
  • Reply tokens. For every forwarded email we mint a short-lived routing token so you can reply through us without leaking your real address. The token maps to the alias and the original sender; it expires after 60 days.
  • Cloudflare Turnstile. A challenge token is generated on alias creation. Cloudflare may see your IP; we never store it ourselves.
  • Server logs. Standard web and mail server access logs — kept for 7 days and rotated.
  • Performance data. Anonymous Core Web Vitals metrics. No cookies, no personal data.

What we don't collect

No account, no password, no personal profile. No cross-site tracking pixels. No marketing email — we don't have an email list because we don't have your email.

Third parties

  • Our outbound mail provider sends verification, management and forwarded emails on our behalf and briefly sees the content in transit. It's a reputable commercial provider with a published privacy policy.
  • Telegram — when you pair a chat, forwarded content is delivered to Telegram's servers via Bot API.
  • Cloudflare — DNS, tunnel and Turnstile challenge.

Retention

Alias records and forwarded-message bodies persist until you delete the alias, at which point the row is removed. Recipient verification tokens expire in 24 hours. Management links expire in 24 hours.

Your rights

You can delete any alias at any time from /manage-email, and recipients can unsubscribe via the link in every forwarded email. For a full data export or out-of-band deletion, email [email protected].

Location & law

The service operates under GDPR. We don't voluntarily share data with third parties and respond to lawful orders through established EU channels.

Changes

If this policy changes materially, we'll bump the "last updated" date at the top and post a note on the homepage for a week.