Where your email lives matters

Your email metadata reveals who you talk to, when, and how often. Where that data is stored determines who can legally access it — with or without your knowledge.

Most email providers are headquartered in the United States, where federal law allows warrantless surveillance of non-US persons' communications and compels companies to hand over data stored anywhere in the world. Others operate in countries that share intelligence across alliances of 5, 9, or 14 nations.

RacterMX stores your data in Iceland — outside all surveillance alliances, with full GDPR protection by law.

Jurisdiction comparison

How email providers compare on jurisdiction, surveillance exposure, and privacy law.

Provider	Jurisdiction	Data Storage	Surveillance Exposure	Privacy Laws
RacterMX	🇮🇸 Iceland (Texas LLC)	Iceland	None — outside all Eyes alliances	Icelandic Data Protection Act, GDPR via EEA, strongest internet freedom rating globally
Resend	🇺🇸 United States	United States	FISA 702, CLOUD Act, NSLs, Patriot Act	Limited federal privacy law, no comprehensive data protection
SendGrid (Twilio)	🇺🇸 United States	United States	FISA 702, CLOUD Act, NSLs, Patriot Act	Limited federal privacy law, no comprehensive data protection
Mailgun (Sinch)	🇺🇸 United States	United States	FISA 702, CLOUD Act, NSLs, Patriot Act	Limited federal privacy law, no comprehensive data protection
Postmark (ActiveCampaign)	🇺🇸 United States	United States	FISA 702, CLOUD Act, NSLs, Patriot Act	Limited federal privacy law, no comprehensive data protection
Amazon SES	🇺🇸 United States	Multiple US regions	FISA 702, CLOUD Act, NSLs, Patriot Act	Limited federal privacy law, no comprehensive data protection
ImprovMX	🇫🇷 France	France / EU	French intelligence laws (DGSI), EU data retention directives	GDPR, but France is a Nine Eyes member
Fastmail	🇦🇺 Australia	Australia / US	Australia's Assistance and Access Act (AA Act), Five Eyes	AA Act allows compelled backdoors with gag orders
ProtonMail	🇨🇭 Switzerland	Switzerland	Swiss intelligence cooperation agreements	Strong privacy laws, but Swiss MLAT allows cooperation
Tutanota (Tuta)	🇩🇪 Germany	Germany	German intelligence (BND), Nine Eyes via EU cooperation	GDPR, but Germany is a Fourteen Eyes member
Forward Email	🇺🇸 United States	United States	FISA 702, CLOUD Act, NSLs	Limited federal privacy law, no comprehensive data protection
SimpleLogin (Proton)	🇨🇭 Switzerland / 🇫🇷 France	Switzerland	Swiss MLAT, French Nine Eyes membership	Mixed — Swiss hosting but French parent company context

The Problem with US-Hosted Email

The majority of email infrastructure companies — Resend, SendGrid, Mailgun, Postmark, Amazon SES, Forward Email — are incorporated in the United States and store data on US soil. This subjects them to a set of federal surveillance laws with no equivalent in most democracies.

50 U.S.C. § 1881a

FISA Section 702

Allows the NSA to conduct warrantless bulk collection of communications involving non-US persons. In practice, US persons' data is routinely swept up through "incidental collection" — and can be searched by the FBI without a warrant. Reauthorized in April 2024 with expanded definitions of "electronic communications service provider."

18 U.S.C. § 2713

CLOUD Act (2018)

Compels US companies to hand over data stored anywhere in the world, regardless of where the data is physically located or what local privacy laws apply. A US company hosting data in Germany must still comply with a US government order — even if doing so violates GDPR.

18 U.S.C. § 2709

National Security Letters

The FBI can demand customer data — including email metadata, account records, and transaction history — without judicial approval. NSLs come with a gag order: the company cannot tell you they received one, cannot tell you your data was disclosed, and faces criminal penalties for doing so.

No Federal Equivalent to GDPR

No Comprehensive Federal Privacy Law

Unlike the EU (GDPR), Iceland (Icelandic Data Protection Act), or even Brazil (LGPD), the United States has no comprehensive federal data protection legislation. Privacy protections are fragmented across sector-specific laws (HIPAA for health, FERPA for education) with no general right to data protection.

The Problem with Five/Nine/Fourteen Eyes Countries

The "Eyes" alliances are intelligence-sharing agreements between nations that cooperate on signals intelligence (SIGINT) collection. If your email provider operates in any member country, your data can be shared across the alliance — without your knowledge or consent.

Five Eyes

🇺🇸 United States · 🇬🇧 United Kingdom · 🇨🇦 Canada · 🇦🇺 Australia · 🇳🇿 New Zealand

The core alliance. Members share raw signals intelligence freely, including intercepted communications and metadata. Originated from the post-WWII UKUSA Agreement (1946).

Nine Eyes

Five Eyes + 🇩🇰 Denmark · 🇫🇷 France · 🇳🇱 Netherlands · 🇳🇴 Norway

Extended partners with access to shared intelligence. France's DGSI and Denmark's FE have been documented participating in joint surveillance operations.

Fourteen Eyes

Nine Eyes + 🇩🇪 Germany · 🇧🇪 Belgium · 🇮🇹 Italy · 🇸🇪 Sweden · 🇪🇸 Spain

Formally known as SIGINT Seniors Europe (SSEUR). Members cooperate on signals intelligence collection and analysis. Germany's BND has been documented sharing bulk metadata with the NSA.

If your email provider is headquartered in any of these 14 countries, your data can be accessed and shared across the alliance through intelligence cooperation agreements — without a warrant, without notification, and without your consent.

Iceland is not a member of any Eyes alliance.

Why Iceland

RacterMX chose Iceland because no other jurisdiction offers a comparable combination of privacy law, independence from surveillance alliances, and internet infrastructure.

Outside all Eyes alliances. Iceland is not a member of the Five Eyes, Nine Eyes, or Fourteen Eyes intelligence-sharing agreements. There is no obligation to share data with foreign intelligence agencies.
EEA member — full GDPR compliance by law, not by contract. Iceland adopted GDPR into national law through the Icelandic Data Protection Act (No. 90/2018). This isn't a contractual promise or a self-audit — it's the law of the land, enforced by an independent authority (Persónuvernd).
Icelandic Data Protection Act provides additional protections beyond GDPR. Iceland's national implementation includes provisions specific to Icelandic constitutional law, including explicit privacy protections rooted in Article 71 of the Icelandic Constitution.
No data retention mandates for email providers. Unlike EU member states that have implemented data retention directives, Iceland has no mandatory data retention requirement for email service providers.
Ranked #1 globally for internet freedom. Iceland scored 94/100 in the Freedom House "Freedom on the Net" report — the highest score of any country assessed.
Constitutional protection of privacy as a fundamental right. Article 71 of the Icelandic Constitution guarantees the right to privacy, including the privacy of correspondence and communications.
No history of mass surveillance programs. Iceland has no documented mass surveillance infrastructure, no bulk data collection programs, and no equivalent to the NSA, GCHQ, or BND.
FlokiNET hosting. RacterMX infrastructure runs on FlokiNET — an Icelandic hosting provider known for defending customer privacy and resisting takedown pressure from foreign governments.

For a deeper look at Iceland's privacy infrastructure, renewable energy, and data center advantages, see our dedicated Iceland page.

Ready to move your email to Iceland?

Start forwarding email through the world's most privacy-friendly jurisdiction. Free tier available, no credit card required.

Get Started Free →