koalo.cc koalo.cc
Home

Security & transparency

How koalo keeps your messages private — and the honest limits of what's possible. Hover any highlighted term for the details.

A real, permanent inbox — not a temp mail

koalo is not a disposable or throwaway service. Your @koalo.cc address is yours to keep, your messages stay until you delete them, and you can send and receive for as long as you have an account. We built koalo to replace your inbox — not to burn one.

End-to-end encryption

Every message between koalo users is encrypted on your device with AES-256-GCM and can only be decrypted by the intended recipient. Recipients are reached using ECDH P-256 key exchange, so a shared secret is established without a private key ever leaving your device — we never see the contents of your email.

Zero-knowledge architecture

You shouldn't have to trust us — you should have proof. Your keys are derived from your master password with PBKDF2-SHA256 entirely in your browser. We never store your master password or private keys. This is what zero-knowledge means: if we can't see it, we can't leak it, and we can't be compelled to hand it over.

No personal data

Your identity is your business. Registration requires no phone number, no backup email, and no real name. We don't log IP addresses or track your location.

No tracking pixels

Remote images and sender logos are never loaded from the open web. Avatars are generated locally on your device, so opening a message never pings a third party — there are no read-receipts or tracking pixels.

Under the hood

The exact primitives koalo runs on. No proprietary crypto — only standards trusted across the industry.

Message encryption
AES-256-GCM
Key exchange
ECDH P-256
Key derivation
PBKDF2-SHA256 · 310k
Trust model
Zero-knowledge

Who's behind koalo

koalo is built and operated from Germany by a small independent team — no investors, no ads, no data resale. We're real people who think private email shouldn't be a luxury.

A note on external email

Email to outside providers (Gmail, Outlook, and others) cannot be end-to-end encrypted — that's a limit of how email works everywhere, not just here. Those messages are protected in transit, but once they reach an external inbox they follow that provider's standards. koalo ↔ koalo messages are always fully private.

Create your account