Their privacy policy states the obvious, and repeats what’s in the SMTP RFC (821). I can only guess this is because of transparency. All email providers have access to that information. I would actually argue for them that they are better at letting people know which kind of data they do and don’t have access to.

Every (email) service is bound to the law of the country they reside or operate in. Proton has part of its offerings in Switzerland, part in EU (Germany if I recall well). Swiss FADP is very close to GDPR. Also when it comes to privacy protection. Every company bound to GDPR (or FADP) has to abide to the law, and when law enforcement has a good reason to check out user data, and the judge agrees, any company has to provide evidence. Even non-EU based companies offering services in EU. With their transparency report they are providing a tool to their users to know and understand what happens to their data in a lawful manner. And I see that as a win for transparency.

But this is just my opinion, and it is ok to not agree with how I see the world.

Source, pretty please? I’d like to read up.