Skip to main content
Insights & Trends
Blog

Free email: What Gmail and the like really cost

Reading time: 6 minutes

Millions of people use free email services every day, like Gmail, GMX or WEB.DE. What looks like a good deal at first glance is actually based on a business model that primarily benefits the provider. If you understand how the business model behind free email providers works, you can make more informed decisions. In this article, you’ll find out what lies behind supposedly free services, where the specific data protection risks lie, and what you should bear in mind when switching to a secure, ad-free email account.

mailbox Blog Kostenlose E-Mail-Anbieter Datenschutz Wechsel

What your inbox says about you

Take a look back at your email account over the past few months: It contains personal correspondence with family and friends, as well as booking confirmations and payslips, possibly job application documents, and correspondence with doctors, insurance companies or solicitors.

Your email account is one of the most private digital spaces there is. The question of who you entrust this account to, and what financial interest the provider has in exploiting its contents, thus becomes a decision about your own digital sovereignty.

The business model behind free email

When a service is free, an obvious question arises: How does the provider make money? In Google’s case, the answer is clear: three-quarters of Alphabet’s total revenue comes from Google advertising. For the full year 2025, Alphabet’s revenue stood at just under 403 billion US dollars. Advertising is not a sideline, but forms the foundation of the US corporation.

This lucrative business thrives on one raw material: knowledge about users that is as precise as possible: Who are they? What are they interested in? How do they behave online? – The more a provider knows about the users of its service, the more valuable an advert placement becomes. An email account used daily, containing personal correspondence, order confirmations and appointment reminders, is a rich source of information in this context, enabling personalised advertising.

Google and data protection: What Google does with your emails and data

Google offers a comprehensive suite of services including email, calendar, cloud storage, login and other services. When you use these services, Google collects the content that is created, uploaded or received from others, including emails sent and received. This means that even if you do not use Gmail yourself, but are merely the sender, the content you send is still collected and processed by Google.

Emails themselves are not specifically searched or read for the purpose of displaying personalised adverts. Personalised adverts are based on online activities that users carry out whilst signed in to Google. This is because Google collects metadata such as location or devices used, from which personal profiles can be created.

The aforementioned ecosystem comprising email, the cloud, YouTube, Google Maps, Android and login services is therefore the level at which the actual data potential for Google unfolds: For personalised advertising, activities are analysed in order to present tailored adverts across Google services such as Search and YouTube.

All these touchpoints feed into an account-linked user profile. Anyone with a Gmail account is therefore constantly under the scrutiny of a commercial profiling system – even if the actual content of their emails is officially left out of the equation. This is precisely why the term ‘free email’ is not accurate in this context: ultimately, within the Google ecosystem, you pay with your own user data, which Google turns into hard cash for itself.

GMX and WEB.DE: European, but funded by advertising

Those who have concerns about Google’s data protection policies often switch to a German email provider, such as WEB.DE or GMX. Both are owned by the German company United Internet AG, are subject to German data protection law and are regarded as an alternative to US corporations.

Many people overlook the fact that free email accounts with GMX and WEB.DE are also funded by advertising. According to United Internet’s annual report, in 2025 around 39 million ad-supported free accounts formed a large pool for monetisation through advertising and e-commerce. The further development of data-driven business models is explicitly cited in the report as a key focus of the previous year. The more precise a user profile is, the more money can be generated through the sale of advertising space. The same therefore applies to GMX and WEB.DE: here, an email service is provided in exchange for data analysis.

The US CLOUD Act and the GDPR: Why the location of the headquarters is crucial

For users in the EU, the GDPR provides important safeguards – but it does not apply fully in every scenario. The crucial point regarding email data protection concerns the origin of the providers: the US CLOUD Act allows US authorities to access data stored by US companies – regardless of where it is stored. Even if data is stored in a data centre in Germany or elsewhere in Europe, US authorities can access it as long as the provider is a US company or is under US control.

US CLOUD Act requests are often accompanied by non-disclosure orders. The US provider is legally prohibited from informing the European customer whose data is affected. For German email providers such as GMX and WEB.DE, this specific US risk does not apply. However, the core problem of advertising-based funding remains.

Identifying European alternatives to Google and Microsoft

Leave the US cloud now
mailbox Blog Europäische Alternativen zu Microsoft und Google

A different approach is possible: privacy-friendly email providers

The business model of privacy-friendly email providers is based on a monthly subscription. There is no tracking, no advertising-based funding and no data-driven marketing. Because operations are not cross-subsidised by advertising, there is no structural incentive to exploit data. The headquarters and data centres of independent providers are located in Europe – or, better still, within the EU – meaning they are subject to strict EU data protection regulations, such as the GDPR.

As a German, tracking-free provider, mailbox also follows this model: our data centres are located exclusively in Germany and we are subject solely to German and EU law. As part of the Heinlein Group, we have been committed to secure and independent communication, data protection and information security for over 30 years.

Switching email providers: How to make the transition

Anyone who decides to switch to a privacy-friendly email provider in order to use an ad-free email account faces a practical question: How do I go about it without losing anything? With the right steps, the switch can be easily planned and carried out:

1. Choosing the right email provider

The operator should be based in a country with robust data protection legislation and its business model should be transparently based on a subscription, not on advertising. A look at the privacy policy and the company’s history will provide further information.

2. Back up your data & set up a new account

Back up what’s important to you from your old account: export your emails, contacts and calendar entries, and import them into your new provider. Many email services offer free migration tools to handle this transfer for you.

3. Set up forwarding & inform your contacts

Set up an automatic forwarding from your old email account to your new address. Then work your way through your services systematically: banks, insurance companies and payment services take priority, followed by subscriptions, online shops, etc.

4. Allow for a transition period & close your old account

Allow for a generous transition period. This will ensure you don’t overlook any services that haven’t yet been migrated. Only close the old email account once this is complete. You also have the option of requesting GDPR-compliant data deletion for this purpose.

Tip: Don’t rush into anything. If you close your old email account too soon, you risk losing access to services that are still linked to your old address.

Conclusion: Digital sovereignty starts in your inbox

There are differences between a US corporation that displays adverts based on cross-account user profiles and a German email provider that does the same to fund its advertising, but without being subject to US jurisdiction. Nevertheless, the underlying principle is the same: users are used to generate advertising revenue.

Your email account contains a wealth of sensitive data and provides insights into your personal and professional life. So make an informed and critical decision about whose hands you entrust this data to.

Your move to mailbox

Migrating emails securely
Envelope

Insights & Trends

Discover more articles on the topic of data protection.
All articles
You can see a young man with short hair and a beard. He is wearing glasses and a shirt. The young man is sitting at a desk in an office, with a laptop in front of him and a notepad and smartphone on the table. The man smiles directly into the camera.
Data protection

GDPR violations: 5 common mistakes to avoid

Read more about GDPR violations: 5 common mistakes to avoid
Smiling woman with laptop on her lap
Data protection

European alternatives for business emails

Read more about European alternatives for business emails
mailbox Mail: Übersicht des Posteingangs

At a glance: Overview of all modules

To the overview →
mailbox Blog Kostenlose E-Mail-Anbieter Datenschutz Wechsel

Free email: What Gmail and the like really cost

Learn more →
mailbox
Start now