End-to-end encrypted email and calendar with a focus on privacy
Tuta (formerly Tutanota) is a German end-to-end encrypted email service that also offers an encrypted calendar, built with a strong focus on privacy and open-source development. Unlike most email providers, Tuta encrypts everything — subject lines, email bodies, contacts, and calendar entries — using its own encryption protocols rather than PGP.
Headquarters: Hanover, Germany
Founded: 2011
Pricing
EU Data Hosting: Yes
Employees: 11-50
Open Source: Yes
Plans: Free; Revolutionary €3/mo; Legend €8/mo; Business €7/mo per user
Billing: monthly, annual
The conventional wisdom says you cannot have both usability and strong encryption. That encryption is something for security specialists and whistleblowers, not ordinary email users. That the trade-offs — no IMAP, no third-party integrations, limited search — make encrypted email impractical for daily use.
Tuta challenges this assumption. Founded in 2011 in Hanover, Germany (originally as Tutanota, rebranded to Tuta), this end-to-end encrypted email service has spent over a decade proving that encrypted communication can be accessible, affordable, and genuinely usable for everyday correspondence. The free tier provides 1 GB of encrypted storage. Paid plans start at EUR 3 per month. And the encryption covers everything — email bodies, subject lines, contacts, and calendar entries — with zero-access architecture that means even Tuta's own servers cannot read your data.
That subject line detail matters. ProtonMail, Tuta's most prominent competitor, encrypts email bodies but leaves subject lines unencrypted on their servers. Tuta encrypts them. It is a small technical distinction with a meaningful privacy implication: metadata about your communication — who you are writing to and what the conversation is about — remains protected even from the service provider.
Tuta's client applications are fully open-source, auditable on GitHub. The company is bootstrapped, privately held, and headquartered in Germany. There are no investors, no advertising revenue, and no data monetisation. Revenue comes from paid subscriptions. The business model and the product are aligned — a rarity in the email market where "free" typically means "your data is the product."
Tuta encrypts email bodies, subject lines, contact data, and calendar entries using end-to-end encryption. The encryption happens client-side — data is encrypted before it leaves your device and can only be decrypted by the recipient. Tuta's servers store only encrypted data, implementing a zero-access architecture. Even under legal compulsion, Tuta cannot provide readable email content because they do not hold the decryption keys.
Tuta uses its own encryption protocol rather than PGP. The company argues that PGP is dated, does not encrypt metadata, and has usability issues that prevent mass adoption. Tuta's protocol encrypts more comprehensively and is integrated seamlessly into the client applications. The trade-off is interoperability — you cannot use PGP-encrypted email within Tuta, which limits communication with users of PGP-based systems.
Tuta is actively upgrading its encryption to be resistant to quantum computing attacks. As quantum computers advance, current encryption standards risk becoming breakable. Tuta's post-quantum encryption upgrade ensures that emails encrypted today cannot be retroactively decrypted by future quantum computers — a forward-looking security measure that few email providers are addressing.
You can create a Tuta account without providing a phone number, personal name, or any identifying information. This level of anonymity is rare and particularly valuable for journalists, activists, and individuals in environments where communication privacy is a safety concern. Most email providers, including ProtonMail, require either a phone number or an alternative email for account creation.
Tuta's calendar is fully encrypted with the same zero-access architecture as the email service. Calendar entries, event descriptions, and attendee lists are encrypted end-to-end. Event sharing between Tuta users maintains encryption. For teams coordinating sensitive activities — legal proceedings, medical appointments, business negotiations — an encrypted calendar prevents schedule metadata from being exposed.
Tuta provides native desktop clients for Windows, macOS, and Linux, and mobile apps for iOS and Android. The applications are open-source and available on GitHub. Two-factor authentication supports both TOTP (authenticator apps) and U2F/FIDO2 (hardware security keys), providing strong account protection.
The free tier includes 1 GB of encrypted storage, one calendar, a Tuta domain email address (@tuta.com or @tutanota.com), and limited search history. It is functional for personal use but constrained for professional correspondence.
The Revolutionary plan at EUR 3 per month provides 20 GB of storage, unlimited calendars, custom domain support, unlimited search, and five email aliases. The Legend plan at EUR 8 per month expands to 500 GB of storage, multiple custom domains, unlimited aliases, and priority support. The Business plan at EUR 7 per user per month adds per-user pricing for organisations, an admin console, shared calendars, and custom branding.
The pricing is remarkably affordable for the level of encryption provided. ProtonMail's comparable plans are priced higher, though ProtonMail offers a broader ecosystem (VPN, cloud storage, password manager) that justifies the premium for users who want multiple privacy tools from one provider.
Tuta operates from a position of structural privacy. Tutao GmbH is based in Hanover, Germany, with all data stored exclusively in German data centres. The company complies with GDPR and German data protection law (BDSG). The zero-access encryption architecture means GDPR compliance is reinforced by technical impossibility — Tuta cannot access user data even if requested.
There is no tracking, no advertising, no profiling, and no data sharing. The open-source clients allow independent verification of privacy claims. The company publishes transparency reports detailing government data requests and their responses.
With an EU compliance rating of 9.5, Tuta achieves one of the highest scores across all product categories — a reflection of its privacy-first architecture and German jurisdiction.
Privacy-conscious individuals who want encrypted email without the complexity of manually managing PGP keys. Tuta makes strong encryption accessible to non-technical users.
Journalists and activists who need anonymous communication with end-to-end encryption and no metadata exposure, including subject line encryption.
Small businesses and professionals in regulated industries (legal, medical, financial) who need encrypted correspondence and calendar with custom domain support at an affordable price point.
Users leaving Gmail or Outlook for privacy reasons who want an EU-hosted alternative that does not monetise their data. The transition requires accepting the trade-offs of no IMAP and no third-party integrations.
Tuta is the most privacy-focused email service you can use today. The subject line encryption, zero-access architecture, anonymous sign-up, post-quantum encryption roadmap, and open-source clients represent a comprehensive commitment to communication privacy that goes beyond what any competitor offers. The trade-offs are real — no IMAP means no third-party email clients, no API means no integrations, and search limitations arise from the encryption architecture itself. These are not bugs; they are the consequences of genuine zero-knowledge design. For users who prioritise privacy above convenience features, Tuta is the clear choice. At EUR 3 per month for the Revolutionary plan, it is also one of the most affordable.
Yes. Tuta encrypts all email content, subject lines, contacts, and calendar entries using end-to-end encryption with a zero-access architecture. Even Tuta's own servers cannot read your data — encryption and decryption happen exclusively on your device.
Yes. Custom domain support is available on all paid plans, starting from the Revolutionary tier at EUR 3 per month. You can use your existing domain for encrypted email while maintaining Tuta's full encryption capabilities.
No. Tuta does not support standard email protocols like IMAP or POP3 because these protocols cannot maintain end-to-end encryption for stored messages. You must use Tuta's own desktop, mobile, or web applications to access your encrypted mailbox.
Both offer end-to-end encrypted email, but Tuta encrypts subject lines (ProtonMail does not), offers more affordable paid plans, uses its own encryption protocol (not PGP), and allows anonymous sign-up. ProtonMail has a larger ecosystem including VPN, cloud storage, and password manager, more integrations, and supports PGP interoperability.
Yes. Tuta's client applications for all platforms are fully open-source and available on GitHub. The server-side code is not open source, but because encryption is client-side, the open-source clients allow independent verification of the encryption implementation.