by Kimmono 4746 days ago
It does, but they don't offer email or phone services. So they are also exempt. We use Blix: https://www.blix.com/

What you call a loophole was no secret in the hearings about the new law. The government wanted this implemented mainly for the phone providers. They understood that foreign email providers like Gmail and Hotmail that most use in Norway could not be under the law in any practical way, so they restricted who this is applicable to.

1 comments

I read your website and tried your service for a few days this past April. I cancelled immediately after you emailed both my web hosting and support account credentials. In plain text. That is egregious.

I mention this only to point out that without proper security procedures your data privacy policy is irrelevant. Not one-way hashing and salting passwords negates everything else you do.

I'm happy to try again some day but you really have to have airtight security at a minimum to appeal to privacy-conscious users. Password reset is one of the first things we test for any new service.

If you're worried about the NSA or other nation-states then I wouldn't stop with hashing+salting. You need to be using something like scrypt/bcrypt/PBKDF2. cperciva has a paper about scrypt, bcrypt is at least widely known for this use case, and PBKDF2 is even a "certified" way to do that.

Both your web hosting and support account credentials are encrypted. I see your point about not sending them to you when you set up the services, but you have to understand that we do offer services for a wide range of people. Some really want a copy of their login in their email that they have locally.

But I take your point about this and we will try to make that optional. It is optional when you set up email sub-accounts for the administrator.
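
The two practices raised in the thread above (store only a salted, slow hash, and never mail the credential itself), sketched as an added example that is not code from any commenter or from the service discussed. It uses Python's `hashlib.scrypt` for storage and mails a short-lived reset token instead of a password; the cost parameters, record layout and function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, secrets, time

# Cost parameters are constructed for this example; tune them to your hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32

def hash_password(password):
    """Return a self-describing record: scheme$n$r$p$salt$derived_key."""
    salt = secrets.token_bytes(16)  # unique per account, so equal passwords differ
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    enc = lambda b: base64.b64encode(b).decode()
    return f"scrypt${N}${R}${P}${enc(salt)}${enc(dk)}"

def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt, dk = record.split("$")
        if scheme != "scrypt":
            return False
        expected = base64.b64decode(dk)
        got = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt),
                             n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, OverflowError):  # malformed record or rejected parameters
        return False
    return hmac.compare_digest(got, expected)

def issue_reset_token(ttl=900, now=None):
    """Return (token to mail, entry to store). Only the token's hash is stored."""
    token = secrets.token_urlsafe(32)
    expires = (time.time() if now is None else now) + ttl
    return token, (hashlib.sha256(token.encode()).hexdigest(), expires)

def redeem_reset_token(token, stored, now=None):
    """True if the token matches and has not expired; caller deletes the entry."""
    digest, expires = stored
    now = time.time() if now is None else now
    offered = hashlib.sha256(token.encode()).hexdigest()
    return now < expires and hmac.compare_digest(offered, digest)
```

Because the stored record contains only the salt and the derived key, the service has no plaintext to send; a mailbox compromise exposes at most a token that expires.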