SuperMail
Draft - pending legal review. This policy is written in plain English and reflects our actual practices, but has not yet been reviewed by outside counsel. Contact [email protected] with any questions.

Last updated: 2026-04-17

Privacy Policy

SuperMail ("we", "us", "the service") is an email client that stores and processes messages on your behalf. This policy explains what data we collect, why, and how we handle it.

1. What data we store

When you connect an email account, we store:

  • Mailbox metadata - sender / recipient / subject / timestamp / thread IDs / read state / label assignments. Used to render the inbox and power search.
  • Message bodies and attachments - the full content of messages you receive or send through the service, stored on our object storage with server-side encryption.
  • Credentials to third-party providers - Gmail OAuth refresh tokens, and app-specific IMAP/SMTP passwords for Outlook, Yahoo, iCloud, Fastmail, and any other IMAP provider you connect. These live in a dedicated secrets manager.
  • Account info - your email address, display name, profile picture (if provided by your identity provider), billing identity, and subscription state.
  • Operational logs - request method, path, status code, latency, user ID. Message bodies are redacted from logs.

2. Why we store it

  • To operate the service: display your mail, send on your behalf, sync new messages, match attachments.
  • To secure the service: detect abuse, debug outages, ship fixes.
  • To bill you: our billing processor (a third-party payments provider) handles card data; we only see masked descriptors and subscription state.
  • To communicate with you: transactional emails (receipts, password resets, security notices), and occasional product announcements you can opt out of.

3. What we never do

  • Sell, rent, or share your personal data with advertisers.
  • Train machine-learning models on your messages.
  • Serve ads inside the product.
  • Scan your mail for commercial intent.

4. Third-party subprocessors

SuperMail runs on third-party cloud infrastructure. We use subprocessors for compute, storage, databases, outbound email delivery, payments, identity / authentication, mobile push notifications, error reporting, and analytics. We select subprocessors that provide customary security practices (encryption at rest, encryption in transit, access controls, documented incident response). The current list of subprocessors is available from [email protected] on request and is updated when we add or replace one.

5. Data location and retention

Mailbox data is stored in our hosting region (currently United States). We retain message bodies as long as your account is active. When you cancel, we delete stored message bodies and attachments within 30 days and mailbox metadata within 90 days. Billing records are retained as required by law (typically 7 years).

6. Your rights

You can export your data at any time (standard .mbox format), delete individual messages, or delete your entire account from settings. EU / UK residents have the right to access, correct, erase, and port their data; California residents have analogous rights under the CCPA. To exercise any of these, email [email protected]. We'll respond within 30 days.

7. Children

SuperMail is not directed at children under 13. We do not knowingly collect personal data from children.

8. Security

We use TLS for all network traffic, encrypt storage at rest, keep credentials in a separate secrets manager, and restrict internal access to a minimum set of engineers. See our Security page for details. Report a vulnerability to [email protected].

9. Changes

We'll update this page and email users if we make material changes to how data is handled. The "Last updated" date at the top reflects the most recent revision.

10. Contact

Privacy inquiries: [email protected].