Privacy Policy

Effective: 5/13/2026

This Privacy Policy describes what data easyoutlook collects from you, how it's stored, and how it's used. We designed the system to keep the minimum data needed to operate — message bodies in particular are NOT cached long-term, on purpose.

1. Data we collect from you

Account data

  • Username, email address, password hash (managed by Supabase Auth)
  • Optional display name and avatar URL
  • A recovery code hash (scrypt) for password reset

Mailbox connection data

  • IMAP host, port, TLS setting, email address
  • Mailbox credentials (password, or OAuth refresh token + access token), encrypted at rest using AES-256-GCM with a server-held key. We never log decrypted credentials.
  • OAuth client ID + tenant ID for OAuth-connected mailboxes (encrypted at rest where sensitive)

Message data

For each message in your connected mailboxes, we cache:

  • Folder path and IMAP UID
  • RFC 5322 Message-ID, sender name and address, recipient list, subject, internal date
  • A short text snippet (preview) extracted at sync time
  • Read / starred / has-attachments flags
  • Folder counts (total messages, unread)

We do NOT cache message bodies or attachments long-term. When you open a message, the body is fetched directly from your IMAP server. When you download an attachment, the bytes stream from your IMAP server through our service to your browser without persistence on our side.

Billing data

  • OxaPay payment records (track ID, amount, currency, status, transaction ID) for deposits you make
  • Transaction history for every credit and debit on your account
  • Order and subscription records linking purchases to those transactions

We don't store payment card or wallet credentials — OxaPay handles the payment flow on its own infrastructure.

Operational data

  • Rate-limit counters (per-user, per-host) stored in a short-TTL cache
  • Server logs of API errors and sync failures (no message contents, no decrypted credentials)

2. How we use your data

  • Authenticate you to the Service
  • Connect to your IMAP mailboxes on your behalf to keep our local cache in sync with your inboxes
  • Power the search, filter, and reading UI
  • Process payments and apply credits/debits to your balance
  • Enforce rate limits and abuse protections
  • Diagnose service issues from server logs

We do not sell your data, train AI models on your messages, or share your message contents with third parties for advertising or any other purpose.

3. Third parties we share data with

Operating this Service requires sharing limited data with infrastructure providers:

  • Supabase — hosts our authentication and database. Sees account data, encrypted mailbox credentials (which they can't decrypt without our server key), and message metadata.
  • Vercel — runs our application. Sees request logs and any data passing through API routes.
  • OxaPay — processes crypto deposits. Sees your email address (in the deposit description) and the deposit amount.
  • Upstash — Redis for rate-limit counters. Stores ephemeral hashed identifiers; no message data.
  • Your email providers — Microsoft, Google, Apple, etc. We connect to their IMAP servers using your credentials. This is the standard exposure inherent in the mail protocol itself.

4. Data retention

  • Account data: retained while your account is active.
  • Message metadata: retained while the mailbox is connected. Removing a mailbox deletes its cached metadata. Account deletion removes all metadata.
  • Encrypted mailbox credentials: retained while the mailbox is connected. Deleted on mailbox removal or account deletion.
  • Financial records (orders, transactions, subscriptions, payments): retained indefinitely for accounting and compliance, even after account deletion. Anonymized after deletion (your email is captured as a snapshot for attribution; user_id is set to NULL).
  • Server logs: retained for up to 30 days for debugging.

5. Account deletion

You can permanently delete your account from Settings → Danger Zone. Deletion removes:

  • Your authentication and profile records
  • All connected mailboxes and their cached metadata
  • All saved filters and mailbox groups
  • Encrypted mailbox credentials

Financial records (orders, transactions, subscriptions, payment receipts) are retained as described above. If you had a positive balance, a final "balance forfeited on account delete" transaction is posted before deletion for accounting traceability.

6. Security

  • IMAP credentials encrypted at rest with AES-256-GCM
  • Recovery codes hashed with scrypt
  • IMAP host validation blocks SSRF to internal IPs and cloud metadata endpoints
  • Database access controlled by row-level security policies; you can only read your own data
  • Rate limiting on auth endpoints, sync endpoints, and payment endpoints

7. Your rights

Depending on your jurisdiction (GDPR, CCPA, etc.), you may have rights to:

  • Access the data we hold about you
  • Request correction of inaccurate data
  • Request deletion (see Section 5)
  • Request export of your data in a portable format
  • Object to certain types of processing

Contact us at support@easyoutlook.app to exercise these rights.

8. Cookies

We use cookies for authentication (Supabase session) and theme preference. We do not use third-party advertising or analytics cookies.

9. Children

easyoutlook is not intended for users under 18. We don't knowingly collect data from children.

10. Changes to this policy

We may update this policy as the Service evolves. Material changes will be announced in-app or by email. Continued use constitutes acceptance.

11. Contact

Questions about this policy or your data? Contact us at support@easyoutlook.app.