Security & Privacy

Readonly Access Only

UnclutterMail uses readonly OAuth permissions for both Gmail and Microsoft 365. This means:

• We can never send emails on your behalf
• We can never delete or modify your emails
• We can never access your contacts or calendar

When we generate reply drafts, they're shown to you in our interface - you copy them to your email client and send them yourself.

What We Access

Token Security

Your OAuth tokens (the credentials that let us access your email) are:

• Encrypted with AES-256 using a dedicated encryption key separate from our application key
• Never logged or exposed in error reports
• Automatically refreshed before expiration
• Instantly revocable from your email provider's security settings

What We Store

We store only the minimum data needed to provide our service:

• Email metadata: Sender, subject, date, and a short snippet (first ~200 characters)
• Classification data: Category (newsletter, update, etc.) and relevance scores
• Your rules: Which senders to mute, include, or route differently

We do not store full email bodies. When you view an email in The Feed, we fetch it live from your email provider.

Infrastructure

• Encryption in transit: All connections use TLS 1.3
• Encryption at rest: Database and backups are encrypted
• Security headers: HSTS, CSP, X-Frame-Options, and more
• Audit logging: All sensitive actions are logged for security review

Your Rights

You have full control over your data:

• Disconnect anytime: Remove any connected account instantly
• Export your data: Download all data we have about you
• Delete everything: Request complete deletion of your account and all associated data

Questions?

If you have any security questions or want to report a vulnerability, please contact us at [email protected].