Privacy Policy
Last updated: April 2026
Mailz.ai ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights.
1. Data We Collect
- Google account info — your email address, name, and profile photo, provided by Google when you sign in.
- Email metadata — sender, subject, date, and labels of emails processed by Mailz. We retain processing logs (metadata only) for up to 10 days.
- Email content — the body of incoming emails is read in real time to evaluate your instructions. Email content is not stored permanently. It is held in memory during processing and discarded immediately after.
- OAuth tokens — encrypted access and refresh tokens for your Gmail account, stored using AES-256-GCM encryption at rest.
- Standing instructions — the plain-English rules you write to tell the AI how to handle your email.
- Payment info — handled entirely by Stripe. We never see or store your card number.
2. How We Use Your Data
- To process incoming emails according to your instructions (labeling, archiving, starring, drafting replies, forwarding, notifications).
- To display your activity log so you can review AI decisions.
- To manage your subscription and trial status.
We do not use your email content to train AI models. We do not sell, share, or monetize your data in any way.
3. Third-Party Services
- Google — OAuth authentication and Gmail API access.
- AI providers — we use third-party AI models to evaluate emails against your instructions. Email content is sent to the AI provider's API for processing. The provider's API terms apply.
- Stripe — payment processing. See Stripe's privacy policy.
- Supabase — authentication and session management.
4. Data Retention
- Email content — not stored permanently. Email bodies are included in processing logs for AI evaluation and automatically deleted after 10 days.
- Processing logs (sender, subject, AI decision, and evaluation prompt) — retained for up to 10 days, then automatically deleted.
- Account data (instructions, subscription) — retained while your account is active.
- OAuth tokens — deleted when you close your account or revoke access via Google. Signing out of the browser does not delete tokens or stop email processing.
5. Security
We use industry-standard security practices including encrypted token storage (AES-256-GCM), HTTPS for all communications, and server-side session management. OAuth tokens are never exposed in browser cookies or client-side code.
6. Your Rights
- Access — view your processing logs and instructions in the dashboard.
- Close account — use the Close Account option in Settings to cancel your subscription, revoke Gmail access, and permanently delete all your data.
- Revoke — you can also revoke Mailz.ai's access via your Google Account settings.
7. Google API Services User Data Policy
Mailz.ai's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
8. Contact
Questions about this policy? Email us at privacy@mailz.ai.