Privacy Policy
At a glance
MailMail is a watch email app that makes privacy a design principle, not a feature.
- 📭 Your email body, subject, and sender never leave your device. Every AI summary is processed by Apple's on-device model (Apple Intelligence / Foundation Models) on your device.
- 🔒 Email passwords and login tokens are stored only in the device keychain and are never sent to our servers or to your Apple Watch.
- 🚫 No ads. We use no third-party advertising or tracking SDKs whatsoever.
- 📊 We don't track you. Usage statistics are limited to anonymous aggregate counters that cannot be tied to who read what.
1. What we do not collect
The following is never transmitted to our servers, stored by us, or written to our logs in any form:
- Email body
- Email subject, sender, recipient
- Email account passwords, app passwords, OAuth login tokens
- AI-generated summary content
- Contacts, location, phone number, advertising identifier (IDFA)
Mail-related data is not written to debug logs either. The only things we record for diagnostics are metadata that contain no body (for example, a sender hash or an action type).
2. What we process and how
2.1 Mail account credentials (app password / OAuth token)
- Purpose: to connect to the mail service you choose (Naver, Daum, Gmail, generic IMAP, Outlook, etc.) and fetch your mail.
- Where stored: only in your iPhone keychain (`kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly`; accessible only after the device has been unlocked, and never synced off the device).
- Transmission scope: credentials are sent only to your mail service provider directly (IMAP / Microsoft Graph, TLS encrypted). They are never sent to our servers, Cloudflare, or your Apple Watch.
- Retention: removed from the keychain when you delete the account in the app or delete the app.
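The keychain accessibility class named above is the part of this section that is verifiable in code. The following Swift helper is an added illustration, not MailMail's own code; the service identifier `com.example.mailmail.credentials` and the `CredentialStore` name are assumptions. It stores an app password or OAuth token under `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly`, which keeps the item readable to the app after the first unlock but excludes it from iCloud Keychain sync and from restoring onto another device, and it shows the matching delete path used when an account is removed.

```swift
import Foundation
import Security

// Hypothetical helper (added example, not the app's own code).
// Stores one secret per account as a generic-password keychain item.
enum CredentialStore {
    // Assumed service identifier; any stable, app-specific string works.
    static let service = "com.example.mailmail.credentials"

    private static func baseQuery(for account: String) -> [String: Any] {
        [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    /// Saves (or replaces) the secret for `account`. Returns the Security framework status.
    static func save(_ secret: String, for account: String) -> OSStatus {
        // Delete any existing item first so the accessibility attribute below
        // is applied to a fresh item rather than ignored by SecItemAdd.
        SecItemDelete(baseQuery(for: account) as CFDictionary)

        var attributes = baseQuery(for: account)
        attributes[kSecValueData as String] = Data(secret.utf8)
        // Device-only class: readable after first unlock, never migrated to another
        // device via backup restore and never synced through iCloud Keychain.
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        // Redundant with the *ThisDeviceOnly class, but states the intent explicitly.
        attributes[kSecAttrSynchronizable as String] = kCFBooleanFalse
        return SecItemAdd(attributes as CFDictionary, nil)
    }

    /// Reads the secret back, or nil if it is absent or the device is not yet unlocked.
    static func load(for account: String) -> String? {
        var query = baseQuery(for: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne

        var result: AnyObject?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else { return nil }
        return String(decoding: data, as: UTF8.self)
    }

    /// Removes the secret; this is the path taken when the user deletes the account.
    static func delete(for account: String) -> OSStatus {
        SecItemDelete(baseQuery(for: account) as CFDictionary)
    }
}

// Usage (constructed values):
let status = CredentialStore.save("app-password-placeholder", for: "user@example.invalid")
assert(status == errSecSuccess)
assert(CredentialStore.load(for: "user@example.invalid") == "app-password-placeholder")
assert(CredentialStore.delete(for: "user@example.invalid") == errSecSuccess)
```

A reviewer checking the policy's "not synced off the device" claim can confirm it by reading the `kSecAttrAccessible` value on the stored item: any class without the `ThisDeviceOnly` suffix would allow the item to be restored onto a different device from an encrypted backup.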
2.2 Email body, subject, sender (summary processing)
- Purpose: to turn mail into an AI summary card you can grasp in three seconds.
- Where processed: entirely on your device. Fetching the body is a direct connection (TLS) between your device and your mail provider, and the summary is generated by Apple's on-device model. The body is never sent to our servers or to any external AI service for summarization.
- Where stored: metadata needed to display summaries and cards, and a body cache, are stored encrypted in an on-device database (SwiftData).
- Transmission to Apple Watch: only body-free summary cards are sent to the watch. The card data structure itself has no body field.
- Retention: removed from the device cache when you archive/delete mail or delete the app.
2.3 Push-notification device token (APNs)
- Purpose: a content-free "wake-hint" silent push that wakes the app to check for new mail quickly. This push carries no mail content whatsoever (content-free).
- What's collected: exactly two values — the Apple push token and the environment (development/production). The format blocks mail data from ever being included.
- Where stored: a temporary key-value store (KV) on the push relay server (Cloudflare Worker). Tokens are deleted automatically when they expire (APNs 410).
- Note: MailMail works even without notification permission.
2.4 Outlook / Microsoft 365 account (if applicable)
- If you connect an Outlook account, we authenticate via Microsoft sign-in (OAuth) and create a Microsoft Graph subscription for new-mail notifications.
- Subscription identifiers are mapped on the push relay server, but the verification secret is sent only as a hash (SHA-256), never the original, and no mail content is included.
- Microsoft auth tokens are stored only in the device keychain.
2.5 Anonymous usage statistics
- Purpose: minimal metrics for product improvement, such as which mail-provider connections fail often.
- Method: only anonymous aggregate counters in Cloudflare KV. We collect no personal identifiers, session IDs, or timestamps. We do not use third-party analytics SDKs such as Mixpanel, Firebase, or Google Analytics.
- Onboarding diagnostic events contain only closed classification values (provider, step, result code) with no free-text input.
2.6 Payment information
- Paid (Pro) purchases are handled by the Apple App Store (StoreKit). We do not access payment-method information such as card numbers. Receipt verification is performed on-device, with no separate server.
2.7 Reminders integration (Pro, optional)
- When you use the "to-dos → Reminders" feature, only the extracted to-do title and the mail-subject metadata are written to your Apple Reminders app (no body). This is data you own, not on our servers, and it happens only when you add it yourself with a single tap.
3. When information leaves the device (summary)
| Data | To where | What | Notes |
|---|---|---|---|
| Mail credentials | Your mail provider | Login info | Direct TLS. Never our servers |
| Mail body/subject | Your mail provider ↔ device | Mail data | Fetch only. Summary stays on device |
| APNs token | Apple → push relay server | Token + environment | No mail content |
| Reminders | Apple Reminders (yours) | To-do title | Only on your one-tap |
| Payment | Apple App Store | Payment processing | No access by us |
| Anonymous stats | Cloudflare KV | Aggregate counters | Not personally identifiable |
Email body, subject, sender, and credentials never reach us (the MailMail operator).
4. Third parties (processors and integrated services)
- Apple Inc. — App Store, StoreKit (payments), APNs (push), Reminders (iCloud), on-device AI models. (Apple Privacy Policy)
- Your mail service provider — Naver, Daum/Kakao, Google (Gmail), Microsoft (Outlook), or an IMAP server you enter directly.
- Microsoft — Microsoft Graph, only if you connect an Outlook/Microsoft 365 account.
- Cloudflare, Inc. — wake-hint silent push relay and anonymous aggregate counters. Mail credentials and bodies do not pass through it. (Cloudflare Privacy Policy)
We do not sell or provide your information to third parties for any purpose other than those above.
5. Retention and use period
- Credentials, body cache, summaries: exist only on your device and are removed when you delete the account or the app.
- APNs token: deleted from the relay server when the token expires or the app is deleted.
- Anonymous statistics: kept only as aggregate figures that cannot identify an individual.
6. Security measures
- Credentials and auth tokens are stored in the iOS keychain (device-only, sync disabled).
- On-device data such as the body cache is encrypted at rest.
- All external communication is encrypted with TLS.
- AI inference runs only on the device, so the body never crosses the network.
- Email bodies are never written to logs.
7. Your rights as a data subject
- Access, correction, deletion, suspension of processing: in-app data lives on your device, so you can exercise these directly by deleting the account or the app. For other requests, contact us below and we will act without undue delay.
- Withdrawing consent: permissions such as notifications and Reminders can be revoked at any time in iOS Settings.
8. Children under 14
MailMail is not directed to children under 14, and we do not knowingly collect personal information from children.
9. Privacy officer and contact
- Privacy officer: Name — TBD
- Contact email: [email protected] — TBD
You may also report privacy concerns to the Korean authorities below:
- Privacy Infringement Report Center (privacy.kisa.or.kr / dial 118)
- Personal Information Dispute Mediation Committee (kopico.go.kr / 1833-6972)
- Supreme Prosecutors' Office Cyber Investigation / National Police Agency Cyber Bureau
10. Changes to this policy
If this policy changes, we will post the effective date and the changes on this page. For significant changes, we will provide additional notice via in-app announcements or update notes.