Privacy Policy
Last updated: January 31, 2026
1. Who we are
MailAI ("we", "us") is an email management service operated by Jairo Caro. Contact: kidandcat@gmail.com.
2. What data we collect
- Account data — your email address, used for authentication via magic link.
- Email metadata — subject, sender, date, and a short snippet (first ~500 characters) of each email processed.
- OAuth tokens — access and refresh tokens from Google or Microsoft, used exclusively to connect to your mailbox via IMAP. Stored encrypted (AES-256) at rest.
- IMAP credentials — if you connect manually, your password is stored encrypted (AES-256) at rest.
- AI-generated data — summaries, classifications, and importance scores produced by our AI processing.
- User-defined rules — custom instructions you write to guide AI classification.
- Billing data — managed entirely by RevenueCat/Stripe. We do not store credit card numbers or payment details.
3. What we do NOT store
- Full email bodies — only a short snippet for context.
- Attachments — we do not download or store attachments.
- Payment card numbers — handled by our payment processor.
4. How we use your data
- To connect to your mailbox and fetch new emails.
- To generate AI-powered summaries and classifications.
- To execute email actions (archive, delete) on your behalf based on your rules.
- To authenticate you and manage your session.
5. Third-party services
We share data with the following services, solely for the purposes described:
- OpenRouter / AI providers — receive the email subject, sender, and body snippet to generate summaries. Processed per their privacy policy.
- Google — OAuth authentication and IMAP access to Gmail.
- Microsoft — OAuth authentication and IMAP access to Outlook.
- Resend — sends magic link login emails.
- RevenueCat / Stripe — process payments and subscriptions.
- Fly.io — hosts the application and database.
6. Data security
- All credentials and tokens are encrypted at rest using AES-256.
- All connections use HTTPS/TLS.
- IMAP connections use TLS.
- Sessions expire after 30 days.
7. Data retention
- Email summaries are retained until you delete your account or remove the connected email account.
- Login sessions expire after 30 days.
- Magic links expire after 15 minutes.
8. Your rights
You can at any time:
- Disconnect an email account from Settings, which stops all polling and removes stored tokens.
- Request deletion of your account and all associated data by contacting us.
- Revoke OAuth access from your Google or Microsoft account settings.
9. Cookies
We use a single session cookie for authentication. We do not use tracking cookies, analytics, or advertising cookies.
10. Children
MailAI is not intended for use by anyone under the age of 16.
11. Changes to this policy
We may update this policy from time to time. Changes will be posted on this page with an updated date.
12. Contact
For any questions about this policy or to request data deletion, contact us at kidandcat@gmail.com.