Privacy Policy

MailPlate is a unified inbox service operated by MailPlate Inc. (“MailPlate,” “we,” “us,” or “our”). This policy explains what information we collect, how we use it, who we share it with, and the controls you have over your data. It applies to the MailPlate web application and any related services that link to this policy.

If you have questions, contact us at hello@mailplate.com.

Information you provide directly

• Account details: email address, hashed password (or your identity provider’s subject identifier if you sign in with Google), display name.
• Mailbox credentials: OAuth tokens for Gmail, or IMAP/SMTP server hostnames, ports, usernames, and passwords for any custom email accounts you connect. Mailbox passwords and OAuth refresh tokens are encrypted at rest with AES-256-GCM before being written to our database.
• Support correspondence: any messages you send us when contacting support.

Information accessed from your mailbox

When you connect a mailbox, MailPlate accesses, displays, and (for actions you initiate) sends or modifies email on your behalf. This includes:

• Email metadata: From / To / Cc / Bcc addresses, Subject, Date, folder/label, message ID, thread ID, read state, attachment names and sizes.
• Email body content: plain-text and HTML message bodies of emails in folders you have authorized us to read.
• Attachments: streamed on demand from your mail provider; we do not permanently store full attachment contents on our servers (size and filename are cached for the inbox UI).

Information collected automatically

• Telemetry: page views, error reports, request timings, browser user agent, and IP address. We use this to keep the service running and to investigate abuse.
• Cookies: a session cookie issued by our authentication provider (Supabase) and a short-lived OAuth state cookie used solely to prevent CSRF on the Gmail connect flow. We do not use third-party advertising or tracking cookies.

MailPlate’s use and transfer to any other app of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements.

Specifically, when you connect a Gmail account, MailPlate requests the following OAuth scopes:

• gmail.readonly — to display your messages, labels, and threads in the unified inbox.
• gmail.send — to send replies, forwards, and new messages on your behalf when you click Send.
• gmail.modify — to mark messages as read/unread, archive, label, or trash messages on your behalf when you take those actions in the UI.
• userinfo.email — to identify which Google account is connected.

We commit that:

• We do not use Gmail data to train generalized or large language models.
• We do not sell Gmail data, transfer it for advertising, credit, or any unrelated purpose, or allow humans to read it except (a) with your explicit consent, (b) for security investigations, (c) to comply with applicable law, or (d) where the data is anonymized and aggregated for service-wide analytics.
• We use Gmail data only to provide and improve the unified inbox features users see in the MailPlate UI.

• Provide the service: render your inbox, sync new messages, deliver messages you send, search your mail, and apply your read/archive/label actions back to your provider.
• Operate and secure the service: rate-limit abuse, detect misuse, debug failures, and back up our own service-level metadata.
• Communicate with you: send transactional emails about your account (sign-in confirmations, security alerts, billing if applicable). We do not send marketing email without your opt-in.
• Comply with the law: respond to lawful requests from public authorities.

We share data only with the service providers we depend on to run MailPlate:

• Supabase — managed Postgres, authentication, and storage. Hosts our application database and your encrypted mailbox credentials.
• Vercel — application hosting, edge network, and serverless functions.
• Google — Gmail API and Google Sign-In, when you connect a Gmail account or sign in with Google.
• Your IMAP/SMTP providers — directly contacted from our servers when you connect a non-Gmail account, using the credentials you provided.

We do not sell your personal data. We do not share Gmail or mailbox content with advertisers, data brokers, or unrelated third parties.

• Account record: retained as long as your account is active.
• Cached message metadata and body content: retained for as long as the underlying email exists in the connected mailbox, plus a short cache window so the inbox loads quickly. When you delete a message in MailPlate (which deletes it at the provider), the cached copy is purged within 30 days.
• Encrypted mailbox credentials: retained until you disconnect the account, at which point they are deleted from our database.
• Server logs and telemetry: retained up to 90 days for security and debugging, then purged.

• Disconnect a mailbox at any time from the MailPlate dashboard. We immediately stop syncing that account and delete the stored credentials.
• Revoke Google access from https://myaccount.google.com/permissions. Revocation invalidates our refresh token immediately.
• Delete your account by emailing hello@mailplate.com. We will delete your account record, all encrypted credentials, and all cached mailbox data within 30 days, except where retention is required by law.
• Access, correct, port, or restrict processing of your personal data — if the GDPR, UK GDPR, CCPA, or another applicable law gives you those rights, contact us at the address above and we will respond within the statutorily required window.
• Lodge a complaint with your local data-protection authority if you believe we have mishandled your data.

• All traffic to MailPlate is served over HTTPS / TLS.
• IMAP and SMTP connections from our servers to your mail provider use TLS.
• Mailbox passwords and OAuth refresh tokens are encrypted at rest with AES-256-GCM using a key held outside the database.
• Database access is restricted by row-level security policies tied to your authenticated user ID.
• We rate-limit authentication and OAuth callback endpoints to limit credential stuffing and replay.

No system is perfectly secure. If you suspect unauthorized access to your account, email hello@mailplate.com immediately.

MailPlate is operated from the United States. By using the service from outside the US, you consent to your data being transferred to and processed in the United States and other jurisdictions where our service providers operate.

MailPlate is not directed to children under 13 (or under 16 in the EEA), and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us so we can delete it.

We may update this policy from time to time. Material changes will be announced via email or an in-app notice at least 30 days before they take effect. The “Last updated” date at the top reflects the most recent revision.

MailPlate Inc.
Email: hello@mailplate.com