
Privacy Policy

Last updated: February 10, 2026

At ZeppMail, your privacy is our top priority. This policy explains how we collect, use, and protect your information.

Privacy at a Glance

  • We never read your email content - only metadata (sender, subject, timestamp)
  • We never send emails on your behalf - we only modify emails you approve for cleanup
  • We never sell your data to third parties
  • All data is encrypted and you can delete it anytime

1. Information We Collect

1.1 Email Metadata

When you connect your email account, we collect and analyze metadata including:

  • Email sender addresses and display names
  • Email subject lines
  • Timestamps (when emails were sent/received)
  • Email headers and routing information
  • Attachment names (but not content)

Important: We do NOT access, read, or store the body content of your emails.

1.2 Account Information

We collect basic account information including:

  • Name and email address (from your authentication provider)
  • Profile picture (optional)
  • Account preferences and settings

1.3 Usage Data

We automatically collect information about how you use ZeppMail:

  • Pages visited and features used
  • Actions taken (e.g., creating filters, deleting emails)
  • Device information (browser type, operating system)
  • IP address and approximate location

2. How We Use Your Information

We use your information to:

  • Detect email bombing attacks: Analyze patterns to identify suspicious email floods
  • Provide personalized insights: Show you statistics about your email activity
  • Improve our service: Understand usage patterns and fix bugs
  • Communicate with you: Send important updates and security alerts
  • Ensure security: Prevent fraud and unauthorized access

We use machine learning models to analyze email metadata patterns, but these models run on aggregated, anonymized data and never on email content.

3. Data Sharing and Disclosure

We do NOT sell, rent, or trade your personal information. We only share data in these limited circumstances:

3.1 Service Providers

We work with trusted third-party services that help us operate ZeppMail:

  • Authentication: Clerk for user authentication and session management
  • Database: Supabase for secure data storage
  • Analytics: Privacy-focused analytics to improve our service

All service providers are contractually obligated to protect your data.

3.2 Legal Requirements

We may disclose your information if required by law, such as to:

  • Comply with legal processes or government requests
  • Protect our rights and property
  • Prevent illegal activity or security threats

4. Email Provider Access (Google & Microsoft OAuth)

When you connect your email account, we request the following OAuth permissions. We never send emails on your behalf.

4.1 Google (Gmail) Scopes

  • gmail.readonly — Read email metadata (sender, subject, timestamps) to detect email bomb attacks, spam floods, and phishing patterns
  • gmail.modify — Move, label, or delete emails identified as threats when you use the cleanup feature. We only modify emails you explicitly approve for cleanup
  • gmail.settings.basic — Read your Gmail filter settings to avoid conflicts with existing rules when applying threat-blocking filters

4.2 Microsoft (Outlook) Scopes

  • Mail.Read — Read email metadata to detect threats
  • Mail.ReadWrite — Move or delete emails identified as threats during cleanup
  • MailboxSettings.Read — Read mailbox settings to check existing rules
  • MailboxSettings.ReadWrite — Apply threat-blocking rules to your mailbox when you configure filters

4.3 How We Use This Access

  • We scan email metadata (sender, subject, timestamps) to detect email bomb attacks and phishing — we do NOT read email body content
  • We only modify or delete emails when you explicitly trigger the cleanup feature from your ZeppMail dashboard
  • We store OAuth tokens securely in encrypted form; tokens are deleted when you disconnect your account
  • We do NOT use your email data for advertising, profiling, or any purpose unrelated to email security

4.4 Revoking Access

You can revoke access at any time through:

When you revoke access, we immediately stop accessing your email account and delete stored OAuth tokens within 24 hours.

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Strict role-based access controls for our team
  • Regular Audits: Security audits and vulnerability assessments
  • Secure Infrastructure: Hosted on secure, compliant cloud infrastructure

However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide services:

  • Email Metadata: Retained for analysis and incident detection (30-90 days)
  • Account Information: Retained until you delete your account
  • Usage Logs: Retained for up to 90 days for security and debugging

When you delete your account, all your data is permanently removed within 30 days, except where we're required by law to retain certain information.

7. Your Rights

You have the following rights regarding your data:

  • Access: Request a copy of your data
  • Correction: Update or correct inaccurate data
  • Deletion: Request deletion of your data
  • Export: Download your data in a portable format
  • Revoke Access: Disconnect your email accounts at any time
  • Opt-out: Unsubscribe from marketing communications

To exercise these rights, contact us at support@zeppmail.com

8. Cookies and Tracking

We use essential cookies and similar technologies to:

  • Keep you logged in
  • Remember your preferences
  • Understand how you use our service

You can control cookies through your browser settings, but disabling them may affect functionality.

9. Children's Privacy

ZeppMail is not intended for users under 13 years of age. We do not knowingly collect information from children. If we discover that a child has provided us with personal information, we will promptly delete it.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure adequate safeguards are in place to protect your data in accordance with this privacy policy.

11. Changes to This Policy

We may update this privacy policy from time to time. We'll notify you of significant changes via email or through the service. Your continued use of ZeppMail after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this privacy policy or how we handle your data, please contact us:

ZeppMail Support

Email: support@zeppmail.com
