Security

We treat your inbox like our own.

• OAuth where possible. Gmail, Microsoft 365, and Yahoo use OAuth. IMAP credentials are accepted only when OAuth is unavailable.
• AES-256-GCM encryption for tokens, IMAP/SMTP credentials, and any user-provided AI keys.
• Per-tenant isolation. Every database query is scoped by team_id; default-deny.
• No AI training on your data. We enforce zero-retention / no-train flags on supported providers.
• Audit logs for every AI action and admin event. Exportable on Business and above.
• GDPR export and delete tooling. 16+ age requirement on signup.
• Default-off auto-send and auto-delete. Drafts queue for human approval until you opt in.