Privacy Policy

1. Introduction

Welcome to smtp-sync. We operate as a "Stateful Proxy" utility designed to bridge your legacy email accounts (POP3/IMAP) securely to your Gmail "Command Center". This Privacy Policy outlines how we handle your data, with a strong commitment to a Zero-Trust security model.

2. Data Collection & Authorization

To provide our services, we collect and securely store the following information:

• Google OAuth 2.0 Tokens: Used exclusively to authorize the users.messages.import API, allowing us to push emails to your Gmail inbox.
• Legacy Credentials: The usernames and passwords for your source POP3/IMAP servers required to establish the synchronization connection.

3. Zero-Trust Data Processing

Our architecture is built on a "No-Storage" binary streaming model. We believe that your email content is your own.

• No Content Persistence: Email bodies, attachments, and content are never persisted to our disks or databases.
• In-Memory Streaming: Our high-concurrency workers stream data directly from your source server to the Gmail API using temporary in-memory buffers.

4. Glass Box Audit (Metadata Logging)

To ensure high reliability and to give you full transparency into the health of your sync connections, we maintain a "Glass Box Audit" trail.

• What is Logged: We log only sync metadata, which includes timestamps, sender domains, delivery status, and message sizes.
• No PII in Logs: No email content or sensitive Personally Identifiable Information (PII) beyond metadata is visible or stored in these logs.
• Data Isolation: All metadata is strictly partitioned by user ID. You can view your own logs via your dashboard.

5. Third-Party Services

We utilize trusted third-party infrastructure to deliver our service:

• Google Cloud (Gmail API): For delivering synchronized mail.
• Stripe: For secure billing and subscription management.
• Neon.com & Metabase: For metadata ingestion and dashboard visualization.
• Fly.io & Cloudflare: For dedicated hardware and network security.