Privacy Policy

Last updated: 6/1/2026

1. Introduction

Welcome to smtp-sync. We operate as a "Stateful Proxy" utility designed to bridge your legacy email accounts (POP3/IMAP) securely to your Gmail "Command Center". This Privacy Policy outlines how we handle your data, with a strong commitment to a Zero-Trust security model.

2. Data Collection & Authorization

To provide our services, we collect and securely store the following information:

  • Google OAuth 2.0 Tokens: We store refresh tokens used exclusively to authorize the users.messages.import API. These tokens allow us to push emails to your Gmail inbox and are managed via Google's secure OAuth 2.0 flow.
  • Mailbox Credentials: The usernames and passwords for your source POP3/IMAP servers. These are required to establish the synchronization connection.

3. Data Protection Mechanisms

We take the security of your sensitive data seriously and implement the following protection mechanisms:

  • Encryption at Rest: All sensitive credentials, including your legacy mailbox passwords and Google OAuth tokens, are encrypted at rest using industry-standard AES-256 encryption.
  • Encryption in Transit: All data transfers between our servers, your legacy email providers, and Google APIs are conducted over secure TLS (Transport Layer Security) encrypted connections.
  • Data Isolation: Your data is strictly isolated at the database level, ensuring that your credentials and metadata are only accessible to the synchronization processes associated with your account.

4. Zero-Trust Data Processing

Our architecture is built on a "No-Storage" binary streaming model. We believe that your email content is your own.

  • No Content Persistence: Email bodies, attachments, and content are never persisted to our disks or databases.
  • In-Memory Streaming: Our high-concurrency workers stream data directly from your source server to the Gmail API using temporary in-memory buffers that are cleared immediately after the transfer.

5. Data Retention & Deletion

We adhere to strict data retention policies to ensure you have full control over your information:

  • Retention Period: We retain your mailbox credentials and sync metadata only for as long as your synchronization task remains active in our system.
  • User-Initiated Deletion: You can delete any mailbox connection or your entire account at any time through the dashboard.
  • Immediate Wiping: Upon deletion, all associated sensitive data (including encrypted passwords and OAuth tokens) and sync history are permanently removed from our active databases immediately.
  • Google User Data: If you revoke access via your Google Security settings or delete your account within smtp-sync, all Google-sourced tokens and associated metadata are destroyed.

6. Glass Box Audit (Metadata Logging)

To ensure high reliability and to give you full transparency into the health of your sync connections, we maintain a "Glass Box Audit" trail.

  • What is Logged: We log only sync metadata, which includes timestamps, sender domains, delivery status, and message sizes.
  • No PII in Logs: No email content or sensitive Personally Identifiable Information (PII) beyond metadata is visible or stored in these logs.
  • Data Isolation: All metadata is strictly partitioned by user ID. You can view your own logs via your dashboard.

7. Third-Party Services

We utilize trusted third-party infrastructure to deliver our service:

  • Google Cloud (Gmail API): For delivering synchronized mail.
  • Mailjet: For sending system notifications and error alerts.
  • Stripe: For secure billing and subscription management.
  • Neon.com: For metadata ingestion and dashboard visualization.
  • Fly.io & Cloudflare: For dedicated hardware and network security.

8. Google API Disclosure

Our use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

We do not use your Gmail data (including message content and metadata) to serve advertisements or for any marketing purposes.

Important: We do not use, sell, or transfer your Gmail data for the purpose of training or improving generalized Artificial Intelligence (AI) or Machine Learning (ML) models.

← Back to Home