Privacy Policy
Last updated: March 29, 2026
ChainMail ("we", "our", "the app") is a desktop email client that connects to your Gmail account via Google's official API. This privacy policy explains what data we access, how it is used, and how it is protected.
1. Overview
ChainMail is a local-first application. Your email data is processed and stored entirely on your own computer. We do not operate servers that receive, store, or process your emails or personal information.
2. Google API Scopes & Data Access
When you sign in with your Google account, ChainMail requests the following permissions (scopes). Each scope is used solely for the purpose described below:
| Permission | What It Does | Why We Need It |
|---|---|---|
| gmail.modify | Read and modify your email (mark as read, archive, trash, label) | Core email client functionality — displaying and organizing your inbox |
| gmail.compose | Create and send new emails | Compose, reply, and forward emails from within ChainMail |
| gmail.labels | Create, rename, and delete Gmail labels | Manage your folder/label structure from the sidebar |
| userinfo.email | Read your email address | Display your account identity and set the "From" address on outgoing mail |
| userinfo.profile | Read your name and profile photo | Display your name in the app interface |
| contacts | Read and write Google Contacts | Autocomplete recipient addresses when composing email |
| contacts.other.readonly | Read "Other Contacts" (people you've emailed) | Include frequently-emailed addresses in autocomplete suggestions |
3. How Your Data Is Handled
3.1 Local Processing Only
All email data retrieved from Gmail is processed and cached locally on your computer in an encrypted SQLite database. Email content is never transmitted to any server operated by us.
3.2 No Cloud Sync
ChainMail does not sync your data to any cloud service. Your cached emails, contacts, settings, and attachments remain on the device where the app is installed.
3.3 OAuth Tokens
Your Google OAuth tokens (used to authenticate with Gmail) are encrypted at rest using your operating system's secure credential storage (Windows DPAPI / macOS Keychain). We never see or store your Google password.
3.4 AI Email Drafting (Optional)
ChainMail offers an optional AI drafting feature that uses a "Bring Your Own Key" (BYOK) model. If you choose to use this feature:
- You provide your own API key for a supported AI provider (OpenAI, Anthropic, Google, Grok, OpenRouter, or local Ollama)
- API requests are made directly from your computer to the AI provider — not through our servers
- Your API key is encrypted at rest using your operating system's secure storage
- We do not have access to your API keys or the content of your AI requests
- The email context sent to the AI provider is limited to the current email thread (truncated to 3,000 characters) and your drafted instructions
3.5 Attachments
Email attachments are downloaded and cached locally on your computer. They are stored in the app's data directory and are not uploaded to any external service.
4. Data We Collect
4.1 License Verification
When you activate a license key, the following information is sent to our license server:
- Your license key
- A unique device identifier (machine ID)
This is used solely to validate your license and enforce the activation limit. We do not collect your name, email address, or any email content during license verification.
4.2 Update Checks
If you enable automatic update checks, ChainMail will periodically check our update server for new versions. This request contains only the current app version number. No personal data is transmitted.
4.3 No Analytics or Tracking
ChainMail does not include any analytics, telemetry, crash reporting, or tracking software. We do not collect usage data, browsing habits, or behavioral information of any kind.
5. Data Sharing
We do not sell, rent, or share your personal information with any third parties. The only external services ChainMail communicates with are:
- Google APIs — to access your Gmail and Contacts (as authorized by you)
- AI providers — only if you configure the optional AI drafting feature (directly from your device)
- Our license server — for license key validation (license key and device ID only)
- Our update server — for checking app updates (version number only)
6. Data Retention & Deletion
Since your email data is stored locally on your computer:
- Uninstalling ChainMail removes all cached data, tokens, and settings from your machine
- Signing out deletes your OAuth tokens and cached email data
- Revoking access in your Google Account permissions immediately prevents ChainMail from accessing your Gmail data
7. Security
We take the security of your data seriously:
- OAuth tokens are encrypted at rest using OS-level secure storage
- AI API keys are encrypted at rest using OS-level secure storage
- License data is encrypted at rest
- Email HTML is sanitized with DOMPurify before rendering to prevent XSS attacks
- Content Security Policy (CSP) headers restrict code execution within the app
- All external API communication uses HTTPS/TLS
8. Children's Privacy
ChainMail is not directed at children under 13 years of age. We do not knowingly collect personal information from children.
9. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the app after changes constitutes acceptance of the revised policy.
10. Google API Services User Data Policy
ChainMail's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
11. Contact
If you have questions about this privacy policy or how your data is handled, contact us at:
Email: admin@chainmail.online