Privacy & data handling

Zero-retention AI, no training on your mail, metadata-light by design.

Aiemaily is designed so that your email never becomes someone else’s training data or ends up in a shared cloud cache. Here’s exactly what touches the network, what stays local, and how we keep it that way.

What lives where

Message bodies are stored in encrypted object storage and cached locally on your device. They are never held in a shared cloud cache accessible across accounts. What the server works with day-to-day is thread metadata — sender, subject, dates, labels — plus AI-generated summaries that you can inspect and delete.

Full message text is only touched during two operations: initial mailbox sync and AI-powered actions (drafting, triaging, summarising). Both are metered and written to the audit log.

No training on your mail

We never use your email content to train, fine-tune, or evaluate any model — ours or a third party’s. Cloud inference runs zero-retention: the model provider receives the prompt and returns a result; nothing is stored on their side beyond the request lifetime.

AI inference: zero-retention by design

All LLM calls are routed through OpenRouter, a single gateway that lets us pick the right model for each task without giving any one provider a persistent copy of your data. We configure every request for zero retention, meaning the provider must not log or store the prompt or completion.

When you supply a BYOK key, inference runs on your own provider account under your own terms — Aiemaily never sees the raw response in plaintext beyond the isolated worker that handles the call.

| Data type | Location | Who can read it |
| --- | --- | --- |
| Message bodies | Encrypted object storage + local device cache | You only (server decrypts for sync/AI ops) |
| Thread metadata | Server database | You only (object-level auth on every row) |
| AI summaries | Server database | You only (deletable on request) |
| OAuth / IMAP credentials | Envelope-encrypted; isolated worker only | Never readable in plaintext outside the worker |
| Audit log | Server (append-only) | You — and Aiemaily for support with consent |

Metadata minimisation

The server stores the minimum metadata needed to power the inbox view and AI triage: thread IDs, sender addresses, subject lines, timestamps, and label assignments. It does not store analytics events tied to individual messages, advertising identifiers, or cross-account behavioural profiles.

IP addresses are retained only in security logs (brute-force, anomaly detection) and are purged on a rolling 30-day window.

Audit trail

Every AI-initiated action — summary generated, draft created, label applied — is written to an immutable audit log scoped to your account. You can review the full log in Settings → Activity. Actions taken in Autopilot mode include the source email ID that triggered them, so you can always trace why something happened.

SOC 2 on the roadmap

Formal SOC 2 Type II certification is planned for later this year. In the meantime, the controls described here are live and auditable.
