GingerMailGingerMail
← Back to GingerMail

Privacy policy

GingerMail runs entirely on your own machine and connects directly to your mail providers. There is no backend service holding your data. Here is exactly what that means.

Last updated: 2026-05-27

What stays local

Everything mail-shaped stays on your machine:

  • Mail headers, bodies, and attachments are cached in an encrypted SQLite database under your OS user-data directory.
  • The database is encrypted at rest with SQLCipher. The encryption key is generated once on first launch and stored in your OS keychain (macOS Keychain, Windows DPAPI via Electron safeStorage).
  • Account passwords, OAuth tokens, and AI API keys live in that same OS keychain.

What goes off your machine, and where

A short, honest list. Most of it only happens because you asked for it:

  • Mail sync (always): your credentials and API calls go to the mail provider you configured. Remove the account to stop it.
  • Slack (opt-in): your token and Web API calls go toslack.com. Disconnect any time.
  • Cloud AI (opt-in): the text you asked AI to act on, plus your prompt, goes to the vendor you chose. Set AI to Off or Local to stop it.
  • Local AI:nothing leaves — the Ollama sidecar runs on loopback only.
  • Auto-update (off by default): app version, OS, and arch on an update check, to our static update host.
  • One-click unsubscribe:an HTTPS request to the sender’s unsubscribe URL, only when you click it.

Things we explicitly do NOT do

  • We do not run a backend. No mirror of your mail exists on our servers, because we have no servers (except the static update host).
  • We do not have analytics, telemetry, or crash-reporting beacons. The desktop app does not contact our domain on launch.
  • We do not sell, share, or aggregate user data. We don’t have it.
  • We do not log into your mail provider on your behalf. We just store your tokens so the app can use them.

Privacy posture for cloud AI

  • Egress allowlist.The app only allows outbound HTTP to the configured vendor’s host. Anything else is blocked at the network layer.
  • PII redaction toggle. Optionally rewrites card numbers, SSNs, phone numbers, IBANs, OTP codes, and email addresses to placeholders before the request leaves your machine.
  • Per-message AI badge. Every AI summary or draft carries a provenance string so you always see where your data went.
  • Sensitive-account block. Tag accounts as Sensitive and AI calls for them are blocked even in cloud mode.

Children

GingerMail is not designed for users under 13. Please don’t use it if you are.

Contact

Questions? Email privacy@gingermail.app or open a non-security issue tagged privacy on GitHub.