Privacy Policy

1. Introduction

Conduit Mail ("Conduit Mail," "we," "us," or "our") is operated by Conduit Labs LLC, a New York limited liability company based in New York, NY. This Privacy Policy explains how we collect, use, store, and protect your information when you use our AI-powered email client available at in.conduitmail.app (the "Service").

By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

For questions about this policy, contact us at privacy@conduitmail.app.

2. Information We Collect

2.1 Account Information

When you sign in via Google or Microsoft, we receive:

• Your email address
• Your display name and profile photo (as provided by the identity provider)
• OAuth tokens (used to access your email on your behalf)

When you connect an email account via IMAP/SMTP (e.g., Yahoo, AOL, iCloud, Fastmail, or a custom mail server), we collect:

• Your email address
• Your IMAP/SMTP credentials (username and app-specific password)
• Your mail server hostname, port, and connection settings

2.2 Email Data

When you connect your email account, we access the following via the Gmail API, Microsoft Graph API, or IMAP protocol (depending on your email provider):

• Email messages (subject, body, headers, attachments metadata)
• Labels, folders, and mailbox metadata
• Contact information associated with your messages

Important: Email content is stored locally in your browser using IndexedDB. We do not store the content of your emails on our servers. For IMAP accounts, email data is fetched via our server (which acts as a proxy to your mail server) but is not persisted server-side — it is transmitted to your browser and stored only in your local IndexedDB database.

2.3 User-Created Content

You may create the following within the Service, which is stored server-side:

• Email rules and automation configurations (including webhook URLs you configure)
• Account settings and preferences
• AI memory and personalization data — this includes conversation context, preferences, and instructions you provide to the AI assistant so it can better assist you over time
• Blocked sender lists

2.4 Automatically Collected Information

• Usage analytics (pages visited, features used) via PostHog
• Error and crash reports via Sentry
• Device and browser information (user agent, screen size)

3. How We Store Your Data

3.1 Local Storage (Your Browser)

Email messages, threads, and labels are stored in your browser's IndexedDB. This data never leaves your device except when sent to our AI provider for AI features you explicitly invoke. You control this data through your browser settings and can delete it at any time by clearing site data.

3.2 Server-Side Storage (Google Cloud)

We store the following in Google Cloud Firestore:

• User account records (email, name, provider, subscription status)
• Email rules and automation settings
• User preferences and AI memory
• Encrypted OAuth tokens (for Google and Microsoft accounts)
• Encrypted IMAP/SMTP credentials (for IMAP-connected accounts — see Section 3.3)

3.3 IMAP/SMTP Credential Storage

If you connect an email account via IMAP/SMTP, your credentials (including your app-specific password, server hostname, and port) are encrypted as a single blob using AES-256-GCM before being stored in our database. Credentials are decrypted only in server memory for the duration of an IMAP or SMTP operation and are never written to disk in plaintext or logged. You may delete your stored IMAP credentials at any time by removing the connected account from the Service.

3.4 Encryption

OAuth tokens and IMAP/SMTP credentials are encrypted at rest using AES-256-GCM with a server-managed encryption key before being stored in our database. All data in transit is protected by TLS encryption. Firestore data is additionally encrypted at rest by Google Cloud's built-in encryption.

4. How We Use Your Data

• Provide the Service: Access and display your email (via API or IMAP), sync labels and folders, apply rules, send email (via API or SMTP), and manage your inbox.
• AI Features (Managed): When you use AI features (summarization, drafting, search, rules), relevant email content is sent to Anthropic's Claude API for processing via our servers. Anthropic automatically deletes this data after 30 days and does not use it for model training.
• AI Features (Bring Your Own Key): If you provide your own Anthropic API key, AI requests are sent directly from your browser to Anthropic under your own API agreement with Anthropic. In this mode, we do not intermediate or have access to the data sent to Anthropic — Anthropic's own terms and data policies govern that data.
• Webhooks: If you configure automation rules with webhook actions, email data (such as sender, subject, and AI-generated summaries) may be sent to external URLs that you specify. You are responsible for the privacy and security practices of any third-party services you connect via webhooks.
• Product Analytics: We use PostHog to understand how the Service is used so we can improve it. No email content is sent to PostHog.
• Error Tracking: We use Sentry to detect and fix bugs. Personally identifiable information is scrubbed from error reports. No email content is sent to Sentry.
• Communication: We may send you service-related emails (security alerts, major changes) to the email address associated with your account.

5. Third-Party Services

We rely on the following third-party services (subprocessors) to provide the Service:

• Google (Gmail API, Firebase Authentication, Cloud Firestore, Cloud Run) — Email access, user authentication, data storage, and server hosting.
• Microsoft (Microsoft Graph API) — Email access for Microsoft/Outlook accounts.
• Anthropic (Claude API) — Powers AI features. Email content sent for processing is automatically deleted after 30 days and is never used for model training per Anthropic's data policy.
• PostHog — Product analytics. No email content is sent to PostHog.
• Sentry — Error tracking and performance monitoring. PII is scrubbed; no email content is sent.
• Stripe — Payment processing (when paid plans are available). Stripe receives your payment method details, billing address, and transaction information. We do not store full credit card numbers on our servers. Stripe's handling of your payment data is governed by the Stripe Privacy Policy.
• Third-party mail servers — If you connect an IMAP/SMTP account (e.g., Yahoo, AOL, iCloud, Fastmail), our server communicates with your email provider's mail servers using your encrypted credentials to fetch and send email on your behalf.
• User-configured webhooks — If you set up webhook automations, email metadata and AI-generated content may be sent to external services of your choosing. These services are not our subprocessors — they operate under your own relationship with those services.

All subprocessors listed above process data in the United States. By using the Service, you consent to the transfer and processing of your data in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, please see Section 9 regarding the legal basis for this transfer.

6. Google API Services User Data Policy

Conduit Mail's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Conduit Mail:

• Only uses Google user data to provide and improve the email client functionality described in this policy.
• Does not use Google user data to develop, train, or improve artificial intelligence or machine learning models, whether generalized or personalized, without your explicit consent.
• Does not transfer Google user data to third parties except (a) as necessary to provide the Service (e.g., sending email content to Anthropic when you invoke AI features), (b) as required by law, or (c) with your explicit consent.
• Does not use Google user data for serving advertisements.
• Does not allow humans to read Google user data unless: (a) you have given affirmative consent, (b) it is necessary for security purposes (e.g., investigating abuse), or (c) it is required by law.

7. Data Retention & Deletion

• Account deletion: You may request account deletion at any time. Upon request, your account enters a 30-day soft-delete grace period during which you can reactivate it. After 30 days, all server-side data (account record, rules, settings, encrypted OAuth tokens, and encrypted IMAP/SMTP credentials) is permanently and irreversibly erased.
• Immediate erasure: If you require immediate erasure (e.g., under GDPR), contact us at privacy@conduitmail.app and we will process the request promptly.
• Local data: Data stored in your browser (IndexedDB) is under your control. You can delete it at any time by clearing site data for in.conduitmail.app in your browser settings.
• AI processing data: Email content sent to Anthropic for AI features is automatically deleted by Anthropic within 30 days of processing.

8. Data Breach Notification

In the event of a security breach that compromises the confidentiality of your personal data, we will:

• Notify affected New York residents within 30 days of discovering the breach, as required by the New York SHIELD Act (NY Gen. Bus. Law § 899-aa).
• Notify the New York Attorney General, the New York State Police, and the New York Department of State's Division of Consumer Protection as required by law.
• Notify affected residents of other states in accordance with their applicable breach notification laws.
• If required by GDPR, notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay.

Notification will include, to the extent known: the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate personal data.
• Erasure: Request deletion of your personal data.
• Data Portability: Request a machine-readable export of your data.
• Objection: Object to processing of your personal data for certain purposes.
• Restriction: Request that we limit how we use your data.
• Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing performed prior to withdrawal.
• Non-Discrimination: Under the CCPA, you have the right not to receive discriminatory treatment for exercising your privacy rights.

9.1 GDPR (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, the legal bases for our processing of your personal data are: (a) performance of our contract with you (providing the Service), (b) your consent (e.g., when you invoke AI features or connect an email account), and (c) our legitimate interests (e.g., product improvement, security, and fraud prevention), balanced against your rights. You may lodge a complaint with your local data protection authority if you believe your rights have been violated.

Data transferred from the EEA/UK to the United States is transferred pursuant to appropriate safeguards, including the EU-U.S. Data Privacy Framework where applicable, or on the basis of your explicit consent.

9.2 CCPA / CPRA (California)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

• Right to Know: You may request the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to Correct: You may request correction of inaccurate personal information.

Categories of personal information collected: Identifiers (email address, name); internet or electronic network activity information (usage analytics, error reports); and account credentials (OAuth tokens, IMAP credentials, stored encrypted).

To exercise any of these rights, contact us at privacy@conduitmail.app. We will respond within 30 days (or 45 days for CCPA requests, with notice if an extension is needed). We may need to verify your identity before fulfilling your request.

10. Security

• All data in transit is encrypted via TLS.
• OAuth tokens and IMAP/SMTP credentials are encrypted at rest using AES-256-GCM with a server-managed key.
• IMAP credentials are decrypted only in server memory for the duration of an IMAP/SMTP operation and are never logged or written to disk in plaintext.
• Firestore data is additionally encrypted at rest by Google Cloud.
• Email content is not stored on our servers — our local-first architecture means your messages stay in your browser.
• We implement reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of personal information, consistent with the requirements of the New York SHIELD Act (NY Gen. Bus. Law § 899-aa).

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your personal data, we cannot guarantee its absolute security.

If you discover a security vulnerability, please report it to security@conduitmail.app.

11. Cookies & Tracking Technologies

The Service uses the following cookies and similar technologies:

• Authentication cookies/tokens: Essential for keeping you signed in. These are strictly necessary for the Service to function and cannot be disabled.
• Local storage (IndexedDB, localStorage): Used to store your email data, preferences, and application state locally in your browser. This is core to the Service's local-first architecture.
• PostHog analytics: Uses cookies and similar technologies to collect anonymous usage data (pages visited, features used). No email content is collected. You can opt out of PostHog tracking by enabling your browser's "Do Not Track" signal or by contacting us at privacy@conduitmail.app.
• Sentry error tracking: May set cookies for session tracking when capturing error reports. PII is scrubbed; no email content is collected.

We do not use advertising cookies or tracking pixels. We do not engage in cross-site tracking or behavioral advertising.

12. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will promptly delete it. If you believe a child under 13 has provided us with personal data, please contact us at privacy@conduitmail.app.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact

If you have any questions about this Privacy Policy or our data practices, please contact:

Conduit Labs LLC
New York, NY
Email: privacy@conduitmail.app