Privacy Policy

1. Who We Are

Carbonmail is a browser‑based email client that connects to your existing Gmail account. It is designed to help you organize and act on your email more efficiently while keeping your data on your device as much as possible. This Privacy Policy explains how Carbonmail handles your information.

2. What This Policy Covers

This Policy applies to your use of the Carbonmail web application (the “Service”). It does not apply to Gmail itself or to any third‑party services (such as Google), which have their own privacy policies.

3. Data We Access

3.1 Gmail account data

When you authorize Carbonmail via Google OAuth, the Service may access:

  • Email messages and message content
  • Message metadata (such as subject, sender, recipients, timestamps, labels, and thread IDs)
  • Labels and folders
  • Your email address and basic Google profile information (name and profile picture)

This access is required to display, organize, and send email on your behalf as an email client.

3.2 Local app data

Carbonmail may store the following locally in your browser:

  • App settings and preferences
  • Keyboard shortcuts and UI configurations
  • Local classification signals (for example, how messages are grouped into Today, Decide, Act, Respond, or Review)
  • Caches to speed up loading and offline behavior, where supported

3.3 Optional diagnostic data

By default, Carbonmail does not collect usage analytics or diagnostics about how you use the Service. If we later introduce optional diagnostics or analytics, we will describe what is collected and how it is used, and where required, ask for your consent.

4. How We Process Your Data

4.1 Local processing in your browser

Carbonmail is built as a client‑side web application:

  • The app runs in your browser and communicates directly with Google’s Gmail APIs over HTTPS.
  • Email content is processed locally in your browser; we do not operate a server that ingests or stores your email messages.
  • A small on‑device AI model and rule engine may classify emails into categories (such as Decide, Act, Respond, Review) and detect tasks, decisions, and dates based on email content, all on your device.

4.2 Storage

  • Your emails remain in your Gmail account.
  • Carbonmail may store settings and cached data in your browser’s storage (for example, localStorage, IndexedDB, or similar).
  • We do not create separate server‑side copies of your mailbox.

5. What We Do Not Do

To protect your privacy:

  • We do not sell, rent, or trade your email content or personal information with advertisers or data brokers.
  • We do not use your email content for ad targeting.
  • We do not train remote models on your email content.
  • We do not maintain server copies of your inbox.

6. Use of Google APIs

Carbonmail uses Google’s Gmail API and related Google Workspace APIs to provide the Service.

  • Access is granted via Google OAuth, and you can revoke it at any time in your Google Account settings.
  • We request only the scopes needed to read, organize, and send email, and to apply labels or metadata to support features like the Today view.
  • We use Gmail data solely to provide you with email client functionality and related productivity features, in accordance with Google’s API Services User Data Policy.

7. Security and Protection Features

7.1 Transport security

  • All communication between your browser and Google’s APIs uses HTTPS/TLS.
  • The Carbonmail domain uses HTTPS by default.

7.2 Tracking pixel and remote image protection

To reduce third‑party tracking:

  • Carbonmail may block remote images and common tracking pixels (such as 1×1 images or images with tracking identifiers) by default.
  • When this happens, the Service may display an in‑app notice (for example, “Tracking blocked · Load images?”).
  • If you choose to load remote images, they will be fetched for that email, and some tracking may occur as it would in a normal email client.

7.3 Link screening

To help you avoid phishing and tracking links:

  • When you click a link in an email, Carbonmail may first display a link‑safety screen.
  • The Service may locally inspect the URL, remove obvious tracking parameters (such as utm_ tags), and highlight the destination domain.
  • The screen may indicate whether the link appears safe or unusual, and remind you to be careful with links received via email.
  • Link screening is performed locally; link content is not sent to our servers.

7.4 Sender authenticity and look‑alike detection

To help you assess whether a sender appears genuine:

  • Carbonmail may parse authentication headers (such as SPF, DKIM, and DMARC results) provided by receiving mail servers.
  • The app may display a simple indicator (for example, “Verified sender” or “Unverified sender”) based on these results.
  • Carbonmail may compare sender domains to common brand domains to detect visually similar look‑alike domains (for example, rnicrosoft.com vs microsoft.com) and display a warning when appropriate.
  • These checks are performed locally and are informational; they do not guarantee that a message is safe.

8. Cookies and Local Storage

  • Carbonmail does not rely on third‑party tracking cookies.
  • The app may use browser storage (such as localStorage, sessionStorage, IndexedDB, or equivalent) to remember your settings, preferences, and cached data.
  • If we introduce first‑party analytics or error tracking in the future, we will describe what is stored and how to control it.
  • You can clear Carbonmail’s local data at any time using your browser’s site‑data or storage settings.

9. Your Choices and Controls

You have several ways to control your data:

  • Revoke Gmail access: You can remove Carbonmail’s access to your Gmail account at any time from your Google Account’s security settings under third‑party access. After revocation, Carbonmail will no longer be able to read or send email on your behalf.
  • Browser storage: You can clear Carbonmail’s local data through your browser’s privacy or site‑data settings.
  • In‑app controls: Where available, you can adjust settings such as image loading, tracking protection, and security prompts directly in the app.

10. Data Retention

  • Email data remains in your Gmail account as controlled by you and Google.
  • Carbonmail retains data only in your browser storage for as long as you use the app or until you clear it.
  • Because we do not maintain server‑side copies of your mailbox, there is no separate server retention period for your emails.

11. Children’s Privacy

The Service is intended for professional and general‑audience use and is not directed to children under 13, or any higher age where local law imposes additional requirements. We do not knowingly collect information from children. If we become aware that a child is using the Service in violation of this section, we will take reasonable steps to disable use as appropriate.

12. International Use

  • Carbonmail can be accessed from different countries.
  • Email content remains stored in Gmail and subject to Google’s data‑center and jurisdiction practices.
  • Carbonmail itself does not transfer your email content to our own servers in other countries.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

  • When we make changes, we will update the “Last updated” date at the top of this page.
  • If changes are significant, we may provide an in‑app notice or prompt when you next use the Service.

14. Contact

If you have questions about this Privacy Policy or about how Carbonmail handles information, please use the contact method provided within the app or on the Carbonmail website.

Last updated: January 2026