Privacy Policy
Last updated: June 2026
Introduction
Mailpipe ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
Information We Collect
Account Information
When you create an account, we collect:
- Email address
- Name
- Password (stored securely hashed)
- Payment information (processed by our payment provider, not stored by us)
Connected Applications & OAuth Tokens
When you connect Mailpipe to a third-party application or AI client (for example, connecting the Mailpipe connector to Claude), we create and store OAuth credentials that represent that authorization:
- The identity of the connected application (client name and ID)
- The scopes (permissions) you granted, such as reading or sending mail
- Access and refresh tokens that let the connected application act on your behalf within the granted scopes (stored hashed/encrypted, never shown in plaintext after issuance)
- When the authorization was granted and last used
Usage Data
We automatically collect certain information when you use our Service:
- IP address
- Browser type and version
- Operating system
- Pages visited and features used
- Time and date of access
- Error logs and performance metrics
Email Data
Where your email is stored depends on your plan. Mailpipe offers two storage modes:
- Mailpipe Cloud (default):your email — including message bodies, headers, and attachments — is stored in Mailpipe's managed Postgres database. We process and store this content in order to operate the inbox, run your routing rules, and deliver the Service. It is encrypted at rest and isolated per organization with row-level security. We do not sell it, use it for advertising, or read it except as needed to provide, secure, and support the Service or as required by law.
- Bring Your Own Supabase (BYOS): when you connect your own Supabase project, your email content is written to and stored in your database, not ours. In this mode Mailpipe routes and processes the message in transit but does not retain the stored content on its own servers.
In both modes we handle routing metadata (sender address, recipient address, subject line, timestamps) as needed to process and deliver your mail.
How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Process payments and manage your subscription
- Send important updates about the Service (security alerts, feature updates)
- Respond to customer support requests
- Monitor and analyze usage patterns to improve user experience
- Detect and prevent fraud, abuse, or security incidents
- Comply with legal obligations
How We Share Your Information
We do not sell your personal information. We may share your information with:
Service Providers
We work with third-party service providers who assist us in operating the Service:
- Payment processors (Stripe) for billing
- Database and cloud infrastructure providers (Supabase, Vercel) for hosting and storage
- Email delivery providers (Resend, and any provider you connect, such as Postmark, Mailgun, SendGrid, or AWS SES) to transmit your mail
- Analytics providers for usage insights
Connected AI Clients
If you connect Mailpipe to an AI client such as Anthropic's Claude, that client — acting on your behalf and at your direction — accesses the email data and actions covered by the scopes you granted. We share data with such a client only because you authorized it, only within the granted scopes, and only for as long as the authorization remains active. See “Connecting Mailpipe to an AI Client” below for details and how to revoke access.
Legal Requirements
We may disclose your information if required by law, such as in response to a subpoena, court order, or government request.
Business Transfers
If Mailpipe is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
Connecting Mailpipe to an AI Client (Claude / MCP)
Mailpipe can be connected to an AI client — for example, Anthropic's Claude — through OAuth and the Model Context Protocol (MCP). When you authorize such a connection, you are granting that client permission to act on your behalf within the specific scopes you approve on the consent screen.
Depending on the scopes you grant, the connected client can, on your behalf:
- Read mail (
mail:read): access the content, metadata, and attachments of your messages and threads - Send mail (
mail:send): send new emails, replies, and forwards from your connected addresses - Modify mail (
mail:write): archive, delete, star, and label messages - Manage drafts, mailboxes, and labels (
mail:drafts,mailbox:read,mailbox:write,labels:read,labels:write): as applicable to the scopes you granted
When the client reads or sends mail on your behalf, the relevant email content and metadata are transmitted to that client (e.g. to Claude) so it can perform the action you asked for. That data is then handled under the AI client's own privacy policy and terms. We grant access only within the scopes you approved, and only while the authorization is active.
Revoking access.You can revoke a connected client at any time. Disconnecting or removing the connector in the AI client (e.g. removing the Mailpipe connector in Claude's connector settings) revokes its authorization. You can also revoke the underlying OAuth token directly from your Mailpipe dashboard, which immediately invalidates the connected client's access and refresh tokens. Once revoked, the client can no longer read or send mail on your behalf.
Data Security
We implement industry-standard security measures to protect your information:
- TLS 1.2+ encryption for all data in transit
- Encryption at rest for stored data
- API keys hashed with SHA-256; provider credentials encrypted with AES-256-GCM
- Postgres row-level security isolating each organization's data
- Scoped API keys and authentication requirements on every request
However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
Data Retention
We retain your account information for as long as your account is active or as needed to provide you the Service. If you delete your account, we will delete your personal information within 30 days, except where we are required to retain it for legal purposes.
For Mailpipe Cloud organizations, your stored email is held for as long as your account is active. When you delete your account or remove data from the dashboard, the associated email content is deleted from our database, except where we are required to retain it for legal purposes. For BYOS organizations, your email lives in your own Supabase database, is not affected by deleting your Mailpipe account, and remains under your control.
Your Data Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information
- Portability: Request a copy of your data in a portable format
- Objection: Object to processing of your personal information
- Restriction: Request restriction of processing in certain circumstances
If you use BYOS, your email data is stored in your own database, so you have direct control — you can access, modify, or delete it at any time through Supabase. For Mailpipe Cloud, you can access, export, and delete your stored email from the dashboard at any time.
To exercise your rights regarding account data or stored email held with us, please contact us at privacy@mailpipe.dev.
Third-Party Services
Our Service integrates with third-party services that have their own privacy policies:
- Supabase:Mailpipe stores email data in Postgres on Supabase — in Mailpipe's managed project for Cloud organizations, or in your own project if you use BYOS. Review Supabase's Privacy Policy.
- Email Providers: Resend, Postmark, Mailgun, SendGrid, and AWS SES process emails on your behalf. Review their respective privacy policies (e.g. Resend's Privacy Policy).
- Stripe: Processes payments. Review Stripe's Privacy Policy.
- Anthropic (Claude): If you connect Mailpipe to Claude as an AI client, your authorized email data is processed by Anthropic under its own policies. Review Anthropic's Privacy Policy. This applies only if you choose to connect such a client.
Cookies and Tracking
We use cookies and similar technologies to:
- Essential cookies: Required for authentication and session management
- Preference cookies: Remember your settings and preferences
- Analytics cookies: Understand how users interact with our Service
We do not use cookies for advertising purposes or share cookie data with third parties for advertising.
You can control cookies through your browser settings. Note that disabling essential cookies may affect the functionality of the Service.
International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses where required.
Children's Privacy
Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will delete it immediately.
California Privacy Rights
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information we collect
- Right to delete your personal information
- Right to opt-out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your privacy rights
European Privacy Rights (GDPR)
If you are in the European Economic Area, you have additional rights under the General Data Protection Regulation:
- Right to lodge a complaint with a supervisory authority
- Right to withdraw consent at any time
- Right to object to processing based on legitimate interests
Our legal basis for processing your personal data includes:
- Contract performance (providing the Service)
- Legitimate interests (improving the Service, fraud prevention)
- Legal obligations (compliance with laws)
- Consent (where specifically requested)
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last updated" date
- Sending an email notification for significant changes
Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.
Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: privacy@mailpipe.dev
For data protection inquiries in the EU, you may also contact our Data Protection Officer at dpo@mailpipe.dev.