Privacy Policy
Last updated: March 10, 2026
1. Introduction
RuneMail ("we," "our," or "us") values your privacy. This Privacy Policy explains how we collect, use, share, and protect your information when you use our website, mobile application, and services (collectively, the "Service").
2. Information We Collect
2.1 Information You Provide Directly
- Account credentials (email address, password)
- Profile information (name, avatar, preferences)
- Email content you process through our service
- Communication preferences and settings
- Customer support inquiries and feedback
2.2 Information Collected Automatically
- Device information (IP address, browser type, OS)
- Usage data (features accessed, actions taken, time spent)
- Email open/read events and tracking metadata
- Gmail metadata (headers, sender info, timestamps)
- Cookies and similar tracking technologies
2.3 Gmail API Data
RuneMail integrates with Gmail via the Gmail API. We request permission to: read your emails, send emails on your behalf, and manage your drafts. This data is stored securely on our servers (Supabase PostgreSQL) and encrypted in transit.
3. How We Use Your Information
- Process and analyze emails (categorization, summarization, urgency detection)
- Generate AI-powered drafts and suggestions
- Detect meetings and manage scheduling
- Send emails and track delivery status
- Provide customer support and respond to inquiries
- Improve service performance and user experience
- Enforce our Terms of Service and legal obligations
- Prevent fraud and unauthorized access
4. Data Storage & Security
Database: Your data is stored in Supabase (PostgreSQL) with Row-Level Security (RLS) enabled on all tables. Only your account can access your data.
Encryption: Gmail OAuth tokens are encrypted at rest using Fernet encryption. Email data is encrypted in transit via HTTPS.
AI Processing: You can choose to process emails locally in your browser (WebLLM) for maximum privacy, or server-side with Cerebras AI. Local processing keeps your data on your device.
Backup & Retention: We retain email data for as long as your account is active. You may request deletion at any time, and we will remove your data within 30 days.
5. Third-Party Services
RuneMail integrates with the following third-party services:
- Google Services: Gmail API, Google Calendar. See Google's Privacy Policy.
- Cerebras AI: Cloud AI processing provider. In cloud or hybrid AI mode, email content is sent to Cerebras AI to perform categorization, summarization, and action extraction. See Cerebras's Privacy Policy.
- Supabase: Database, authentication, and edge function hosting. See Supabase's Privacy Policy.
- Vercel: Frontend hosting provider. See Vercel's Privacy Policy.
6. Data Sharing
We do not sell your email data. Email content may be shared only in the following circumstances:
- Cerebras AI (cloud/hybrid mode): Email content is sent to Cerebras AI solely to perform the AI features you requested (categorization, summarization, action extraction). You can avoid this entirely by switching to local AI mode in Settings.
- Legal obligations or court orders
- Enforcement of our Terms of Service
- Protection of our rights, privacy, or safety
- Infrastructure providers under confidentiality agreements (Supabase, Vercel)
RuneMail's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
7. Your Rights
Depending on your location, you may have the following rights:
- Right to Access: Request a copy of your data
- Right to Deletion: Request deletion of your account and data
- Right to Portability: Export your data in a machine-readable format
- Right to Opt-Out: Disable certain data collection practices
To exercise these rights, contact us at privacy@runemail.org.
8. Cookies & Tracking
RuneMail uses cookies to:
- Maintain your session and authentication state
- Store your preferences (theme, AI mode, language)
- Track email opens and engagement (via unique pixel URLs)
- Analyze anonymized usage patterns to improve the service
You may opt out of email tracking by disabling it in Settings or declining cookies in your browser.
9. Children's Privacy
RuneMail is not intended for children under 13. We do not knowingly collect information from children. If we become aware that a child under 13 has provided us with personal information, we will delete such information and terminate the child's account.
10. International Users
If you are accessing RuneMail from the European Union, the United Kingdom, or other regions with data protection laws, your data is processed in accordance with the General Data Protection Regulation (GDPR) and equivalent local laws. This Privacy Policy constitutes our data processing disclosure. For questions, contact us at privacy@runemail.org.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you by updating the "Last Updated" date and, in the case of material changes, by sending you a notice or requiring your consent before the changes take effect.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
RuneMail Privacy Team
Email: privacy@runemail.org