Privacy Policy

Last Updated: February 27, 2026

Privacy TL;DR: the short version, upfront

Email content stored after analysis: Never
Email content written to disk or database: Never
Used to train AI models: No
Sold to third parties: No
Human access to email content: No
Advertising or tracking pixels: No
What is stored: Hashed email address only (irreversible)
Processing time before deletion: Seconds (analysis only, in memory)
Third-party AI providers used: AI analysis APIs (see section 4)
Can I request deletion of my data: Yes (email support@mailpi.app)

The full policy below is the authoritative version. This table is a summary for convenience.

1. Who We Are

Mail P.I. is an AI-powered email security service operated as a small business. We provide automated phishing and scam detection by analyzing emails forwarded to check@mailpi.app. We are not a security corporation — we're a small team, and we take privacy seriously because we use this product ourselves.

2. What Happens When You Forward an Email

When you forward an email to check@mailpi.app, the following happens in sequence:

  1. The email is received by our email delivery provider and passed to our analysis system via webhook.
  2. The email content is held in memory and passed to two independent AI analysis APIs for simultaneous analysis.
  3. A risk report is generated and emailed back to you.
  4. The email content is discarded. It is never written to a database, file system, or log.

This entire process typically completes in under 30 seconds.

3. What We Store

We store the minimum necessary to operate the service:

  • Hashed email address — a one-way cryptographic hash (SHA-256) of your email address. This cannot be reversed to recover your address. It is used only to enforce scan limits and manage subscriptions.
  • Daily scan counter — a number (e.g. "3 scans today") associated with your hashed identifier. Resets daily. No content attached.
  • Subscription status — whether your hashed identifier is associated with a paid plan. Managed via our payment processor.
  • Verification tokens — temporary one-time tokens used to confirm email ownership for new users. Expire automatically after 1 hour.
  • Anonymized case IDs — a hashed case reference used to prevent duplicate processing of the same forwarded email. Not linked to your identity.

We do not store: email subject lines, email body content, sender or recipient addresses, attachments, or any part of the email being analyzed.

4. Third-Party Service Providers

Email content is transmitted to AI analysis providers solely for real-time analysis. We use API access only — not consumer-facing tools — which means your data is subject to their API data handling policies. API data is generally not used to train their models, but you should review their policies directly. Provider information is available on request at support@mailpi.app.

  • AI analysis providers — two independent APIs are used to cross-validate results. Both are accessed via API only, not consumer interfaces.

We also use the following infrastructure providers:

  • Email delivery provider — inbound and outbound email processing via webhook
  • Payment processor — subscription and billing management. We never see or store your card details.
  • Encrypted cache provider — encrypted at-rest storage for hashed metadata only
  • Application host — serverless compute and deployment infrastructure

5. Data Retention

  • Email content: zero retention — discarded immediately after analysis
  • Verification tokens: deleted automatically after 1 hour
  • Daily scan counters: expire automatically after 24 hours
  • Case IDs: expire after 24 hours
  • Hashed email and subscription status: retained while your account is active; deleted on request
  • Billing records: retained per our payment processor's policy and applicable financial regulations

6. Security

We take reasonable steps to protect the data we do hold:

  • All connections use TLS encryption in transit
  • Cached storage is access-restricted and encrypted at rest
  • Email addresses are never stored in plaintext — only as one-way SHA-256 hashes
  • No employee or contractor has access to email content (because we don't store it)
  • Verification tokens are single-use and expire after 1 hour

To report a security vulnerability, email support@mailpi.app. We will respond promptly.

7. Your Rights

You can contact us at any time to:

  • Request deletion of your hashed account data and scan history
  • Ask what data is stored in association with your email address
  • Unsubscribe from service emails
  • Exercise GDPR or CCPA rights where applicable

Because we only store hashed identifiers, we will ask you to provide your email address so we can compute the hash and locate your records. We cannot look up data by name — only by hashed email.

8. What We Don't Do

To be explicit:

  • We do not sell, rent, or share your data with advertisers
  • We do not use your email content to train AI models
  • We do not run advertising pixels or third-party trackers on this site
  • We do not share identifiable data with any third party except as described in section 4 above
  • We do not store email content under any circumstances

9. Changes to This Policy

If we make material changes to this policy, we will update the "Last Updated" date and, for significant changes, notify active subscribers by email. Continued use of the service constitutes acceptance of the updated policy.

10. Contact

Questions, deletion requests, or concerns:

Email: support@mailpi.app

We're a small team. You'll hear from a real person, not a support ticket system.