Privacy Policy

Effective date: February 25, 2026

1. Introduction

SipherMail ("we," "us," or "our") is operated by SipherMail. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our email service through our website (siphermail.com), iOS application, Android application, and any related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.

2. Information We Collect

2.1 Information You Provide

  • Account information: name, email address, and password when you create an account.
  • Profile data: display name, avatar photo, and language preference.
  • Email content: messages you send, receive, and draft, including subject lines, body text, attachments, and metadata (timestamps, headers, recipients).
  • Contacts: email addresses of people you communicate with, used for autocomplete suggestions.
  • Payment information: subscription purchases are processed by Apple (App Store), Google (Play Store), or Stripe (web). We do not store credit card numbers. We receive transaction confirmations and subscription status.
  • Support communications: messages you send to our support team.

2.2 Information Collected Automatically

  • Device information: device type, operating system version, unique device identifiers, and app version.
  • Log data: IP address, browser type, pages visited, time and date of access, and referring URLs.
  • Usage data: features used, frequency of use, interactions with the app, and performance metrics.
  • Push notification tokens: if you enable push notifications, we collect your device token to deliver notifications.
  • Cookies and similar technologies: session cookies for authentication, preference cookies for settings. See Section 8.

2.3 Information from Third Parties

  • OAuth providers: if you sign in via a third-party provider, we receive your name and email address.
  • Payment platforms: Apple, Google, and Stripe provide us with purchase confirmation, subscription status, and billing identifiers (no card details).

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide the Service: deliver, maintain, and improve email functionality including sending, receiving, searching, filtering, and organizing messages.
  • Account management: create and manage your account, verify your identity, and process subscription and billing.
  • AI features (opt-in only): when you explicitly enable AI features, we process email content on SipherMail's own infrastructure to provide summaries, rewriting, translation, smart replies, and Sipher AI. See Section 5 for details.
  • Security: detect and prevent fraud, abuse, spam, and security threats, including rate limiting, bot detection, and login verification.
  • Communications: send you service-related notices, security alerts, and support responses.
  • Analytics: understand usage patterns to improve the Service and fix bugs.
  • Legal compliance: comply with applicable laws, regulations, and legal processes.

4. Data Sharing and Disclosure

We do not sell your personal data. We share information only in these circumstances:

  • Service providers: trusted third parties that help us operate the Service (hosting, payment processing, email delivery infrastructure). These providers are contractually obligated to protect your data.
  • AI processing (opt-in): when you enable AI features, selected email content is processed on our own servers (see Section 5). This only occurs with your explicit consent.
  • Legal requirements: when required by law, subpoena, court order, or government request.
  • Safety: to protect the rights, property, or safety of SipherMail, our users, or the public.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.

5. AI Features and Data Processing

SipherMail offers optional AI-powered features including email summarization, translation, rewriting, smart reply suggestions, and a Sipher AI assistant.

5.1 Explicit Consent Required

AI features are disabled by default. Before any email content is processed by AI, you must explicitly opt in through an in-app consent dialog that explains what data is processed and for what purpose. You can disable AI features at any time in Settings.

5.2 What Data Is Sent

When you use an AI feature on a specific email or thread, only the content of that particular email (subject, body, and relevant thread context) and your prompt are processed. No other emails, contacts, or personal data are included.

5.3 AI Infrastructure

AI features are processed on SipherMail's own infrastructure. Your data is handled transiently and is not used for model training.

5.4 AI Data Retention

Your data is processed in real time and is not persistently stored. SipherMail does not retain AI-processed results beyond delivering them to you in the current session.

5.5 Your Control

You can revoke AI consent at any time via Settings → Sipher AI, or by enabling Privacy Mode in Settings → Privacy. When disabled, no email content is processed by AI.

6. Data Security

  • Encryption in transit: all communications between your device and our servers use TLS 1.2 or higher.
  • Encryption at rest: email content is encrypted at rest on our servers.
  • End-to-end encryption: SipherMail supports optional E2EE using RSA-4096 and AES-256-GCM. When enabled, messages are encrypted on your device before being sent to our servers. We cannot read E2EE-encrypted content.
  • Authentication security: passwords are hashed using industry-standard algorithms. Two-factor authentication (TOTP) is available. Login approvals are available for trusted device verification.
  • Access controls: data access is limited to authorized personnel on a need-to-know basis.

While we implement robust security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

7. Data Retention

  • Active accounts: we retain your data for as long as your account is active and as necessary to provide the Service.
  • Deleted emails: emails you delete are purged from our servers within 30 days.
  • Account deletion: upon account deletion request, all associated data (emails, contacts, settings, profile data) is permanently deleted within 30 days.
  • Backups: backup copies may persist for up to 90 days after deletion for disaster recovery purposes, after which they are permanently removed.
  • Legal obligations: we may retain certain data as required by applicable law.

8. Cookies and Tracking

  • Essential cookies: required for authentication and session management. Cannot be disabled.
  • Preference cookies: store your settings such as theme, language, and layout preferences.
  • Analytics: we collect aggregate, anonymized usage statistics to improve the Service. No third-party advertising trackers are used.

SipherMail does not serve advertisements and does not use third-party advertising or cross-app tracking technologies.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request correction of inaccurate or incomplete data.
  • Deletion: request deletion of your personal data. You can delete your account from Settings → Account.
  • Data portability: export your data in standard formats (available via Settings).
  • Restrict processing: request that we limit processing of your data.
  • Object: object to processing of your data for certain purposes.
  • Withdraw consent: withdraw consent for AI data processing at any time without affecting the lawfulness of prior processing.

To exercise your rights, contact us at contact@siphermail.com.

10. Children's Privacy

SipherMail is not intended for children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at contact@siphermail.com.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. We ensure appropriate safeguards are in place, including standard contractual clauses where applicable, to protect your data in accordance with this policy.

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through an in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us at contact@siphermail.com.

Last updated: February 25, 2026
