Honest about what we do - and don't do - with your mail.
SuperMail is a hosted email app. That means your messages live on our infrastructure. Here's the full picture so you can decide if we're a fit.
Where data lives
- Mailbox metadata (sender, subject, thread IDs, read state) lives in a managed PostgreSQL database with encryption at rest.
- Message bodies and attachments live in object storage with server-side encryption. Access is scoped per-workspace via time-limited signed URLs.
- IMAP/SMTP credentials and OAuth refresh tokens live in a dedicated secrets manager, never in the application database.
- Message bodies are redacted from logs; we retain only request metadata.
In transit
- TLS 1.2+ everywhere - web, mobile, and provider connections.
- IMAP / SMTP / submission (587) require STARTTLS or implicit TLS.
- Outbound mail is signed with DKIM on your custom domains.
- We reject cleartext auth on any connection we control.
Access
- Auth is email + password via Supabase. Passwords are bcrypt-hashed by Supabase and never touch SuperMail's own servers.
- API endpoints require per-request JWTs scoped to your user. No session cookies.
- Internal endpoints (background sync, daemons) are gated behind a separate internal token and rate-limited.
What we don't do
- No end-to-end encryption. Message bodies are encrypted at rest on our side, but we can technically read them. If E2E is a hard requirement, use Proton.
- No ads, no training. We never use your mail to train models or serve ads.
- No selling data. We don't sell, rent, or share your data with third parties except the subprocessors required to run the service.
Responsible disclosure
Found a vulnerability? Email security@supermail.app. We'll respond within two business days. Please give us a reasonable window to patch before public disclosure; we'll credit you in the changelog if you'd like.
Questions about security?
We'd rather answer them than hide behind a compliance page.