Honest about what we do - and don't do - with your mail.
SuperMail is a hosted email app. That means your messages live on our infrastructure. Here's the full picture so you can decide if we're a fit.
Where data lives
- Your messages and mailbox details are stored in our secure cloud environment, encrypted in transit and at rest.
- Credentials for connected providers are stored separately from your mail.
- Operational logs do not include message contents.
In transit
- TLS 1.2+ everywhere - web, mobile, and provider connections.
- IMAP / SMTP / submission (587) require STARTTLS or implicit TLS.
- Outbound mail is signed with DKIM on your custom domains.
- We reject cleartext auth on any connection we control.
Access
- SuperMail accounts use email and password sign-in. Passwords are handled by our authentication provider and never stored by SuperMail.
- API requests are authenticated on every call.
- Internal tools are separately protected and rate-limited.
What we don't do
- No end-to-end encryption. Message bodies are encrypted at rest, but our servers need access to index, search, and render your mail. If end-to-end encryption is a hard requirement, a dedicated encrypted-mail provider may be a better fit.
- No ads, no training. We never use your mail to train models or serve ads.
- No selling data. We don't sell, rent, or share your data with third parties except the subprocessors required to run the service.
User controls
Security settings stay visible
Security controls live in Settings, where you can manage sign-in options and account-level preferences.
Responsible disclosure
Found a vulnerability? Email security@supermail.app. We'll respond within two business days. Please give us a reasonable window to patch before public disclosure; we'll credit you in the changelog if you'd like.
Questions about security?
We'd rather answer them than hide behind a compliance page.