Gomailify

Privacy Policy

Last updated: December 31, 2024

Overview

Gomailify ("we", "our", or "us") provides an email delivery service that connects custom email addresses to Gmail accounts via OAuth2. This Privacy Policy explains how we collect, use, store, and protect your information.

Information We Collect

1. OAuth Tokens

For Mailbox Users:

  • Google OAuth access tokens and refresh tokens
  • Gmail email addresses
  • Token expiration times

Purpose: To send and insert emails into your Gmail account on your behalf.

For Admin Users:

  • Google OAuth access tokens and refresh tokens (with gmail.insert permission)
  • Gmail email addresses
  • Token expiration times

Purpose: To insert system notifications (billing alerts, delivery failures, service updates) directly into your Gmail inbox. We only write to your own inbox - we do not read your emails or send to external recipients.

2. Account Information

  • Google account ID
  • Email address
  • Name and profile picture (for admin users only)
  • Login timestamps

3. Email Delivery Records

  • Sender and recipient email addresses
  • Email subject lines
  • Delivery status (delivered, failed)
  • Timestamps
  • Email content (stored temporarily in R2 for up to 7 days)

How We Use Your Information

  • Email Delivery: To send emails from your custom address via your Gmail account
  • Email Insertion: To insert sent emails into your Gmail Sent folder
  • System Notifications (Admin Users): To insert service notifications (billing alerts, delivery failures, service updates) directly into your Gmail inbox using the gmail.insert scope
  • Authentication: To identify which Gmail account is connected to each mailbox
  • Monitoring: To track delivery status and troubleshoot failures
  • Compliance: To maintain audit logs for security and compliance

Data Storage and Security

Storage Locations

  • Cloudflare D1 Database: OAuth tokens (both mailbox and admin user tokens), user accounts, domains, mailboxes, delivery records (encrypted at rest)
  • Cloudflare R2 Storage: Temporary email content storage (automatically deleted after 7 days)

Security Measures

  • OAuth tokens stored exclusively in D1 database (encrypted at rest by Cloudflare)
  • Automatic OAuth revocation detection and tracking for both mailbox and admin users
  • Refresh tokens automatically revoked with Google upon mailbox disconnection or account removal
  • Token expiration and refresh handled automatically (5-minute expiry buffer)
  • Separate secrets for API authentication and session signing
  • Redacted logging (OAuth codes, states, and tokens never logged)
  • TLS encryption for all data in transit

Data Retention and Deletion

Automatic Deletion

  • Email Content: Deleted from R2 after successful delivery or after 7 days (whichever comes first)
  • Delivery Records: Automatically deleted after 7 days
  • OAuth Tokens: Immediately deleted when you disconnect a mailbox

Manual Deletion

You can disconnect your Gmail account at any time by visiting the removal URL sent to you via email during setup. This will:

  • Revoke your OAuth refresh token with Google
  • Delete all stored tokens from our database
  • Mark your mailbox as disconnected

Google API Services User Data Policy Compliance

Gomailify's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Limited Use Disclosure

Gomailify only requests the minimum scopes necessary to provide our service:

For Mailbox Users:

  • gmail.insert - To insert emails into your Gmail inbox and sent folder
  • userinfo.email - To identify which Gmail account is connected

For Admin Users:

  • openid - For authentication
  • email - To identify your account
  • profile - To display your name and avatar in the admin dashboard
  • gmail.insert - To insert system notifications (billing alerts, delivery failures, service updates) directly into your Gmail inbox

Important Privacy Commitments:

  • We do NOT read your Gmail emails
  • We do NOT modify existing Gmail content
  • We do NOT access any Gmail data beyond inserting pre-formatted messages
  • We do NOT share your Gmail data with third parties
  • We do NOT use gmail.send scope - we only use gmail.insert to write to your own inbox
  • Admin notifications are inserted only into your own Gmail account - never sent to external recipients

Third-Party Services

  • Google OAuth: For authentication and Gmail API access
  • Cloudflare: For hosting, database, and storage infrastructure
  • Stripe: For payment processing (if applicable)

Your Rights

You have the right to:

  • Access your data
  • Request data deletion
  • Disconnect your Gmail account at any time
  • Revoke OAuth permissions via Google Account settings

Contact Us

For privacy-related questions or data deletion requests, please contact us at: humans@gomailify.com

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy with an updated "Last updated" date.

Professional email via Gmail you already have.
Try Gomailify Free for 14 days.

Keep using the Gmail you love now also with your very own domain. No more mailboxes hopping and no forwarding issues.

Sign in with Google

Upgrade for just $12/year for up to two mailboxes,
then $6/year per each additional mailbox.