Privacy Policy
Last updated: 2026-05-06
Mailsweeper is operated by Stoerkens GmbH (the “Provider”, “we”, “us”), Karl-Birzer-Str. 7, 85521 Ottobrunn, Germany. This policy explains what data Mailsweeper processes when you use the macOS app and the cloud-mode service at mailsweeper.cbsrv2.net.
1. Summary in plain English
- You sign in with Apple. We get an opaque user identifier and (optionally) your relay email — nothing else from Apple.
- You connect your own mail accounts (Gmail or IMAP). The credentials are encrypted at rest with a server-side master key. We never share them.
- Mailsweeper polls your inbox to apply rules YOU define. We store the metadata of moved messages (sender, subject, timestamp, the rule that matched) so you can review and undo. We never read or store full message bodies.
- If you subscribe, payment is processed by Stripe. We do not see your card.
- Your data lives only on our server and your Mac. No third-party analytics, ads, or trackers.
2. What we collect
2.1 Account identity (Sign in with Apple)
When you sign in we receive a stable Apple-issued user identifier (sub) plus the email Apple chooses to share (your real address or a @privaterelay.appleid.com alias). We do not receive your name. We use this only to identify you across devices.
2.2 Mail-account credentials
When you connect a Gmail account, your OAuth refresh token is stored encrypted with AES-256-GCM under a per-row data key wrapped with the Provider’s master key. When you connect an IMAP account, your password is stored the same way. The master key lives only on the server; access is restricted to the running service. Credentials never leave the server in plaintext.
2.3 Polling artifacts
For every message Mailsweeper auto-moves on your behalf, we store: the message’s provider ID, sender address, subject, received-at timestamp, the rule that matched, the destination (Spam or a folder name), and the move time. This is what powers the “Auto-moved” tab and the Restore action. We do not store message bodies, attachments, or the full headers.
2.4 Subscription state
If you upgrade to Pro, we store your Stripe customer ID, current subscription ID, and renewal date. Card numbers, billing addresses, and similar payment details are held by Stripe (stripe.com/privacy) — we never see them.
2.5 Service logs
The server keeps standard HTTP access logs (request method, path, status code, anonymized request ID) and operational logs for up to 30 days, used for debugging and abuse prevention. Authorization headers are redacted before any line is written to disk.
3. Data we explicitly do not collect
- Message bodies, attachments, or full email headers.
- Contacts, calendar entries, or other Google/Apple data outside what's needed to read & move messages.
- Browser cookies, third-party trackers, advertising IDs, or analytics scripts.
- Crash reports — only what you explicitly export via Settings → Diagnostics → Export Diagnostic Logs and choose to send us.
4. Why we process this data (legal bases under GDPR)
- Performance of contract (Art. 6(1)(b) GDPR) — to provide the polling, rule-matching and migration features you’re asking for.
- Legitimate interest (Art. 6(1)(f) GDPR) — to keep the service secure, debug failures, prevent abuse.
- Legal obligation (Art. 6(1)(c) GDPR) — to keep records required by tax / commercial law (Stripe payment receipts, invoices).
5. Data retention
- Account record + credentials: until you delete your account or remove the mail account.
- Auto-moved log entries: indefinitely while the account exists, so the Restore action keeps working.
- Service logs: 30 days, then rotated.
- Stripe records: 10 years for tax-law reasons (Germany, §147 AO).
6. Sharing
We share data only with the following sub-processors, and only the minimum required:
- Apple Inc. — Sign in with Apple. apple.com/legal/privacy
- Stripe Payments Europe Ltd. — payment processing for Pro subscriptions. stripe.com/privacy
- Google LLC — we communicate with the Gmail API when polling your Gmail account on your behalf via the OAuth-issued refresh token. We do not send your data to Google; we only read your mail per your account’s permissions.
- Hetzner Online GmbH — hosts the server in Germany.
We do not sell or rent personal data to anyone, ever.
7. International transfers
The server runs in Germany. Stripe and Apple may process data in the United States or Ireland under the EU–US Data Privacy Framework / Standard Contractual Clauses.
8. Your rights
Under GDPR you can:
- Request access to the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion (right to be forgotten) — see §9 below.
- Request data portability (export of your accounts, rules, and log).
- Object to processing based on legitimate interest.
- Lodge a complaint with the supervisory authority (Bayerisches Landesamt für Datenschutzaufsicht, lda.bayern.de).
Send any request to andreas.stoll@stoerkens.de.
9. Account deletion
To delete your Mailsweeper account: email us at andreas.stoll@stoerkens.de from the address associated with your Apple ID. We delete your user row, all attached accounts, credentials, rules, and log entries within 7 days. Stripe records related to past payments are retained per §5.
10. Security
- TLS 1.2+ between the Mac client and our server.
- Mail credentials encrypted at rest with AES-256-GCM (per-row data key + master-key envelope).
- Authorization tokens stored only in your Mac’s Keychain and the server’s session table.
- The server runs in a sandboxed Linux container; only the API ports are publicly reachable.
If you discover a security issue please report it privately to andreas.stoll@stoerkens.de.
11. Changes to this policy
We may update this policy from time to time. Material changes will be announced in-app or by email to active subscribers. The “Last updated” date at the top reflects the current version.
12. Contact
Stoerkens GmbH
Karl-Birzer-Str. 7
85521 Ottobrunn, Germany
andreas.stoll@stoerkens.de