Privacy Policy

Last updated: 2025-08-12

Zinq Mail ("we", "us", "our") provides an enterprise email management platform with AI-powered features and dedicated instances. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our websites, applications, and related services (collectively, the "Services").

By using the Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services.

1. Who we are and how to contact us

  • Controller: Jan-Marlon Leibl (Zinq Mail Owner), Lower Saxony, Germany
  • Email: jan[at]jleibl[dot]net
  • For general inquiries: see our Contact page and humans.txt

2. Information we collect

Account and authentication data

  • Email address and login credentials you supply to connect to your email provider (IMAP/SMTP).
  • Authentication token (cookie name: zinq_auth_token) set as HTTP-only. The token contains your email address and an encrypted version of your mail server password to enable mail operations. The encryption uses a server-side key.

Email data processed to provide the Services

  • Email metadata: sender, recipients, subject, flags (read or starred), folder or mailbox names, dates, unique IDs.
  • Email content: headers, body text, partial HTML or text snippets, and attachments when you view, download, or send them.
  • Recipients derived from the messages in your mailbox folders, used to power features such as autocomplete.

User settings and preferences

  • Display name, signatures, UI preferences, theme, notification preferences.
  • AI provider configuration you choose to store (for example, selected provider and API keys for Anthropic Claude, Google Generative AI, or a self-hosted Zinq AI or OpenWebUI endpoint).
  • AI feature toggles (summaries, categorization, intent detection).

AI-derived metadata (optional features)

AI summaries, categories, and detected intent for emails you process with AI features.

Usage and analytics data

In production, Google Analytics 4 may collect device, usage, and event data for site analytics.

Device and local storage

Browser localStorage is used to cache non-sensitive UI data, such as email lists, mailbox trees, and timestamps, to improve performance.

3. Sources of information

  • Directly from you (account setup, settings, actions).
  • Your email provider via IMAP or SMTP when you connect the Services.
  • Third-party AI providers if you enable and configure them.
  • Analytics providers when enabled in production.

4. How we use information

  • Provide core functionality: authenticate you, connect to your email provider, fetch and display email, send email, manage folders, move or mark messages read or starred, and attach files.
  • Power AI features (if enabled by you): generate summaries, categories, and intent using your configured provider.
  • Personalize and improve: remember UI preferences, speed up loading via client-side caches, improve reliability and UX.
  • Secure accounts and Services: detect and prevent abuse, debug errors, comply with legal obligations.
  • Communicate: transactional notices and support communications.

5. Legal bases for processing (EEA or UK)

  • Performance of a contract: providing the Services, including connecting to your email provider and sending email.
  • Legitimate interests: securing the Services, preventing fraud or abuse, improving performance and UX.
  • Consent: optional analytics and AI features that send content to third parties; desktop notifications; any marketing communications.
  • Legal obligations: complying with law enforcement or regulatory requirements.

6. Cookies and similar technologies

Strictly necessary

zinq_auth_token (HTTP-only, SameSite=Lax, Secure in production): used to maintain your session and carry an encrypted version of your mail server password to perform IMAP or SMTP operations on your behalf.

Analytics (production only)

Google Analytics 4 may set cookies to measure usage. You can control these via your browser or OS privacy settings.

Local storage (browser)

Email list caches, mailbox data, and timestamps may be stored in localStorage to improve performance. You can clear these from your browser settings.

7. Disclosure of information

  • To your configured email infrastructure: your IMAP or SMTP provider to read, send, and append messages.
  • To AI providers you configure: if you enable AI features, relevant text or metadata is sent to your selected provider (Anthropic Claude, Google Generative AI, or self-hosted Zinq AI or OpenWebUI).
  • To service providers: hosting and infrastructure (for example, Vercel or AWS), analytics (Google Analytics in production), and email delivery infrastructure (Nodemailer, which connects to your SMTP server).
  • For legal reasons: to comply with law or enforce our terms, or in connection with a merger or acquisition.

We do not sell personal information.

8. International transfers

We may process and store information in the United States and other countries where our service providers operate. Where required, we implement safeguards such as standard contractual clauses for cross-border transfers.

9. Data retention

  • Session cookie: expires after 1 hour by default, or up to 7 days if "Remember me" is selected.
  • User settings: retained while your account remains active or as necessary to provide the Services.
  • AI metadata (summaries, categories, intent): retained to support features while your account is active; you may request deletion.
  • Local storage caches: persist in your browser until cleared automatically due to staleness or manually by you.
  • Logs: error and operational logs retained for a limited period for security and troubleshooting.

We may anonymize and aggregate data for analytics and service improvement.

10. Security

  • Transport security: TLS for data in transit.
  • Session security: HTTP-only cookie for auth token; Secure in production; SameSite=Lax.
  • Password handling for mail provider: your mail server password is not stored in plaintext. An encrypted form may be embedded in the JWT payload so that the server can perform IMAP or SMTP operations on your behalf; the server decrypts it only when needed, using an encryption key supplied through its environment configuration.
  • Access controls: server-side IMAP and SMTP operations are scoped to your own account.
  • Data minimization: persistent storage primarily for user settings and optional AI metadata; email content is fetched on demand.

No system is 100% secure. Please use strong, unique passwords and protect your devices.

11. Your rights

Depending on your jurisdiction (for example, EEA or UK under GDPR; California under CCPA or CPRA), you may have rights to:

  • Access your personal data.
  • Correct inaccurate data.
  • Delete your data.
  • Restrict or object to processing.
  • Data portability.
  • Withdraw consent where processing is based on consent.
  • Opt out of the sale or sharing of personal information for cross-context behavioral advertising (we do not sell personal information).

To exercise rights, contact [email protected]. We may need to verify your identity.

12. Children's privacy

The Services are not intended for children under 16 (or the age required by local law). We do not knowingly collect personal data from children.

13. Third-party services and your responsibilities

  • You are responsible for complying with your email provider policies when connecting your mailbox.
  • If you enable third-party AI providers, their privacy practices apply to the data you choose to send. Review Anthropic and Google policies (or your self-hosted provider terms) before enabling.
  • Links to external websites are governed by their own privacy policies.

14. Changes to this policy

We may update this Privacy Policy periodically. Changes will be posted within the Services with an updated "Last updated" date. Significant changes may be communicated by additional notice.

15. Contact

  • Email: jan[at]jleibl[dot]net
  • Controller/Address: Jan-Marlon Leibl, Lower Saxony, Germany

Additional implementation details

  • Auth token cookie name: zinq_auth_token (HTTP-only, SameSite=Lax, Secure in production).
  • Optional analytics: Google Tag Manager or Google Analytics 4 scripts are injected in production builds only.
  • Optional AI providers (configurable per user): Anthropic Claude, Google Generative AI, or a self-hosted Zinq AI or OpenWebUI endpoint.
  • Persistent server-side storage (SQLite): user settings (including AI provider keys you choose to store) and optional AI metadata per email (summary, categories, intent).
  • Email operations use your configured IMAP or SMTP servers via ImapFlow and Nodemailer.