Mailhopper logo

Security & privacy

How Mailhopper protects your mail: AES-256-GCM credential encryption, TLS-only connections, per-account isolation, EU hosting, and no AI training or ad tracking.

Your mail is only ever yours. Mailhopper is built to keep it that way, from the credential vault to the servers your data runs on.

How your credentials are stored

When you connect an account, Mailhopper needs its app password or OAuth token to reach your mailbox. That secret is encrypted with AES-256-GCM before it ever touches disk.

The key that decrypts it lives only on Mailhopper's server, never in the database and never in the app's code. So even with a copy of the database, the stored secret is unreadable: it is kept as ciphertext, a nonce, and an authentication tag, in a table the rest of the app can't read.

The credential vault is isolated at the database level and isn't exposed to the app's data layer at all. No browser request can reach it, only the server-side code that needs to open a connection to your mailbox.

Encrypted on every connection

Mailhopper reaches your providers over IMAP and SMTP with TLS only and no plaintext fallback, so your mail is protected on the wire every time it moves between Mailhopper and your mailbox. The app itself is served over HTTPS.

Walled off to your account

Every record in Mailhopper is tied to your signed-in session by database-level rules, so one account can never read another's mail. Your credentials are locked down further still, in the isolated vault the data layer doesn't touch.

Hardened against abuse

Rate limited

Every API request is limited per client IP, so brute-force attempts and automated abuse are throttled.

Strict headers

Security response headers (HSTS, frame-blocking, and content-type protection) defend against clickjacking and content-sniffing attacks.

Short-lived reset links

Password reset links expire within the hour, so an old link sitting in a mailbox can't be reused.

Cards go straight to Stripe

Card details are entered into Stripe's own fields and never reach Mailhopper's servers.

Where your data lives

Mailhopper runs entirely in the EU: your data is stored in Frankfurt and the app runs in Nuremberg, both in Germany. It's built to line up with GDPR, and Standard Contractual Clauses cover any transfer abroad.

What we never do with your mail

No AI reads your mail

Your messages are never scanned, profiled, or used to train a model, ours or anyone's. Mailhopper fetches your mail for one reason: to show it to you.

Never sold for ads

Your mail is never sold or shared for advertising. No ads, no trackers. You pay a dollar a month per account, and that's the whole business model.

Audited dependencies

Mailhopper's third-party dependencies are audited for known vulnerabilities and kept up to date, so the code you rely on stays clear of components with published security issues.

You stay in control

Disconnecting a Gmail account automatically revokes Mailhopper's access at Google, so no grant is left behind. Removing any account deletes Mailhopper's local copy only; your mailbox is never touched. You can close your whole account at any time under Settings → Delete account.

Disconnecting an account never changes anything in your mailbox. To close your Mailhopper account and billing, see Plans & billing.

At a glance

AreaWhat Mailhopper does
Encryption at restAES-256-GCM, key held apart from the data
Encryption in transitTLS only, no plaintext fallback
Account isolationDatabase-level rules, scoped to your session
Password reset linksExpire within the hour
Brute-force & API abuseRate limited per IP
Clickjacking & sniffingBlocked by strict headers
Data residencyEU · Germany
Mail used to train AINever
Sold or shared for adsNever
Dependency auditsRun regularly, kept clean
Google access after disconnectRevoked automatically
Disconnect & delete accountAnytime