---
title: Security & privacy
description: "How Mailhopper protects your mail: AES-256-GCM credential encryption, TLS-only connections, per-account isolation, EU hosting, and no AI training or ad tracking."
---

> **For AI agents:** the complete documentation index is at [llms.txt](/llms.txt). Append `.md` to any page URL for its markdown version.

Your mail is only ever yours. Mailhopper is built to keep it that way, from the credential
vault to the servers your data runs on.

## How your credentials are stored

When you connect an account, Mailhopper needs its app password or OAuth token to reach your
mailbox. That secret is encrypted with **AES-256-GCM** before it ever touches disk.

The key that decrypts it lives only on Mailhopper's server, never in the database and never
in the app's code. So even with a copy of the database, the stored secret is unreadable: it
is kept as ciphertext, a nonce, and an authentication tag, in a table the rest of the app
can't read.

<Info>
The credential vault is isolated at the database level and isn't exposed to the app's data
layer at all. No browser request can reach it, only the server-side code that needs to open
a connection to your mailbox.
</Info>

## Encrypted on every connection

Mailhopper reaches your providers over IMAP and SMTP with **TLS only** and no plaintext
fallback, so your mail is protected on the wire every time it moves between Mailhopper and
your mailbox. The app itself is served over HTTPS.

## Walled off to your account

Every record in Mailhopper is tied to your signed-in session by database-level rules, so one
account can never read another's mail. Your credentials are locked down further still, in the
isolated vault the data layer doesn't touch.

## Hardened against abuse

<Columns cols={2}>
  <Card title="Rate limited" icon="gauge-high">
    Every API request is limited per client IP, so brute-force attempts and automated abuse
    are throttled.
  </Card>
  <Card title="Strict headers" icon="shield-halved">
    Security response headers (HSTS, frame-blocking, and content-type protection) defend
    against clickjacking and content-sniffing attacks.
  </Card>
  <Card title="Short-lived reset links" icon="clock-rotate-left">
    Password reset links expire within the hour, so an old link sitting in a mailbox can't be
    reused.
  </Card>
  <Card title="Cards go straight to Stripe" icon="credit-card">
    Card details are entered into Stripe's own fields and never reach Mailhopper's servers.
  </Card>
</Columns>

## Where your data lives

Mailhopper runs entirely in the EU: your data is stored in Frankfurt and the app runs in
Nuremberg, both in Germany. It's built to line up with GDPR, and Standard Contractual Clauses
cover any transfer abroad.

## What we never do with your mail

<Columns cols={2}>
  <Card title="No AI reads your mail" icon="eye-slash">
    Your messages are never scanned, profiled, or used to train a model, ours or anyone's.
    Mailhopper fetches your mail for one reason: to show it to you.
  </Card>
  <Card title="Never sold for ads" icon="ban">
    Your mail is never sold or shared for advertising. No ads, no trackers. You pay a dollar a
    month per account, and that's the whole business model.
  </Card>
</Columns>

## Audited dependencies

Mailhopper's third-party dependencies are audited for known vulnerabilities and kept up to
date, so the code you rely on stays clear of components with published security issues.

## You stay in control

Disconnecting a Gmail account **automatically revokes Mailhopper's access at Google**, so no
grant is left behind. Removing any account deletes Mailhopper's local copy only; your mailbox
is never touched. You can close your whole account at any time under **Settings → Delete
account**.

<Note>
Disconnecting an account never changes anything in your mailbox. To close your Mailhopper
account and billing, see [Plans &amp; billing](/billing#closing-your-account).
</Note>

## At a glance

| Area | What Mailhopper does |
|------|----------------------|
| Encryption at rest | AES-256-GCM, key held apart from the data |
| Encryption in transit | TLS only, no plaintext fallback |
| Account isolation | Database-level rules, scoped to your session |
| Password reset links | Expire within the hour |
| Brute-force &amp; API abuse | Rate limited per IP |
| Clickjacking &amp; sniffing | Blocked by strict headers |
| Data residency | EU · Germany |
| Mail used to train AI | Never |
| Sold or shared for ads | Never |
| Dependency audits | Run regularly, kept clean |
| Google access after disconnect | Revoked automatically |
| Disconnect &amp; delete account | Anytime |
