Privacy Policy
Last updated: March 26, 2026
1. Introduction
At MailProtect, protecting your privacy is at the heart of our service. This privacy policy describes what data we collect, how we use it and what your rights are.
MailProtect is designed around the principle of data minimization: we only collect what is strictly necessary for the service to function.
2. Data controller
GO PROTECT, Société par Actions Simplifiée (SAS)
4 Allée du Colonel Fabien, APP 2064, 93320 Les Pavillons-sous-Bois, France
SIRET: 841 095 649 00023 — RCS: Bobigny B 841 095 649
Email: contact@mailprotect.fr
3. Data collected
3.1. Account data (on server)
When you register, we collect:
- Email address: to identify your account and contact you
- Password: stored in hashed form (bcrypt) — we never know your password in plain text
3.2. Email data (on device only)
Your emails are NEVER stored on our servers. Email processing is performed entirely on your device (iPhone, iPad or Mac):
- The IMAP connection is established directly between your device and your email provider
- Emails are downloaded and stored locally on your device only
- Classification (spam, quarantine, inbox) is performed on your device
- No copy of your emails passes through our servers
3.3. IMAP passwords (on device only)
Your email passwords (IMAP/SMTP) are stored exclusively in the Apple Keychain on your device. They are never sent to our servers or stored in our database.
3.4. Filter lists (synced)
Your filter lists (whitelist and blacklist) are synced between your devices via our server. These lists contain only email addresses or domain names, no email content.
3.5. Technical data (on server)
We collect minimal technical data:
- Email account configuration (IMAP server, port) — without the password
- Push notification tokens (for quarantine alerts)
3.6. Billing data
Subscription status and Stripe customer ID are stored on our server. We do not store any banking data.
3.7. Ephemeral processing for security
Certain security features require entirely ephemeral server-side processing:
- AI classification: the subject and body of an email are sent ephemerally to the server for analysis by our AI classifier. This content is processed in memory only, never written to disk, never stored in the database, never logged. Processing takes a few milliseconds and the data is immediately discarded.
- Attachment antivirus scan: suspicious attachments may be transmitted to the server for analysis by ClamAV (virus signatures), YARA (behavioral rules) and VirusTotal hash verification. No attachment is retained: the file is analyzed in memory only and deleted immediately after analysis.
Retention period: 0 seconds — in-memory processing only, no persistent storage of any kind.
Sub-processors involved:
- AI classification and antivirus scan servers hosted on OVH infrastructure (France) via Tailscale — same confidentiality level as account data.
- VirusTotal (Google LLC): only the hash (digital fingerprint) of the file is sent, never the actual attachment content.
4. Data NOT collected
MailProtect does not collect:
- Email content (bodies, attachments, subjects)
- Your email passwords (IMAP/SMTP)
- Analytics or usage tracking data
- Advertising identifiers
- Location data
- Device identifiers (UDID, IDFA)
5. Payment and banking data
Payments are managed by Stripe, a PCI-DSS certified provider. MailProtect does not collect, store or have access to any banking data (card number, expiration date, CVV).
For more information on how Stripe processes your data, see Stripe's privacy policy.
6. Purpose of data processing
Your data is used exclusively for:
- Managing your user account (authentication, subscription management)
- Syncing your filter lists between your devices
- Sending quarantine notifications via push
- Contacting you in case of technical issues or important updates
We never sell, rent or share your data with third parties for commercial or advertising purposes.
7. Cookies
The mailprotect.fr website uses only essential cookies necessary for the service to function:
- Session cookie (authentication)
- Preferences cookie (language)
No tracking, analytics or advertising cookies are used. We do not use Google Analytics or any third-party tracking tool.
8. Data retention
- Account data: retained as long as your account is active, then deleted within 30 days after account closure
- Filter lists: deleted with the account
- Technical logs: retained for a maximum of 90 days
9. Security
We implement the following security measures:
- HTTPS/TLS encryption on all communications
- Passwords hashed with bcrypt (unique salt per user)
- IMAP passwords stored in the Apple Keychain only
- JWT tokens with short expiration (30 minutes)
- Rate limiting on sensitive endpoints
- No email storage on our servers
10. Your rights (GDPR)
In accordance with the General Data Protection Regulation (GDPR), you have the following rights:
- Right of access: obtain a copy of all data we hold about you
- Right of rectification: correct your personal data if it is inaccurate
- Right of erasure: request deletion of your account and all your data
- Right to data portability: receive your data in a structured, machine-readable format
- Right to object: object to the processing of your data
- Right to restriction: request restriction of the processing of your data
To exercise these rights, contact us at contact@mailprotect.fr. We will respond within a maximum of 30 days.
You also have the right to lodge a complaint with the CNIL (www.cnil.fr), the French data protection authority.
11. Hosting
Our servers are hosted by OVH SAS (2 rue Kellermann, 59100 Roubaix, France), in data centers located in France.
12. Changes
We may update this privacy policy. In the event of a substantial change, you will be notified by email. The date of the last update is shown at the top of this page.
13. Contact
For any questions regarding the protection of your personal data:
Email: contact@mailprotect.fr