Privacy Policy

Effective date: June 2026 · MailCue v0.9 beta

MailCue is a macOS app that helps you get through email faster — AI reads a message, drafts a reply, and you send. This policy explains exactly what the app reads, what it transmits, what is retained and for how long, your right to erase it, and what MailCue will never do. It is written to be accurate, not to oversell — if a practice changes, this page changes with it.

What MailCue reads

Today (Apple Mail): when you submit a reply intent, MailCue uses macOS Accessibility/AppleScript to read the single email message you currently have selected in Apple Mail — the sender address, the subject line, and the message body. Nothing is read until you submit an intent.

When you connect a mailbox (Gmail, as described under Connecting a mailbox): MailCue reads messages in that account so it can rank your inbox, draft replies, and manage mail you ask it to manage. This is broader than single-message reading, and you grant it explicitly through Google's consent screen. It still never sends or composes without your tap, and never trashes without your per-message confirmation.

What MailCue sends over the network

When you submit an intent, MailCue sends the following to MailCue's backend service over TLS (HTTPS):

Your reply intent (the text you typed)
The selected message's sender, subject, and body
Your license key (for authentication; never logged)

This data is transmitted to power MailCue's features for you — drafting replies, ranking your inbox, and learning your tone (and, when you connect a mailbox, managing it). It is not sold, shared with advertisers, or used to train any AI model. See Erase everything for how to remove what we keep.

What is retained, why, and for how long

Honest retention: MailCue may store some of your mail content on its servers so the AI can do a better job for you — drafting in your voice, ranking what matters, and replying faster. We are direct about this rather than promising we never keep anything. What we store is bounded, used only to serve your own account, and erasable by you with one click (see Erase everything for exactly what clears instantly and what clears shortly after).

MailCue's backend may retain, tied to your account only:

Recent mail content — raw text of recent messages, kept up to 90 days, to power drafting and ranking.
Tone & ranking features — derived signals (including irreversible embeddings) learned from your mail so drafts sound like you and your inbox is ordered usefully. Kept until you delete them or close your account.
Your reply drafts generated for you.

What we never do with retained content:

Sell it, share it, or hand it to advertisers or data brokers
Use it to train any AI model — ours or a provider's
Mine it for analytics or build a cross-user profile
Write your message content into our server logs (logs hold metadata only)

The AI provider MailCue routes to does not train on your content, and handles it only transiently to produce your draft.

Connecting a mailbox (read & manage)

MailCue is moving toward letting you connect a mail account (starting with Gmail) directly, so it can help you manage your inbox — read messages, archive them, and apply a MailCue label. With your explicit, per-action confirmation it can also move a message to Trash. This uses Google's gmail.modify permission, which covers read plus archive, label, and trash — it does not allow sending or composing mail on your behalf.

Nothing is silent. MailCue never deletes or trashes a message without your explicit confirmation for that specific message, and never sends a reply without your tap on Send.
You grant it; you can revoke it. The connection is created by a Google consent screen that names exactly what MailCue may do, and you can disconnect at any time.

Connected-mailbox access ships only once Google has verified MailCue for this use. Until then, MailCue works with the message you have selected in Apple Mail, as described above.

Google user data & Limited Use

When you connect Gmail, MailCue accesses your Google user data only through the gmail.modify permission you grant, and uses it solely to provide MailCue's features to you — ranking your inbox, drafting replies in your voice, and managing the messages you ask it to manage. MailCue's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular, MailCue does not use Google user data to develop, improve, or train generalized AI/ML models; does not sell or transfer it; does not use it for advertising; and does not allow humans to read it except with your explicit consent (e.g. for support), where required for security or to comply with the law, or as part of operations on aggregated, anonymized data.

Sub-processors and where your data is processed

MailCue uses two external services to operate. We name them here because honest disclosure is what you deserve, and because Google's policies for apps that handle Gmail data require it. Each service has a specific role and a specific geographic processing posture.

Google Cloud (Vertex AI / Gemini family) — MailCue's current AI provider. When MailCue drafts a reply, ranks your inbox, or summarizes a message, the relevant mail content is sent to Vertex AI to generate that result.

What Google's default terms say. Under Google Cloud's standard data governance for Vertex AI generative models, Google does not use your prompts or its responses to train its foundation models. Inputs and outputs may be cached for up to 24 hours in the data center where the request was served, and prompts may be logged for abuse-monitoring purposes; eligible enterprise customers can opt into stricter "Zero Data Retention" via technical settings and a contractual amendment to the Data Processing Addendum. MailCue is currently on Vertex AI's standard terms.

Geographic processing. Google Cloud's standard service routing is global: any individual Vertex AI request may be processed in any of Google's data-center regions. MailCue does not pin requests to a specific country. Google's default no-training and bounded-cache terms apply across every region Google routes to. If your work has a hard requirement that AI processing happen only inside the United States (or any specific country), MailCue does not currently meet that — we will update this page if and when we add a region-pinned provider.
Cloudflare — MailCue's backend hosting. The MailCue backend runs on Cloudflare Workers and uses Cloudflare's storage products (D1 for accounts, KV for bounded mail-content cache, Vectorize for embeddings, Workers Secrets for OAuth refresh tokens) and Cloudflare's edge cache. Cloudflare hosts the Workers core in US regions and operates a global edge cache; metadata and durable account state stay in the US-origin core, while ephemeral edge-cached content may be served from any of Cloudflare's edge points-of-presence.

Other AI providers MailCue may add in the future under the same Zero-Data-Retention bar (e.g. OpenAI ZDR Enterprise, Anthropic Zero Retention Enterprise) are configured US-region only when contracted. MailCue does not route mail content to providers or sub-processors hosted in mainland China; this is a hard exclusion that applies to upstream providers, failover providers, caching tiers, and analytics endpoints alike.

If MailCue adds, swaps, or changes the routing posture of any sub-processor listed above, this section will be updated within 7 days. Removing accurate disclosure is not something we do.

What is stored locally on your Mac

MailCue stores a small amount of data on your device only:

License key — stored in macOS Keychain (encrypted at rest, accessible only to MailCue).
Your mail — to load instantly, read offline, and give Pouchy the context to draft replies, MailCue keeps a local copy of the messages it shows you (sender, subject, and the message body) on your Mac. This is stored on your device, not used to build any cross-user dataset, and removed entirely when you run Reset & Forget.
Sent log — a lightweight on-disk record of when messages were sent (timestamp + subject line only, no body content). Used to power the 30-second undo window.
Chat history — your intent prompts and Pouchy's reply bubbles are saved locally on disk so your conversation context carries across sessions. This history stays on your Mac and is removed when you run Reset & Forget. Mail content (message bodies, sender addresses) is never written to the chat history.
App preferences — window position and settings stored in UserDefaults.

On disk, this local data lives in two places: the app's support folder (~/Library/Application Support/MailCue/), which holds local state, the brief cache, and chat history; and the app's preferences file (~/Library/Preferences/com.mailcue.MailCue.plist), which holds settings and cached mail metadata. The license key is held separately in the macOS Keychain.

MailCue is not sandboxed, so dragging the app to the Trash does not remove this data on its own. To erase everything stored locally, delete those two locations and remove the com.mailcue.app entry from Keychain Access — the Install guide walks through the steps.

Erase everything — Reset & Forget

You can remove everything MailCue has stored about you at any time. In the app, open Settings → Reset & Forget — one click, always free, always available. Your subscription is not cancelled by Reset — manage that separately under Manage subscription.

What is erased the moment you click: your retained mail content, your reply drafts, any connected-mailbox access on MailCue's servers (the Gmail permission token is revoked), and MailCue's local data on your Mac. This part is immediate and complete — it is gone right away, not scheduled.

What is removed shortly after: the small amount of writing-style data MailCue learned from you — the derived embeddings that let drafts sound like you. These live in a vector store that has no instant bulk-delete, so clicking Reset queues them for removal and a background cleanup job erases them shortly afterward. They are tied to your account only, are never sold or used to train any AI model in the meantime, and the deletion is permanent once it runs. The delay is in the timing, not in whether they go.

What MailCue never does

Sends or composes any email without your explicit tap on Send
Deletes or trashes a message without your explicit confirmation for that message
Sells, rents, or shares your data with any third party
Uses your mail to train any AI model — ours or a provider's
Mines your mail for analytics or builds a cross-user profile
Tracks you across apps or websites, or shows you ads
Sends analytics or crash reports containing your mail content

Your rights (GDPR / CCPA)

You can access, correct, or delete the data MailCue holds about you, and you can withdraw access at any time — the one-click Reset & Forget covers deletion. For any other request, email izhiwen@icloud.com. MailCue processes your mail only to provide the service to you (drafting, ranking, and, where you connect a mailbox, managing it); it is not used for advertising or sold to anyone.

AppleScript and Automation permissions

macOS requires your explicit permission before MailCue can control Apple Mail via AppleScript. When prompted, you may grant or deny this permission. Without it, MailCue cannot read the selected message or dispatch replies — but the app will continue to run.

You can review or revoke this permission at any time in System Settings → Privacy & Security → Automation.

Changes to this policy

If the data practices described here change in a future version, this page will be updated and the effective date revised. Material changes will be noted in the release notes.

Contact

Questions about privacy? Email izhiwen@icloud.com.