Privacy Policy
Effective May 18, 2026 · Last updated May 18, 2026
What we collect
- Account info — email address, password (argon2id-hashed), display name. You provide this at signup.
- Email contents — messages you send and receive, including subject, body, attachments. Stored encrypted at rest in Postgres on Hetzner Cloud (Germany).
- Calendar events — events you create or that our brain auto-suggests from your email.
- Brain memory — knowledge graph entities (people, organizations, places, dates, amounts) extracted from your email locally on our server using compromise.js NLP. Linked to your user account.
- Settings + preferences — quiet hours, blocklists, notification settings, etc.
- Crash reports — if you opt in, anonymous stack traces sent to Sentry. Default: OFF.
What we don't collect
- Location data
- Contacts from your phone's address book
- Photos, camera, or microphone access
- Browsing history
- Cross-site identifiers
- Advertising IDs (IDFA)
- Financial information (Apple handles all payments via App Store IAP)
What we don't do
- Sell or rent your data to any third party
- Use your data to train machine learning models we don't own
- Show advertising
- Track you across other apps or websites
- Send your email contents to OpenAI, Google, Anthropic, or any LLM unless YOU explicitly enable the optional "AI Synthesis" feature (off by default; requires you to provide your own API key)
Who has access
- You — full access via the iOS app and web client at app.cybrmail.net
- Our infrastructure team — storage is encrypted at rest. For end-to-end encrypted messages, even we cannot read the body. For other messages, access is restricted to incident response and is logged.
- Apple — only when reviewing the app for App Store compliance, using a dedicated test account
- Law enforcement — only with a valid subpoena or court order. We will notify you unless legally prohibited.
Data location
All servers are in Germany (Hetzner Cloud, Falkenstein / Helsinki). Data is NOT transferred outside the EU/US for processing.
Your rights (GDPR + CCPA)
- Access — request a copy of all data we have about you (Settings → Account → Export Data)
- Rectify — fix any inaccurate info
- Delete — permanently remove your account and all data (Settings → Account → Delete Account). This is irreversible.
- Portability — export your email and calendar in standard formats (mbox + iCal)
- Object — opt out of crash reporting at any time
To exercise any of these rights, use the app's built-in controls or email privacy@cybrmail.net.
Children
CyberMail is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has signed up, email privacy@cybrmail.net and we will delete the account immediately.
Pricing
CyberMail is currently free. There are no paid plans, subscriptions, or in-app purchases at this time. If we introduce paid features in the future, any purchase will go through the Apple App Store and we will update this policy in advance.
Changes
If we materially change this policy, we'll notify you in-app at least 30 days before the change takes effect. The most current version always lives at cybrmail.net/privacy.
Contact
- General: support@cybrmail.net
- Privacy questions: privacy@cybrmail.net
- Security disclosure: security@cybrmail.net
CyberMail is operated by AR Dynamics Inc.