
Trust

How mailservr keeps your email private and secure

Security is not a feature we bolt on — it is how the product is built. No forwarding, no tracking, no third-party dependencies.

Infrastructure and storage

  • Email content stored in PostgreSQL with encrypted connections
  • Attachments stored in S3-compatible (R2) object storage
  • Attachment access controlled via time-limited presigned URLs
  • No email forwarding — your messages never pass through third-party providers

Authentication

  • Passwords hashed with bcrypt (industry-standard key derivation)
  • Session-based authentication with 7-day automatic expiry
  • No third-party auth providers tracking your login activity
  • Admin-level access controls for domain management

API security

  • Bearer token authentication for all API endpoints
  • API keys scoped to individual user accounts
  • Webhook payloads signed with HMAC-SHA256 for integrity verification
  • Webhook delivery logs for auditing and debugging
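
A receiver-side check for the HMAC-SHA256 webhook signatures listed above, added here as an example and not mailservr's own code. The signature format (hex digest with an optional `sha256=` prefix), the secret and the sample payload are assumptions, because this page does not document them.

```python
import hashlib
import hmac

# Assumption: the signature is a hex digest, optionally prefixed "sha256=".
# This page does not document the header name or the encoding.
PREFIX = "sha256="


def sign(secret: bytes, raw_body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes sent on the wire."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, signature: str) -> bool:
    """Receiver side: recompute over the raw body, compare in constant time."""
    if not isinstance(signature, str):
        return False
    sig = signature.strip().lower()
    if sig.startswith(PREFIX):
        sig = sig[len(PREFIX):]
    try:
        received = bytes.fromhex(sig)
    except ValueError:
        return False  # not valid hex: reject instead of raising
    if len(received) != hashlib.sha256().digest_size:
        return False  # truncated or padded digest
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # compare_digest avoids leaking the position of the first mismatching byte
    return hmac.compare_digest(expected, received)


# Constructed sample values, for illustration only
SECRET = b"constructed-webhook-secret"
BODY = b'{"event":"email.received","alias":"shop@example.test"}'
GOOD = sign(SECRET, BODY)

if __name__ == "__main__":
    print("valid payload:   ", verify(SECRET, BODY, GOOD))
    print("tampered payload:", verify(SECRET, BODY.replace(b"shop", b"evil"), GOOD))
    print("malformed header:", verify(SECRET, BODY, "sha256=zz"))
```

Verify against the raw request bytes before any JSON parsing. A body that has been parsed and re-serialized can differ in whitespace or key order and will no longer match the signature.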

Data handling

  • Email content, metadata, and attachments stored — nothing more
  • Credit card data handled entirely by Stripe (never touches our servers)
  • No tracking pixels, analytics scripts, or ad networks on the platform
  • Attachment size validation (up to 100 MB per file)

Operational security

  • No email forwarding means your real address is never transmitted
  • Sender blocking at the per-alias level
  • Protected API routes with session and admin middleware
  • Dashboard and API endpoints excluded from public sitemap and robots

Privacy by design

  • One-time payment — no recurring billing data collection
  • No free tier means no ad-supported model (your email is not the product)
  • Minimal data collection: we store what is needed to deliver email, nothing else
  • Full account data accessible through the dashboard and API

Security FAQ

Can mailservr read my emails?

Email content is stored in our database to provide inbox functionality. We do not scan, analyze, or monetize your email content. There are no ads, no tracking, and no third-party data sharing.

Where is my data stored?

Email data is stored in PostgreSQL and attachments are stored in Cloudflare R2 object storage. All connections use encrypted transport.

What happens if I delete my account?

Deleting your account removes all associated data including aliases, emails, threads, attachments, and API keys.

Do you comply with GDPR?

We follow data minimization principles and only collect what is necessary to provide the service. You can request data export or deletion at any time through the dashboard.
