Privacy Policy

Last updated: April 15, 2026

This Privacy Policy explains how Aria Mail ("Aria Mail", "we", "us", or "our") collects, uses, stores, and discloses information when you use the Aria Mail application and related services (collectively, the "Service") available at ariamail.app.

By using the Service, you agree to the practices described here. If you do not agree, please do not use the Service.

1. Summary — the short version

We connect to your email accounts (Gmail, Outlook, IMAP) with your explicit consent.
We use your email content only to operate features you asked for, such as unified inbox, search, and AI answers about your mail.
We do not sell your email data. We do not use it for advertising.
We do not train machine learning or AI models on your email content.
You can disconnect an account or delete your data at any time from the Settings page.

2. Information we collect

2.1 Account information

When you sign up, we collect your name, email address, and profile image from your identity provider (Google or Microsoft). We also store authentication tokens required to read and send email on your behalf.

2.2 Email data

When you connect a mailbox, we access message metadata (sender, recipients, subject, date, labels, folder), message bodies, and attachments. We retrieve only the data needed to provide the Service features you enabled (inbox view, search, threading, AI answers).

2.3 Usage data

We collect limited product telemetry (for example, which buttons you click, how long requests take, and error reports) to operate, secure, and improve the Service. Telemetry does not include the content of your emails.

2.4 Billing data

If you purchase a paid plan, payments are processed by Stripe. We do not store full card numbers. Stripe provides us with limited billing metadata (such as subscription status, plan, and last four digits of the card) so we can manage your subscription.

3. How we use your information

To provide the Service — showing your inbox, searching messages, and generating AI answers with citations.
To authenticate you and secure your account.
To process payments and manage subscriptions.
To respond to support requests.
To detect, prevent, and respond to abuse, fraud, or security incidents.
To comply with legal obligations.

4. Google API Services — Limited Use Disclosure

Aria Mail's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

When you connect a Google account, Aria Mail requests the following Gmail scopes:

gmail.readonly — to display your messages, threads, labels, and attachments inside Aria Mail.
gmail.modify — to let you mark messages read/unread, apply or remove labels, archive, and move messages between folders.
gmail.send — to send replies and new messages that you compose inside Aria Mail.

In accordance with Google's Limited Use policy, Aria Mail will:

Only use your Gmail data to provide or improve user-facing features that are prominent in the Service interface.
Not transfer Gmail data to others unless necessary to provide or improve these features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with your explicit prior consent.
Not use Gmail data for advertising.
Not allow humans to read Gmail data, except (a) with your explicit consent for specific messages, (b) when necessary for security investigations or to comply with the law, or (c) when the data has been aggregated and anonymized for internal operations.
Not use Gmail data to develop, improve, or train generalized AI or machine learning models. Your email content is never added to model training sets.

4.1 AI features and Gmail data

When you ask Aria (our in-product AI assistant) a question, the relevant portions of your email — retrieved on demand — may be sent to Anthropic's Claude API to generate an answer. Anthropic processes this data as our subprocessor and does not use it to train its models. You can disable AI features per account from Settings.

5. Microsoft / Outlook data

The same principles apply to Microsoft 365 and Outlook mailboxes connected via Microsoft Graph. We access only the scopes required to operate the Service (read mail, send mail, read user profile), do not sell the data, do not use it for advertising, and do not train AI models on it.

6. How we store and protect your data

Data is stored on secure cloud infrastructure in the United States.
OAuth refresh tokens are encrypted at rest.
Transport is encrypted end-to-end with TLS.
Access to production systems is restricted to authorized personnel with two-factor authentication.
We conduct regular internal security reviews and penetration tests.

7. Sharing and disclosure

We do not sell your personal data. We share data only with:

Subprocessors who operate parts of the Service on our behalf under written data-protection agreements (for example, cloud hosting, database providers, Stripe for payments, and Anthropic for AI inference).
Authorities when required by law, subpoena, or court order, and only to the extent legally compelled.
Successors in the event of a merger, acquisition, or sale of assets, in which case your data remains subject to this Privacy Policy or a policy at least as protective.

8. Data retention

We retain connected mailbox metadata, indexes, and derived data for as long as the account is connected. When you disconnect an account or delete your Aria Mail account, the associated data is removed from our active systems within 30 days, and from encrypted backups within 90 days.

9. Your rights and choices

Access and export: You can request a copy of the data we hold about you.
Correction: You can correct inaccurate account information from the Settings page.
Deletion: You can disconnect a mailbox or delete your entire account at any time from Settings, or by contacting us at privacy@ariamail.app.
Revoking Google access: You can revoke Aria Mail's access to your Google account at any time at myaccount.google.com/permissions.
Revoking Microsoft access: You can revoke access at myaccount.microsoft.com/consent.
EU / UK residents have additional rights under GDPR, including the right to object to processing and the right to lodge a complaint with a supervisory authority.
California residents have rights under the CCPA/CPRA, including the right to know, delete, and opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as defined by CCPA/CPRA.

10. Children

The Service is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. International transfers

If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for such transfers.

12. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the Service or by email before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact us

Questions or requests about this Privacy Policy or your data:

Email: privacy@ariamail.app
Support: ariamail.app/contact