01 · The short versionWhat you need to know.
Ciela is a desktop application. When you connect it to Gmail, Outlook, iCloud, Yahoo, or any IMAP provider, it reads metadata from your inbox on your computer, classifies it locally, and stores the results in a local encrypted database on your machine. We do not run servers that hold a copy of your mail. We do not have user accounts. We have no way to identify you.
Your email stays yours. Your computer stays yours. We're not in the middle.
02 · Data we touchWhat we read, and what we don't.
For classification, Ciela reads the following fields from each message in your inbox:
- Sender address and display name
- Subject line
- Snippet (the short preview your email app already shows in the inbox list)
- List-Unsubscribe and related bulk-mail headers
- Received timestamp, read/unread state, label list
What we never read
- Message bodies
- Attachments
- Contacts, calendar, drive, or any other service beyond your inbox
Ciela requests the narrowest scope that supports its features (gmail.modify for Gmail; Mail.ReadWrite for Outlook). IMAP providers (iCloud, Yahoo, etc.) use an app-specific password rather than OAuth; that credential is stored in your OS credential vault and is never sent to Ciela's servers (there are none). You can revoke access at any time from your provider's security settings, or by removing the account within Ciela.
Triage: what Ciela shows when you open a sender
When you open a sender in the triage view, Ciela fetches all email threads involving that address — including messages from your Sent folder. This is intentional: to decide whether to keep or remove a sender, you want the full picture of your correspondence with them, not just what arrived in your inbox. Nothing is sent anywhere; the fetch happens over the provider API directly to your device.
03 · Where it livesStorage is local.
Classification results are written to a single SQLite database file on your computer. That file is encrypted with SQLCipher using a key derived from your device, so removing the drive and reading it elsewhere will not work.
OAuth tokens are held in memory for the duration of a session. When persistence is needed, they are written to your operating system's encrypted credential vault — Windows Credential Manager on Windows, Keychain on macOS, Secret Service on Linux — never as a plaintext file.
| What | Where |
|---|---|
| Email metadata (sender, subject, snippet) | Local SQLite, encrypted at rest |
| OAuth tokens | OS keychain, encrypted by the OS |
| Encryption key | Derived from your device — never written to disk in plaintext |
| Classifier rules | Bundled in the application binary |
| Anything on our servers | — Nothing. We don't have any. — |
04 · Retention & deletionYou're in control.
All data Ciela holds lives on your device. There is no server-side retention to worry about because there is no server.
Retention: Email metadata remains in the local encrypted database for as long as you keep the account connected. Nothing ages out automatically — Ciela holds it until you say otherwise.
Deletion: You have three ways to delete your data:
- Remove a single account — Settings → your account → Disconnect. Ciela immediately deletes all metadata for that account from the local database and revokes the OAuth token from your OS credential vault.
- Reset everything — Settings → Reset App Data. Wipes the entire local database and all stored credentials.
- Uninstall — Removing Ciela from your system removes the application and its local database.
For Gmail and Outlook accounts specifically: disconnecting revokes Ciela's OAuth access at the OS level. To fully revoke at the Google or Microsoft level, visit your provider's connected apps page — we include a link to that page in the disconnect flow.
05 · TelemetryNone.
Ciela does not include analytics, crash reporting, usage tracking, A/B testing, install pings, feature-flag checks, or any other form of telemetry. The application never connects to any server other than your email provider's OAuth and API endpoints. We do not know how many people use Ciela, which features they use, or whether they exist at all.
This is a deliberate trade-off: it means we cannot detect bugs you do not report. It also means we cannot accidentally betray you.
06 · Third partiesThe whole list.
Up to three, depending on which accounts you connect:
- Google — Gmail users only. To authenticate you (OAuth2 PKCE) and to read your mailbox over Gmail's API. Their privacy policy governs that side of the connection.
- Microsoft — Outlook users only. To authenticate you (OAuth2 PKCE) and to read your mailbox over the Microsoft Graph API. Their privacy statement governs that side of the connection.
- Your operating system — to store OAuth tokens in its native credential vault. Apple, Microsoft, and your Linux distribution govern that storage.
This website (the page you're reading) loads a font from Google Fonts. The Ciela application itself does not load fonts or anything else over the network.
07 · ChildrenNot intended for under-13s.
Ciela is not directed to children under 13, and we do not knowingly process any data from them — though, since we do not process data from anyone, this is largely a formality.
08 · ChangesIf anything here changes.
We will update this page and bump the version stamp at the top. The application will not change its data behaviour without a visible release note. There is no mailing list to inform you, by design — checking the changelog when you update is the right way to stay current.
09 · ContactIf you need to reach us.
We don't run a support inbox — for reasons that should now be obvious. If you've spotted a bug or have a question, the in-app "Report an issue" link is the right path; it opens a private form, not an email thread.