Privacy policy.

A short policy for a short product. Ciela runs on your computer, reads your inbox there, and sends nothing anywhere. This page exists to say that plainly, and to spell out the few edges where we touch the outside world.

EFFECTIVE · MAY 2026
VERSION · 1.0
PLAIN LANGUAGE

01 · The short version
What you need to know.

Ciela is a desktop application. When you connect it to Gmail or Outlook, it reads metadata from your inbox on your computer, classifies it locally, and stores the results in a local encrypted database on your machine. We do not run servers that hold a copy of your mail. We do not have user accounts. We have no way to identify you.

Your email stays yours. Your computer stays yours. We're not in the middle.

The network surface. Ciela only reaches out to your email provider: Google's OAuth endpoint and Gmail's API (Gmail users), or Microsoft's OAuth endpoint and the Graph API (Outlook users). That is the entire network surface.

02 · Data we touch
What we read, and what we don't.

For classification, Ciela reads the following fields from each message in your inbox:

  • Sender address and display name
  • Subject line
  • Snippet (the short preview your email app already shows in the inbox list)
  • List-Unsubscribe and related bulk-mail headers
  • Received timestamp, read/unread state, label list

What we never read

  • Message bodies
  • Attachments
  • Contacts, calendar, drive, or any other service beyond your inbox

Ciela requests the narrowest scope that supports its features (gmail.modify for Gmail; Mail.ReadWrite for Outlook). You can revoke that access at any time from your Google account or Microsoft account security settings, or by removing the account within Ciela.

Triage: what Ciela shows when you open a sender

When you open a sender in the triage view, Ciela fetches all email threads involving that address — including messages from your Sent folder. This is intentional: to decide whether to keep or remove a sender, you want the full picture of your correspondence with them, not just what arrived in your inbox. Nothing is sent anywhere; the fetch happens over the provider API directly to your device.

03 · Where it lives
Storage is local.

Classification results are written to a single SQLite database file on your computer. That file is encrypted with SQLCipher using a key derived from your device, so removing the drive and reading it elsewhere will not work.

OAuth tokens are held in memory for the duration of a session. When persistence is needed, they are written to your operating system's encrypted credential vault — Windows Credential Manager on Windows, Keychain on macOS, Secret Service on Linux — never as a plaintext file.

What | Where
Email metadata (sender, subject, snippet) | Local SQLite, encrypted at rest
OAuth tokens | OS keychain, encrypted by the OS
Encryption key | Derived from your device — never written to disk in plaintext
Classifier rules | Bundled in the application binary
Anything on our servers | — Nothing. We don't have any. —

04 · Telemetry
None.

Ciela does not include analytics, crash reporting, usage tracking, A/B testing, install pings, feature-flag checks, or any other form of telemetry. The application never connects to any server other than your email provider's OAuth and API endpoints. We do not know how many people use Ciela, which features they use, or whether they exist at all.

This is a deliberate trade-off: it means we cannot detect bugs you do not report. It also means we cannot accidentally betray you.

05 · Third parties
The whole list.

Up to three, depending on which accounts you connect:

  • Google — Gmail users only. To authenticate you (OAuth2 PKCE) and to read your mailbox over Gmail's API. Their privacy policy governs that side of the connection.
  • Microsoft — Outlook users only. To authenticate you (OAuth2 PKCE) and to read your mailbox over the Microsoft Graph API. Their privacy statement governs that side of the connection.
  • Your operating system — to store OAuth tokens in its native credential vault. Apple, Microsoft, and your Linux distribution govern that storage.

This website (the page you're reading) loads a font from Google Fonts. The Ciela application itself does not load fonts or anything else over the network.

06 · Children
Not intended for under-13s.

Ciela is not directed to children under 13, and we do not knowingly process any data from them — though, since we do not process data from anyone, this is largely a formality.

07 · Changes
If anything here changes.

We will update this page and bump the version stamp at the top. The application will not change its data behaviour without a visible release note. There is no mailing list to inform you, by design — checking the changelog when you update is the right way to stay current.

08 · Contact
If you need to reach us.

We don't run a support inbox — for reasons that should now be obvious. If you've spotted a bug or have a question, the in-app "Report an issue" link is the right path; it opens a private form, not an email thread.