01

Executive Summary

Ciela is a free, local-only desktop application that helps people clean, understand, and take control of their email inbox. It connects to Gmail and Outlook via secure OAuth2, and to iCloud, Yahoo, Zoho Mail, AOL, Fastmail, and 30+ other providers via IMAP. Scanning happens entirely on your own device, emails are classified into twenty-one categories, and you have the tools to clean years of unwanted email in minutes.

No cloud. No servers. No accounts. No ads. No subscriptions. Your email stays yours.

Ciela is built for everyone — from the grandmother overwhelmed by 15 years of promotional email, to the privacy-conscious professional who refuses to hand their inbox to a third-party cloud service. The core cleanup tool is free and always will be.

02

The Problem

The average person receives over 120 emails per day. After a decade of inbox accumulation, many users carry 50,000 to 200,000 emails — the vast majority of which are promotional, automated, or long-expired notifications they never asked for and will never read.

Existing solutions fall into two categories, both unsatisfactory:

  • Cloud-based cleaners (Unroll.me, Clean Email, Mailstrom) require users to grant full Gmail access to a third-party server. These services read, index, and in some cases monetize inbox data. For privacy-conscious users — and for anyone who has thought carefully about what their inbox actually contains — this is unacceptable.
  • Manual cleanup is simply not viable at scale. Deleting 50,000 emails one by one, or even sender by sender through Gmail's search interface, takes hours of tedious work that most people never finish.

Ciela solves both problems. It does the heavy lifting of a cloud cleaner, with the privacy guarantees of a local tool.

03

The Vision

Ciela is a tool, not a companion. It is calm, precise, and trustworthy. It does not have a personality. It does not send notifications. It does not ask for reviews.

The personal edition is free and always will be. A Pro edition for teams and organizations is in development — it will never compromise the core free product.

It does one thing exceptionally well: it clears the air in your inbox.

The name Ciela draws from the Italian cielo — sky. The mission is to make your inbox feel light again.

04

The Ruth Experience

Every design decision in Ciela is evaluated against a single question:

Would Ruth understand this?
Would Ruth feel safe?

The Ruth Test — applied to every screen

Ruth is our design persona — a non-technical user in her 60s, comfortable with tablets and Chromebooks, overwhelmed by her inbox but unwilling to hand it to a service she doesn't trust. She is patient and curious, but easily overwhelmed by jargon, error codes, or interfaces that assume technical knowledge.

Ciela must pass the Ruth test at every screen:

  • No raw error codes — ever
  • No technical terminology without plain-language explanation
  • No blank screens or silent failures
  • Every action has a clear, reversible consequence
  • The app always tells Ruth what it is doing and why

The Ruth Experience also defines the scan screen. Rather than a blank spinner during a long first scan, Ruth sees:

  • A real-time progress bar with accurate percentage
  • A live category breakdown building as emails are classified
  • Rotating tips that teach her what Ciela can do
05

Privacy & Security

Privacy is not a feature in Ciela. It is the foundation.
Connects to Gmail and Outlook via OAuth2 PKCE
The same secure flow used by every major email client.
Connects to iCloud, Yahoo, and 30+ IMAP providers via app passwords
IMAP app passwords never leave your device — stored in the OS credential vault and wrapped in zeroing memory for their entire in-memory lifetime.
Reads email metadata locally on your device
Sender, subject line, and List-Unsubscribe header only — never the full body or attachments. IMAP uses PEEK fetch so emails are never marked read.
Classifies emails using local rules
No machine learning API, no cloud inference — a Rust rule engine running on your machine.
Stores results in an encrypted local database
SQLite via SQLCipher — encrypted at rest, key derived from device hardware.
Requests only the scopes it actually needs
gmail.modify for Gmail · Mail.ReadWrite for Outlook — not full account access.
Never sends your email content to any server
Never stores OAuth tokens or IMAP credentials in plaintext
No analytics, telemetry, or usage tracking
No external resources loaded in the app interface
Connects to no server except your email provider's API and OAuth endpoints

5.1Offline-first after scan

The initial scan is the only time Ciela requires a live network connection. Once complete, every sender list, subject line, stat, and insight is read from the local encrypted database — no network required. Ciela only reaches out to your provider again when you explicitly take action: moving emails to Trash or opening an unsubscribe URL. You can disconnect your internet after scanning and the entire inbox intelligence layer continues to work.

5.2Credential storage

OAuth tokens are held in memory during a session. When persistence is needed, credentials are stored in the OS-level encrypted vault — Windows Credential Manager, macOS Keychain, or Linux Secret Service — never in a plaintext file. IMAP app passwords follow the same path and are additionally wrapped in zeroing memory (Zeroizing<String>) for their entire in-memory lifetime, ensuring they are overwritten rather than garbage-collected when no longer needed.

5.3Database encryption

The local SQLite database is encrypted using SQLCipher. The encryption key is derived from the device's hardware identifier, making the database unreadable if the storage is removed from the machine, while remaining completely transparent to the user.

5.4OAuth client credentials

Ciela bundles Google and Microsoft OAuth Client IDs in the application binary. This is the standard, platform-endorsed pattern for installed desktop applications using the PKCE authorization flow. The credentials do not grant access to any user data on their own — they merely identify the application to the OAuth server. All actual authorization requires explicit user consent, and the resulting tokens are stored in the OS credential store, not in the binary.

5.5Security as a design principle

Every new feature is evaluated through a security lens before implementation. The guiding question is always: does this require data to leave the device? If yes, it requires explicit justification or is removed from scope.

06

How It Works

1Connection

Gmail & Outlook (OAuth2): The user selects their provider on the connect screen. A browser window opens to the provider's sign-in page. After authentication, the browser redirects to a local loopback server (http://127.0.0.1) that Ciela has opened for exactly this purpose. The authorization code is exchanged for access and refresh tokens entirely on the user's device. OAuth policy requires the system browser — embedded webviews are prohibited for security reasons. Ciela makes this seamless: the app shows a waiting screen, and the browser tab closes automatically after authentication completes.

IMAP (iCloud, Yahoo, Zoho Mail, and 30+ providers): The user fills in an inline form — choose provider, enter email and app password, done. Ciela tests the live TLS connection before saving anything, then stores the app password in the OS credential vault. No browser redirect, no waiting screen — a successful IMAP connect takes the user directly to their inbox.

Multiple accounts can be connected across all three provider types; each is isolated in its own keyring entry and database partition.

2Scan

Ciela fetches only the metadata fields needed for classification: sender, subject line, and the List-Unsubscribe header. Full email content is never downloaded.

Gmail: Messages are fetched in batches of up to 100 per HTTP call using Gmail's batch API, with 10 concurrent requests and a 200 req/s rate limiter. Outlook: Microsoft Graph API with batch sizes up to 20. IMAP: UIDs fetched via UID SEARCH (capped at 10,000 per run), then headers fetched in 500-UID batches with a 50ms pause between batches — slower than OAuth providers due to IMAP protocol constraints. Rate limiting is tuned to stay safely below each provider's quota ceiling. A first scan of a 100,000-email inbox typically takes 5–20 minutes; API rate limits, not hardware, are the constraining factor.

Scan state is checkpointed after every page of results. If the scan is interrupted — app closed, connection lost — it resumes from the last checkpoint rather than starting over.

On subsequent runs, Ciela performs an incremental scan — fetching only emails received since the last scan date. A typical weekly incremental scan completes in seconds to a few minutes.

3Classification

Every email is classified by a local rule engine written in Rust. The classifier evaluates the sender domain, subject line, snippet text, and bulk email headers to assign one of twenty-one categories:

Category Description
PersonalEmails from real people on personal domains
SecurityLogin alerts, verification codes, password resets
GovernmentFederal, state, and local government agencies; .gov domains
FinanceStatements, invoices, transactions, tax documents
UtilitiesElectric, gas, water, internet, and phone providers
TravelBookings, itineraries, boarding passes
ReceiptsOrder confirmations, shipping updates, delivery notifications
NotificationsApp alerts, digests, activity summaries
EducationK-12 and university platforms — Canvas, Blackboard, school districts
HealthcarePatient portals, appointment reminders, pharmacy, medical offices
FoodFood delivery (DoorDash, Uber Eats, Grubhub), restaurant loyalty, meal kits
SubscriptionNewsletters and curated content
JobsRecruiters, job boards, staffing agencies, application updates
DatingDating app notifications and match alerts
FaithReligious organizations, places of worship, faith-based charities
Real EstateListings, agent updates, mortgage, rental platforms
GamingGame launchers, in-game alerts, esports
GamblingCasinos, sports betting, lottery
Active MarketingPromotional email from senders who are actively mailing
Dead MarketingPromotional email from senders who haven't mailed in years
UnknownSenders that don't match any category — reviewed and reclassified by the user

The sender-type model treats email type as the primary entity. Senders with mixed behavior — Amazon sending both receipts and marketing, for example — appear as separate rows. "Amazon Receipts" and "Amazon Marketing" are distinct, independently actionable entries — trash all marketing from a sender while leaving every receipt untouched.

4Cleanup

The user reviews their sender list, filtered by category. Each sender shows their email count and category classification. Clicking Trash opens a confirmation modal with four date-scope options (Older than 30 days / 6 months / 1 year / All time). If the sender has a stored unsubscribe URL, an "Also try to unsubscribe" checkbox appears in the same modal. An amber warning appears if the selected date window would include emails opened in the last 90 days, prompting the user to choose a safer scope.

For bulk category cleaning, clicking "Clean all" on a cleanup category (Active Marketing, Dead Marketing, Subscription, Notifications) first checks whether any unprotected sender in that category was recently active. If so, an OutlierView review screen appears before any action is taken. The user can protect recently-active senders one by one; the summary panel updates in real time to show exactly how many senders and emails will be affected. Protected senders are excluded from the clean without needing to dismiss the modal or lose their place.

Ciela moves emails to the provider's trash folder — Gmail uses Trash, Outlook uses Deleted Items, iCloud uses Deleted Messages. It does not permanently delete. Standard 30-day retention applies, giving users a safety net. The trash operation batches up to 1,000 messages per API call; trashing a 10,000-email sender takes roughly the same time as a single network round-trip.

5Stats & Intelligence

After scanning, Ciela surfaces inbox intelligence on the Dashboard tab:

  • Inbox at a Glance — total emails, active senders, years of history, and noise percentage in one snapshot
  • Signal vs. Noise — what share of your inbox is promotional or automated vs. email that actually matters
  • Read Rate by Category — per-category engagement showing which types of email you actually open
  • Senders Never Opened — count and list of senders you've never read a single email from
  • Total email breakdown by category
  • Top senders by volume
  • Ghost subscriptions — newsletters not opened in 5+ months
  • Inbox history — a bar chart of email volume by year; after a cleanup session, the bars shrink to reflect the current state of the inbox
  • Peak Mail Hours — histogram of the hours when you receive the most email
  • Your Oldest Email — the year your earliest stored message was received and what category it fell into
  • Storage reclaimed after a clean session
07

Architecture

Ciela is built on Tauri 2.x — a Rust-based framework for native desktop applications that uses the system's built-in web renderer rather than bundling a full browser engine. This is what allows Ciela to ship as a sub-10MB installer while delivering a modern, responsive interface.

Backend — Rust

Gmail and Outlook (Microsoft Graph) API clients with automatic token refresh and rate limiting · IMAP client (async-imap) supporting implicit TLS (port 993) and STARTTLS (port 143); 32 providers pre-configured · Local rule-based email classifier (twenty-one categories) · Tauri command layer exposing backend functionality to the frontend · SQLite via rusqlite + SQLCipher encryption

Frontend — React + TypeScript + Tailwind CSS

Component-based UI with type-safe Tauri command invocations · Real-time scan progress via Tauri event system · Tile-based customizable dashboard

Database — SQLite

Fully local, single file · Multi-account schema with per-account data isolation · WAL journal mode for performance · Encrypted with SQLCipher

Installer — NSIS

currentUser install mode — no administrator rights required · WebView2 bootstrapper (pre-installed on Windows 10/11, downloaded silently if missing) · Sub-10MB installer target

Build Pipeline — GitHub Actions

All three platform binaries — Windows (.exe), macOS (.dmg), and Linux (AppImage / .deb / .rpm) — are compiled by GitHub Actions on a specific commit in the private development repository. No manual compilation step exists in the release process. Every release is tied to a commit hash and a build log, available on request.

08

What Ciela Does Today

Connect & Scan

  • Connect Gmail or Outlook via secure OAuth2 — no credentials to enter, no account to create
  • Connect iCloud, Yahoo, Zoho Mail, AOL, Fastmail, and 30+ providers via IMAP app password — inline form, live TLS connection test, password stored in OS credential vault
  • Multiple accounts supported — switch between connected inboxes in one click; add or remove from Settings
  • Full mailbox scan across your entire email history
  • Incremental rescans — fast, checks only new mail since the last scan
  • Scan resumes from checkpoint if interrupted — no starting over
  • Works offline after the first scan — browse, filter, and clean without a network connection

Classification

  • Twenty-one-category local classifier — Personal, Security, Government, Finance, Utilities, Travel, Receipts, Notifications, Subscription, Food & Dining, Active Marketing, Dead Marketing, Education, Healthcare, Jobs, Dating, Faith, Real Estate, Gaming, Gambling, Unknown
  • Sender-type model — one sender can appear as multiple rows when they send different types of email (e.g. Amazon Receipts and Amazon Marketing are separate, independently actionable entries)
  • Reclassify any sender — corrections persist across rescans automatically
  • Similarity suggestions — after reclassifying a sender, Ciela surfaces other senders with similar patterns for bulk reclassification in one step
  • Domain-rule engine — hundreds of known platforms classified by sender domain, not just subject keywords

Clean Up

  • Trash action with date-scope picker — 4 options (Older than 30 days / 6 months / 1 year / All time); pre-selects your last-used preference; amber warning if selected scope would include recently-opened emails
  • "Also try to unsubscribe" — optional checkbox in the trash modal, shown when a sender has a stored unsubscribe URL; queues unsubscribe alongside trash in one action
  • Bulk clean by category — "Clean all" on any cleanup category opens a confirmation; proceeds directly when no recently-active senders are present
  • Outlier review before bulk clean — if any sender in a cleanup category was opened in the last 90 days, an OutlierView screen appears first; protect specific senders before the clean fires; summary updates in real time
  • Protected senders — mark any sender as untouchable; excluded from all bulk operations and the OutlierView clean flow
  • Unsubscribe tracking — one click to open the sender's unsubscribe URL; Ciela tracks whether they actually stop sending
  • Batch trash API — up to 1,000 emails per API call; trashing a large sender is near-instant rather than minutes

Dashboard & Insights

  • Inbox at a Glance — total emails, active senders, years of history, and noise percentage on the landing screen
  • Signal vs. Noise — single-number read on what share of your inbox is promotional or automated
  • Read Rate by Category — engagement bar for each category; see at a glance which types of email you actually open
  • Senders Never Opened — how many senders have never had a single email read; one click to browse them
  • Inbox overview — category cards showing email and sender counts; click any category to jump directly to that sender list
  • Sender detail view — click any sender for their full subject history, engagement chart, open-rate trend, and individual actions (protect, reclassify, trash)
  • Inbox history — bar chart of email volume by year; shrinks in real time as you clean
  • Peak Mail Hours — 24-hour histogram of when you receive the most email; peak hour highlighted
  • Your Oldest Email — the year and category of the earliest message in your inbox
  • Sender behavior signals — "Never opened", "Actively read", "Last read N months ago"
  • Outlier protection — amber warning when a sender you're about to clean was recently active
  • Inactive Subscriptions panel — surfaces newsletters you haven't opened in months
  • Unsubscribe status tracking — "Unsubscribed", "Still sending", or "Confirmed ✓"
  • Inbox growth trend — sparkline showing how your inbox has grown across scans
  • Inbox health trend — noise % trend chart across the last 8 scans; sender delta indicator showing change vs. the previous scan
  • Storage breakdown — explains the gap between the provider's total and Ciela's scanned count; empty Trash and clear Spam directly from the app
  • Scan History — every scan listed with date, email and sender counts, and Unknown delta; click any row to open its Scan Report
  • Scan Reports — per-scan detail: category changes since last scan; full cleanup history with recoverable, rescued, and permanently gone status; Undo available for recoverable operations
  • Smart Purge Tray — after a scan, if senders you previously trashed have returned, a compact tray appears: "These senders are back. You trashed them last time." Options: Trash all, Look at them first, or Not now

Auto-Clean Rules

  • Rule creation — after manually cleaning the same category 3 times, Ciela offers to save it as a rule; rules run automatically at the end of every full scan
  • Pre-scan confirmation — a screen lists all active rules and what they will do before each scan, with a link to change them
  • Post-scan summary — a banner after the scan reports which rules ran and how many emails were moved
  • Settings rules panel — lists all active rules with Turn On/Off and Delete controls; minimum age threshold 7 days enforced backend-side

Your Outlook Filters (Outlook accounts)

  • Server-side filtering — when a sender has been trashed in 2+ different scans, Ciela can create an Outlook inbox rule that routes those emails to Trash automatically, even when Ciela isn't open
  • Transparent disclosure — required copy before any rule is created: "Outlook will send [sender] emails straight to trash — even when Ciela isn't open. You can remove this anytime from Settings → Your Outlook Filters."
  • Settings panel — lists all active Outlook rules with a Remove button for each; removal calls the Microsoft Graph API immediately

Settings & Safety

  • Settings screen — account info, app version, default date filter preference, auto-clean rules list, Your Outlook Filters panel, disconnect
  • Sort and filter — by email volume, engagement, or recency; state persists across navigation
  • No admin rights required — installs per-user on Windows
09

What's Coming

Distribution Reliability

  • EV code signing — eliminates Windows SmartScreen "Unknown publisher" warning for direct download users; CI build pipeline and auto-updater already shipped

Microsoft Store — deprioritized

  • MSIX packaging + Windows App Certification Kit (WACK)
  • Store listing and submission

Ciela Pro

A Pro edition for teams and organizations is in development. It will extend the core product with capabilities for shared inboxes, company-wide inbox hygiene, and administrative oversight. The personal edition will not be affected.

10

Monetization

Personal — Free, forever

Ciela's personal edition is free. No ads. No subscriptions. No data selling.

Your data never leaves your computer. Ciela runs entirely on your device — no servers, no accounts, no tracking. Your email stays yours.

This reflects a belief that useful software should be accessible to everyone — including the college student who can't afford a subscription and the grandmother who doesn't understand why email costs money to clean.

Ciela Pro — Coming soon

A Pro edition is in development for teams and organizations. It will extend the core product with capabilities designed for shared inboxes, company-wide inbox hygiene, and administrative oversight.

The personal edition will never be paywalled. Pro features are additive — they will not remove or restrict anything available today.

11

Technology Stack

Component Technology
Application frameworkTauri 2.x
Backend languageRust
FrontendReact 19 + TypeScript + Tailwind CSS
Build toolVite
DatabaseSQLite via rusqlite (bundled)
EncryptionSQLCipher / AES-GCM
HTTP clientreqwest (rustls, no OpenSSL dependency)
IMAP clientasync-imap 0.9 + async-native-tls
Rate limitinggovernor crate (token bucket)
OAuthPKCE desktop flow, loopback redirect
InstallerNSIS (Windows), DMG (macOS), AppImage (Linux)
Auto-updateTauri updater via GitHub Releases
12

About

Independent. Not venture-backed.

Ciela is an independent software product. It is not trying to grow into something else. It is a tool built to solve a real problem, built right, and given away freely.

FREE · LOCAL-ONLY · YOUR EMAIL STAYS YOURS