White Paper · Living Document

Ciela: The Inbox Curator™

A full technical and product overview — architecture, privacy model, classification system, and what's coming next.

Last updated May 21, 2026 · v0.5.5 · Independent, not venture-backed
01

Executive Summary

Ciela is a free, local-only desktop application that helps people clean, understand, and take control of their email inbox. It connects to Gmail and Outlook via secure OAuth2, scans your mailbox entirely on your own device, classifies emails into twenty-one categories, and gives you the tools to clean years of unwanted email in minutes.

No cloud. No servers. No accounts. No ads. No subscriptions. Your email stays yours.

Ciela is built for everyone — from the grandmother overwhelmed by 15 years of promotional email, to the privacy-conscious professional who refuses to hand their inbox to a third-party cloud service. The core cleanup tool is free and always will be.

02

The Problem

The average person receives over 120 emails per day. After a decade of inbox accumulation, many users carry 50,000 to 200,000 emails — the vast majority of which are promotional, automated, or long-expired notifications they never asked for and will never read.

Existing solutions fall into two categories, both unsatisfactory:

  • Cloud-based cleaners (Unroll.me, Clean Email, Mailstrom) require users to grant full Gmail access to a third-party server. These services read, index, and in some cases monetize inbox data. For privacy-conscious users — and for anyone who has thought carefully about what their inbox actually contains — this is unacceptable.
  • Manual cleanup is simply not viable at scale. Deleting 50,000 emails one by one, or even sender by sender through Gmail's search interface, takes hours of tedious work that most people never finish.

Ciela solves both problems. It does the heavy lifting of a cloud cleaner, with the privacy guarantees of a local tool.

03

The Vision

Ciela is a tool, not a companion. It is calm, precise, and trustworthy. It does not have a personality. It does not send notifications. It does not ask for reviews.

The personal edition is free and always will be. A Pro edition for teams and organizations is in development — it will never compromise the core free product.

It does one thing exceptionally well: it clears the air in your inbox.

The name Ciela draws from the Italian cielo — sky. The mission is to make your inbox feel light again.

04

The Ruth Experience

Every design decision in Ciela is evaluated against a single question:

Would Ruth understand this?
Would Ruth feel safe?

The Ruth Test — applied to every screen

Ruth is our design persona — a non-technical user in her 60s, comfortable with tablets and Chromebooks, overwhelmed by her inbox but unwilling to hand it to a service she doesn't trust. She is patient and curious, but easily overwhelmed by jargon, error codes, or interfaces that assume technical knowledge.

Ciela must pass the Ruth test at every screen:

  • No raw error codes — ever
  • No technical terminology without plain-language explanation
  • No blank screens or silent failures
  • Every action has a clear, reversible consequence
  • The app always tells Ruth what it is doing and why

The Ruth Experience also defines the scan screen. Rather than a blank spinner during a long first scan, Ruth sees:

  • A real-time progress bar with accurate percentage
  • A live category breakdown building as emails are classified
  • Rotating tips that teach her what Ciela can do
05

Privacy & Security

Privacy is not a feature in Ciela. It is the foundation.
Connects to Gmail and Outlook via OAuth2 PKCE
The same secure flow used by every major email client.
Reads email metadata locally on your device
Sender, subject line, snippet — never the full body or attachments.
Classifies emails using local rules
No machine learning API, no cloud inference — a Rust rule engine running on your machine.
Stores results in an encrypted local database
SQLite via SQLCipher — encrypted at rest, key derived from device hardware.
Requests only the scopes it actually needs
gmail.modify for Gmail · Mail.ReadWrite for Outlook — not full account access.
Never sends your email content to any server
Never stores credentials in plaintext
No analytics, telemetry, or usage tracking
No external resources loaded in the app interface
Connects to no server except your email provider's API and OAuth endpoints

5.1Offline-first after scan

The initial scan is the only time Ciela requires a live network connection. Once complete, every sender list, subject line, stat, and insight is read from the local encrypted database — no network required. Ciela only reaches out to your provider again when you explicitly take action: moving emails to Trash or opening an unsubscribe URL. You can disconnect your internet after scanning and the entire inbox intelligence layer continues to work.

5.2Credential storage

OAuth tokens are held in memory during a session. When persistence is needed, credentials are stored in the OS-level encrypted vault — Windows Credential Manager, macOS Keychain, or Linux Secret Service — never in a plaintext file.

5.3Database encryption

The local SQLite database is encrypted using SQLCipher. The encryption key is derived from the device's hardware identifier, making the database unreadable if the storage is removed from the machine, while remaining completely transparent to the user.

5.4OAuth client credentials

Ciela bundles Google and Microsoft OAuth Client IDs in the application binary. This is the standard, platform-endorsed pattern for installed desktop applications using the PKCE authorization flow. The credentials do not grant access to any user data on their own — they merely identify the application to the OAuth server. All actual authorization requires explicit user consent, and the resulting tokens are stored in the OS credential store, not in the binary.

5.5Security as a design principle

Every new feature is evaluated through a security lens before implementation. The guiding question is always: does this require data to leave the device? If yes, it requires explicit justification or is removed from scope.

06

How It Works

1Connection

The user selects Gmail or Outlook on the connect screen. A browser window opens to the provider's sign-in page. After authentication, the browser redirects to a local loopback server (http://127.0.0.1) that Ciela has opened for exactly this purpose. The authorization code is exchanged for access and refresh tokens entirely on the user's device. Multiple accounts can be connected; each is isolated in its own keyring entry and DB partition.

OAuth policy requires the system browser — embedded webviews are prohibited for security reasons. Ciela makes this seamless: the app shows a waiting screen, and the browser tab closes automatically after authentication completes.

2Scan

Ciela fetches your inbox using the provider's API, reading only the metadata fields needed for classification: sender, subject line, message snippet, and the List-Unsubscribe header. Full email content is never downloaded.

For Gmail, messages are fetched in batches of up to 100 per HTTP call using Gmail's batch API. For Outlook, Microsoft Graph API is used with batch sizes up to 20. Rate limiting is tuned to stay safely below each provider's quota ceiling. A first scan of a 100,000-email inbox typically takes 5–20 minutes; API rate limits, not hardware, are the constraining factor.

Scan state is checkpointed after every page of results. If the scan is interrupted — app closed, connection lost — it resumes from the last checkpoint rather than starting over.

On subsequent runs, Ciela performs an incremental scan — fetching only emails received since the last scan date. A typical weekly incremental scan completes in seconds to a few minutes.

3Classification

Every email is classified by a local rule engine written in Rust. The classifier evaluates the sender domain, subject line, snippet text, and bulk email headers to assign one of twenty-one categories:

Category Description
PersonalEmails from real people on personal domains
SecurityLogin alerts, verification codes, password resets
GovernmentFederal, state, and local government agencies; .gov domains
FinanceStatements, invoices, transactions, tax documents
UtilitiesElectric, gas, water, internet, and phone providers
TravelBookings, itineraries, boarding passes
ReceiptsOrder confirmations, shipping updates, delivery notifications
NotificationsApp alerts, digests, activity summaries
EducationK-12 and university platforms — Canvas, Blackboard, school districts
HealthcarePatient portals, appointment reminders, pharmacy, medical offices
FoodFood delivery (DoorDash, Uber Eats, Grubhub), restaurant loyalty, meal kits
SubscriptionNewsletters and curated content
JobsRecruiters, job boards, staffing agencies, application updates
DatingDating app notifications and match alerts
FaithReligious organizations, places of worship, faith-based charities
Real EstateListings, agent updates, mortgage, rental platforms
GamingGame launchers, in-game alerts, esports
GamblingCasinos, sports betting, lottery
Active MarketingPromotional email from senders who are actively mailing
Dead MarketingPromotional email from senders who haven't mailed in years
UnknownSenders that don't match any category — reviewed and reclassified by the user

Senders with mixed email behavior — Amazon sending both receipts and marketing, for example — display their primary category alongside secondary category badges.

The sender-type model treats email type as the primary entity. "Amazon Receipts" and "Amazon Marketing" are distinct, independently actionable entries — trash all marketing from a sender while leaving every receipt untouched.

4Cleanup

The user reviews their sender list, filtered by category. Each sender shows their email count and category classification. Clicking Trash opens a confirmation modal with four date-scope options (Older than 30 days / 6 months / 1 year / All time). If the sender has a stored unsubscribe URL, an "Also try to unsubscribe" checkbox appears in the same modal. An amber warning appears if the selected date window would include emails opened in the last 90 days, prompting the user to choose a safer scope.

For bulk category cleaning, clicking "Clean all" on a cleanup category (Active Marketing, Dead Marketing, Subscription, Notifications) first checks whether any unprotected sender in that category was recently active. If so, an OutlierView review screen appears before any action is taken. The user can protect recently-active senders one by one; the summary panel updates in real time to show exactly how many senders and emails will be affected. Protected senders are excluded from the clean without needing to dismiss the modal or lose their place.

Ciela moves emails to the provider's Trash (Gmail) or Deleted Items (Outlook) folder — it does not permanently delete. Standard 30-day retention applies, giving users a safety net. The trash operation batches up to 1,000 messages per API call; trashing a 10,000-email sender takes roughly the same time as a single network round-trip.

5Stats & Intelligence

After scanning, Ciela surfaces inbox intelligence on the Dashboard tab:

  • Inbox at a Glance — total emails, active senders, years of history, and noise percentage in one snapshot
  • Signal vs. Noise — what share of your inbox is promotional or automated vs. email that actually matters
  • Read Rate by Category — per-category engagement showing which types of email you actually open
  • Senders Never Opened — count and list of senders you've never read a single email from
  • Total email breakdown by category
  • Top senders by volume
  • Ghost subscriptions — newsletters not opened in 5+ months
  • Inbox history — a bar chart of email volume by year; after a cleanup session, the bars shrink to reflect the current state of the inbox
  • Peak Mail Hours — histogram of the hours when you receive the most email
  • Your Oldest Email — the year your earliest stored message was received and what category it fell into
  • Storage reclaimed after a clean session
07

Architecture

Ciela is built on Tauri 2.x — a Rust-based framework for native desktop applications that uses the system's built-in web renderer rather than bundling a full browser engine. This is what allows Ciela to ship as a sub-10MB installer while delivering a modern, responsive interface.

Backend — Rust

Gmail and Outlook (Microsoft Graph) API clients with automatic token refresh and rate limiting · Local rule-based email classifier (twenty-one categories) · Tauri command layer exposing backend functionality to the frontend · SQLite via rusqlite + SQLCipher encryption

Frontend — React + TypeScript + Tailwind CSS

Component-based UI with type-safe Tauri command invocations · Real-time scan progress via Tauri event system · Tile-based customizable dashboard

Database — SQLite

Fully local, single file · Multi-account schema with per-account data isolation · WAL journal mode for performance · Encrypted with SQLCipher

Installer — NSIS

currentUser install mode — no administrator rights required · WebView2 bootstrapper (pre-installed on Windows 10/11, downloaded silently if missing) · Sub-10MB installer target

08

What Ciela Does Today

Connect & Scan

  • Connect Gmail or Outlook via secure OAuth2 — no credentials to enter, no account to create
  • Multiple accounts supported — switch between connected inboxes in one click; add or remove from Settings
  • Full mailbox scan across your entire email history
  • Incremental rescans — fast, checks only new mail since the last scan
  • Scan resumes from checkpoint if interrupted — no starting over
  • Works offline after the first scan — browse, filter, and clean without a network connection

Classification

  • Twenty-one-category local classifier — Personal, Security, Government, Finance, Utilities, Travel, Receipts, Notifications, Subscription, Food & Dining, Active Marketing, Dead Marketing, Education, Healthcare, Jobs, Dating, Faith, Real Estate, Gaming, Gambling, Unknown
  • Sender-type model — one sender can appear as multiple rows when they send different types of email (e.g. Amazon Receipts and Amazon Marketing are separate, independently actionable entries)
  • Reclassify any sender — corrections persist across rescans automatically
  • Similarity suggestions — after reclassifying a sender, Ciela surfaces other senders with similar patterns for bulk reclassification in one step
  • Domain-rule engine — hundreds of known platforms classified by sender domain, not just subject keywords

Clean Up

  • Trash action with date-scope picker — 4 options (Older than 30 days / 6 months / 1 year / All time); pre-selects your last-used preference; amber warning if selected scope would include recently-opened emails
  • "Also try to unsubscribe" — optional checkbox in the trash modal, shown when a sender has a stored unsubscribe URL; queues unsubscribe alongside trash in one action
  • Bulk clean by category — "Clean all" on any cleanup category opens a confirmation; proceeds directly when no recently-active senders are present
  • Outlier review before bulk clean — if any sender in a cleanup category was opened in the last 90 days, an OutlierView screen appears first; protect specific senders before the clean fires; summary updates in real time
  • Protected senders — mark any sender as untouchable; excluded from all bulk operations and the OutlierView clean flow
  • Unsubscribe tracking — one click to open the sender's unsubscribe URL; Ciela tracks whether they actually stop sending
  • Batch trash API — up to 1,000 emails per API call; trashing a large sender is near-instant rather than minutes

Dashboard & Insights

  • Inbox at a Glance — total emails, active senders, years of history, and noise percentage on the landing screen
  • Signal vs. Noise — single-number read on what share of your inbox is promotional or automated
  • Read Rate by Category — engagement bar for each category; see at a glance which types of email you actually open
  • Senders Never Opened — how many senders have never had a single email read; one click to browse them
  • Inbox overview — category cards showing email and sender counts; click any category to jump directly to that sender list
  • Sender detail view — click any sender for their full subject history, engagement chart, open-rate trend, and individual actions (protect, reclassify, trash)
  • Inbox history — bar chart of email volume by year; shrinks in real time as you clean
  • Peak Mail Hours — 24-hour histogram of when you receive the most email; peak hour highlighted
  • Your Oldest Email — the year and category of the earliest message in your inbox
  • Sender behavior signals — "Never opened", "Actively read", "Last read N months ago"
  • Outlier protection — amber warning when a sender you're about to clean was recently active
  • Inactive Subscriptions panel — surfaces newsletters you haven't opened in months
  • Unsubscribe status tracking — "Unsubscribed", "Still sending", or "Confirmed ✓"
  • Inbox growth trend — sparkline showing how your inbox has grown across scans
  • Storage breakdown — explains the gap between the provider's total and Ciela's scanned count; empty Trash and clear Spam directly from the app

Settings & Safety

  • Settings screen — account info, default date filter preference, disconnect
  • Security audit log — recent history for destructive operations (trash, disconnect, data clear)
  • Sort and filter — by email volume, engagement, or recency; state persists across navigation
  • No admin rights required — installs per-user on Windows
09

What's Coming

Platform

  • Microsoft Store — MSIX packaging (v0.6.0) — pass Windows App Certification Kit; distribute via the Store for zero-friction Windows discovery
  • Microsoft Store — listing & submit (v0.6.1) — go live on the Microsoft Store
  • Auto-updater + EV code signing (v0.7.0) — silent background updates; Extended Validation certificate permanently eliminates SmartScreen warnings

Ciela Pro

A Pro edition for teams and organizations is in development. It will extend the core product with capabilities for shared inboxes, company-wide inbox hygiene, and administrative oversight. The personal edition will not be affected.

10

Monetization

Personal — Free, forever

Ciela's personal edition is free. No ads. No subscriptions. No data selling.

Your data never leaves your computer. Ciela runs entirely on your device — no servers, no accounts, no tracking. Your email stays yours.

This reflects a belief that useful software should be accessible to everyone — including the college student who can't afford a subscription and the grandmother who doesn't understand why email costs money to clean.

Ciela Pro — Coming soon

A Pro edition is in development for teams and organizations. It will extend the core product with capabilities designed for shared inboxes, company-wide inbox hygiene, and administrative oversight.

The personal edition will never be paywalled. Pro features are additive — they will not remove or restrict anything available today.

11

Technology Stack

Component Technology
Application frameworkTauri 2.x
Backend languageRust
FrontendReact 19 + TypeScript + Tailwind CSS
Build toolVite
DatabaseSQLite via rusqlite (bundled)
EncryptionSQLCipher / AES-GCM
HTTP clientreqwest (rustls, no OpenSSL dependency)
Rate limitinggovernor crate (token bucket)
OAuthPKCE desktop flow, loopback redirect
InstallerNSIS (Windows), DMG (macOS), AppImage (Linux)
Auto-updateTauri updater via GitHub Releases (v0.7.0)
12

About

Independent. Not venture-backed.

Ciela is an independent software product. It is not trying to grow into something else. It is a tool built to solve a real problem, built right, and given away freely.

Download Free
FREE · LOCAL-ONLY · YOUR EMAIL STAYS YOURS