Executive Summary
Ciela is a free, local-only desktop application that helps people clean, understand, and take control of their email inbox. It connects to Gmail and Outlook via secure OAuth2, and to iCloud, Yahoo, Zoho Mail, AOL, Fastmail, and 30+ other providers via IMAP. Scanning happens entirely on your own device, emails are classified into twenty-one categories, and you have the tools to clean years of unwanted email in minutes.
No cloud. No servers. No accounts. No ads. No subscriptions. Your email stays yours.
Ciela is built for everyone — from the grandmother overwhelmed by 15 years of promotional email, to the privacy-conscious professional who refuses to hand their inbox to a third-party cloud service. The core cleanup tool is free and always will be.
The Problem
The average person receives over 120 emails per day. After a decade of inbox accumulation, many users carry 50,000 to 200,000 emails — the vast majority of which are promotional, automated, or long-expired notifications they never asked for and will never read.
Existing solutions fall into two categories, both unsatisfactory:
- Cloud-based cleaners (Unroll.me, Clean Email, Mailstrom) require users to grant full Gmail access to a third-party server. These services read, index, and in some cases monetize inbox data. For privacy-conscious users — and for anyone who has thought carefully about what their inbox actually contains — this is unacceptable.
- Manual cleanup is simply not viable at scale. Deleting 50,000 emails one by one, or even sender by sender through Gmail's search interface, takes hours of tedious work that most people never finish.
Ciela solves both problems. It does the heavy lifting of a cloud cleaner, with the privacy guarantees of a local tool.
The Vision
Ciela is a tool, not a companion. It is calm, precise, and trustworthy. It does not have a personality. It does not send notifications. It does not ask for reviews.
The personal edition is free and always will be. A Pro edition for teams and organizations is in development — it will never compromise the core free product.
It does one thing exceptionally well: it clears the air in your inbox.
The name Ciela draws from the Italian cielo — sky. The mission is to make your inbox feel light again.
The Ruth Experience
Every design decision in Ciela is evaluated against a single question:
Ruth is our design persona — a non-technical user in her 60s, comfortable with tablets and Chromebooks, overwhelmed by her inbox but unwilling to hand it to a service she doesn't trust. She is patient and curious, but easily overwhelmed by jargon, error codes, or interfaces that assume technical knowledge.
Ciela must pass the Ruth test at every screen:
- No raw error codes — ever
- No technical terminology without plain-language explanation
- No blank screens or silent failures
- Every action has a clear, reversible consequence
- The app always tells Ruth what it is doing and why
The Ruth Experience also defines the scan screen. Rather than a blank spinner during a long first scan, Ruth sees:
- A real-time progress bar with accurate percentage
- A live category breakdown building as emails are classified
- Rotating tips that teach her what Ciela can do
Privacy & Security
Privacy is not a feature in Ciela. It is the foundation.
5.1Offline-first after scan
The initial scan is the only time Ciela requires a live network connection. Once complete, every sender list, subject line, stat, and insight is read from the local encrypted database — no network required. Ciela only reaches out to your provider again when you explicitly take action: moving emails to Trash or opening an unsubscribe URL. You can disconnect your internet after scanning and the entire inbox intelligence layer continues to work.
5.2Credential storage
OAuth tokens are held in memory during a session. When persistence is needed, credentials are stored in the OS-level encrypted vault — Windows Credential Manager, macOS Keychain, or Linux Secret Service — never in a plaintext file. IMAP app passwords follow the same path and are additionally wrapped in zeroing memory (Zeroizing<String>) for their entire in-memory lifetime, ensuring they are overwritten rather than garbage-collected when no longer needed.
5.3Database encryption
The local SQLite database is encrypted using SQLCipher. The encryption key is derived from the device's hardware identifier, making the database unreadable if the storage is removed from the machine, while remaining completely transparent to the user.
5.4OAuth client credentials
Ciela bundles Google and Microsoft OAuth Client IDs in the application binary. This is the standard, platform-endorsed pattern for installed desktop applications using the PKCE authorization flow. The credentials do not grant access to any user data on their own — they merely identify the application to the OAuth server. All actual authorization requires explicit user consent, and the resulting tokens are stored in the OS credential store, not in the binary.
5.5Security as a design principle
Every new feature is evaluated through a security lens before implementation. The guiding question is always: does this require data to leave the device? If yes, it requires explicit justification or is removed from scope.
How It Works
1Connection
Gmail & Outlook (OAuth2): The user selects their provider on the connect screen. A browser window opens to the provider's sign-in page. After authentication, the browser redirects to a local loopback server (http://127.0.0.1) that Ciela has opened for exactly this purpose. The authorization code is exchanged for access and refresh tokens entirely on the user's device. OAuth policy requires the system browser — embedded webviews are prohibited for security reasons. Ciela makes this seamless: the app shows a waiting screen, and the browser tab closes automatically after authentication completes.
IMAP (iCloud, Yahoo, Zoho Mail, and 30+ providers): The user fills in an inline form — choose provider, enter email and app password, done. Ciela tests the live TLS connection before saving anything, then stores the app password in the OS credential vault. No browser redirect, no waiting screen — a successful IMAP connect takes the user directly to their inbox.
Multiple accounts can be connected across all three provider types; each is isolated in its own keyring entry and database partition.
2Scan
Ciela fetches only the metadata fields needed for classification: sender, subject line, and the List-Unsubscribe header. Full email content is never downloaded.
Gmail: Messages are fetched in batches of up to 100 per HTTP call using Gmail's batch API, with 10 concurrent requests and a 200 req/s rate limiter. Outlook: Microsoft Graph API with batch sizes up to 20. IMAP: UIDs fetched via UID SEARCH (capped at 10,000 per run), then headers fetched in 500-UID batches with a 50ms pause between batches — slower than OAuth providers due to IMAP protocol constraints. Rate limiting is tuned to stay safely below each provider's quota ceiling. A first scan of a 100,000-email inbox typically takes 5–20 minutes; API rate limits, not hardware, are the constraining factor.
Scan state is checkpointed after every page of results. If the scan is interrupted — app closed, connection lost — it resumes from the last checkpoint rather than starting over.
On subsequent runs, Ciela performs an incremental scan — fetching only emails received since the last scan date. A typical weekly incremental scan completes in seconds to a few minutes.
3Classification
Every email is classified by a local rule engine written in Rust. The classifier evaluates the sender domain, subject line, snippet text, and bulk email headers to assign one of twenty-one categories:
| Category | Description |
|---|---|
| Personal | Emails from real people on personal domains |
| Security | Login alerts, verification codes, password resets |
| Government | Federal, state, and local government agencies; .gov domains |
| Finance | Statements, invoices, transactions, tax documents |
| Utilities | Electric, gas, water, internet, and phone providers |
| Travel | Bookings, itineraries, boarding passes |
| Receipts | Order confirmations, shipping updates, delivery notifications |
| Notifications | App alerts, digests, activity summaries |
| Education | K-12 and university platforms — Canvas, Blackboard, school districts |
| Healthcare | Patient portals, appointment reminders, pharmacy, medical offices |
| Food | Food delivery (DoorDash, Uber Eats, Grubhub), restaurant loyalty, meal kits |
| Subscription | Newsletters and curated content |
| Jobs | Recruiters, job boards, staffing agencies, application updates |
| Dating | Dating app notifications and match alerts |
| Faith | Religious organizations, places of worship, faith-based charities |
| Real Estate | Listings, agent updates, mortgage, rental platforms |
| Gaming | Game launchers, in-game alerts, esports |
| Gambling | Casinos, sports betting, lottery |
| Active Marketing | Promotional email from senders who are actively mailing |
| Dead Marketing | Promotional email from senders who haven't mailed in years |
| Unknown | Senders that don't match any category — reviewed and reclassified by the user |
The sender-type model treats email type as the primary entity. Senders with mixed behavior — Amazon sending both receipts and marketing, for example — appear as separate rows. "Amazon Receipts" and "Amazon Marketing" are distinct, independently actionable entries — trash all marketing from a sender while leaving every receipt untouched.
4Cleanup
The user reviews their sender list, filtered by category. Each sender shows their email count and category classification. Clicking Trash opens a confirmation modal with four date-scope options (Older than 30 days / 6 months / 1 year / All time). If the sender has a stored unsubscribe URL, an "Also try to unsubscribe" checkbox appears in the same modal. An amber warning appears if the selected date window would include emails opened in the last 90 days, prompting the user to choose a safer scope.
For bulk category cleaning, clicking "Clean all" on a cleanup category (Active Marketing, Dead Marketing, Subscription, Notifications) first checks whether any unprotected sender in that category was recently active. If so, an OutlierView review screen appears before any action is taken. The user can protect recently-active senders one by one; the summary panel updates in real time to show exactly how many senders and emails will be affected. Protected senders are excluded from the clean without needing to dismiss the modal or lose their place.
Ciela moves emails to the provider's trash folder — Gmail uses Trash, Outlook uses Deleted Items, iCloud uses Deleted Messages. It does not permanently delete. Standard 30-day retention applies, giving users a safety net. The trash operation batches up to 1,000 messages per API call; trashing a 10,000-email sender takes roughly the same time as a single network round-trip.
5Stats & Intelligence
After scanning, Ciela surfaces inbox intelligence on the Dashboard tab:
- Inbox at a Glance — total emails, active senders, years of history, and noise percentage in one snapshot
- Signal vs. Noise — what share of your inbox is promotional or automated vs. email that actually matters
- Read Rate by Category — per-category engagement showing which types of email you actually open
- Senders Never Opened — count and list of senders you've never read a single email from
- Total email breakdown by category
- Top senders by volume
- Ghost subscriptions — newsletters not opened in 5+ months
- Inbox history — a bar chart of email volume by year; after a cleanup session, the bars shrink to reflect the current state of the inbox
- Peak Mail Hours — histogram of the hours when you receive the most email
- Your Oldest Email — the year your earliest stored message was received and what category it fell into
- Storage reclaimed after a clean session
Architecture
Ciela is built on Tauri 2.x — a Rust-based framework for native desktop applications that uses the system's built-in web renderer rather than bundling a full browser engine. This is what allows Ciela to ship as a sub-10MB installer while delivering a modern, responsive interface.
Gmail and Outlook (Microsoft Graph) API clients with automatic token refresh and rate limiting · IMAP client (async-imap) supporting implicit TLS (port 993) and STARTTLS (port 143); 32 providers pre-configured · Local rule-based email classifier (twenty-one categories) · Tauri command layer exposing backend functionality to the frontend · SQLite via rusqlite + SQLCipher encryption
Component-based UI with type-safe Tauri command invocations · Real-time scan progress via Tauri event system · Tile-based customizable dashboard
Fully local, single file · Multi-account schema with per-account data isolation · WAL journal mode for performance · Encrypted with SQLCipher
currentUser install mode — no administrator rights required · WebView2 bootstrapper (pre-installed on Windows 10/11, downloaded silently if missing) · Sub-10MB installer target
All three platform binaries — Windows (.exe), macOS (.dmg), and Linux (AppImage / .deb / .rpm) — are compiled by GitHub Actions on a specific commit in the private development repository. No manual compilation step exists in the release process. Every release is tied to a commit hash and a build log, available on request.
What Ciela Does Today
Connect & Scan
- Connect Gmail or Outlook via secure OAuth2 — no credentials to enter, no account to create
- Connect iCloud, Yahoo, Zoho Mail, AOL, Fastmail, and 30+ providers via IMAP app password — inline form, live TLS connection test, password stored in OS credential vault
- Multiple accounts supported — switch between connected inboxes in one click; add or remove from Settings
- Full mailbox scan across your entire email history
- Incremental rescans — fast, checks only new mail since the last scan
- Scan resumes from checkpoint if interrupted — no starting over
- Works offline after the first scan — browse, filter, and clean without a network connection
Classification
- Twenty-one-category local classifier — Personal, Security, Government, Finance, Utilities, Travel, Receipts, Notifications, Subscription, Food & Dining, Active Marketing, Dead Marketing, Education, Healthcare, Jobs, Dating, Faith, Real Estate, Gaming, Gambling, Unknown
- Sender-type model — one sender can appear as multiple rows when they send different types of email (e.g. Amazon Receipts and Amazon Marketing are separate, independently actionable entries)
- Reclassify any sender — corrections persist across rescans automatically
- Similarity suggestions — after reclassifying a sender, Ciela surfaces other senders with similar patterns for bulk reclassification in one step
- Domain-rule engine — hundreds of known platforms classified by sender domain, not just subject keywords
Clean Up
- Trash action with date-scope picker — 4 options (Older than 30 days / 6 months / 1 year / All time); pre-selects your last-used preference; amber warning if selected scope would include recently-opened emails
- "Also try to unsubscribe" — optional checkbox in the trash modal, shown when a sender has a stored unsubscribe URL; queues unsubscribe alongside trash in one action
- Bulk clean by category — "Clean all" on any cleanup category opens a confirmation; proceeds directly when no recently-active senders are present
- Outlier review before bulk clean — if any sender in a cleanup category was opened in the last 90 days, an OutlierView screen appears first; protect specific senders before the clean fires; summary updates in real time
- Protected senders — mark any sender as untouchable; excluded from all bulk operations and the OutlierView clean flow
- Unsubscribe tracking — one click to open the sender's unsubscribe URL; Ciela tracks whether they actually stop sending
- Batch trash API — up to 1,000 emails per API call; trashing a large sender is near-instant rather than minutes
Dashboard & Insights
- Inbox at a Glance — total emails, active senders, years of history, and noise percentage on the landing screen
- Signal vs. Noise — single-number read on what share of your inbox is promotional or automated
- Read Rate by Category — engagement bar for each category; see at a glance which types of email you actually open
- Senders Never Opened — how many senders have never had a single email read; one click to browse them
- Inbox overview — category cards showing email and sender counts; click any category to jump directly to that sender list
- Sender detail view — click any sender for their full subject history, engagement chart, open-rate trend, and individual actions (protect, reclassify, trash)
- Inbox history — bar chart of email volume by year; shrinks in real time as you clean
- Peak Mail Hours — 24-hour histogram of when you receive the most email; peak hour highlighted
- Your Oldest Email — the year and category of the earliest message in your inbox
- Sender behavior signals — "Never opened", "Actively read", "Last read N months ago"
- Outlier protection — amber warning when a sender you're about to clean was recently active
- Inactive Subscriptions panel — surfaces newsletters you haven't opened in months
- Unsubscribe status tracking — "Unsubscribed", "Still sending", or "Confirmed ✓"
- Inbox growth trend — sparkline showing how your inbox has grown across scans
- Inbox health trend — noise % trend chart across the last 8 scans; sender delta indicator showing change vs. the previous scan
- Storage breakdown — explains the gap between the provider's total and Ciela's scanned count; empty Trash and clear Spam directly from the app
- Scan History — every scan listed with date, email and sender counts, and Unknown delta; click any row to open its Scan Report
- Scan Reports — per-scan detail: category changes since last scan; full cleanup history with recoverable, rescued, and permanently gone status; Undo available for recoverable operations
- Smart Purge Tray — after a scan, if senders you previously trashed have returned, a compact tray appears: "These senders are back. You trashed them last time." Options: Trash all, Look at them first, or Not now
Auto-Clean Rules
- Rule creation — after manually cleaning the same category 3 times, Ciela offers to save it as a rule; rules run automatically at the end of every full scan
- Pre-scan confirmation — a screen lists all active rules and what they will do before each scan, with a link to change them
- Post-scan summary — a banner after the scan reports which rules ran and how many emails were moved
- Settings rules panel — lists all active rules with Turn On/Off and Delete controls; minimum age threshold 7 days enforced backend-side
Your Outlook Filters (Outlook accounts)
- Server-side filtering — when a sender has been trashed in 2+ different scans, Ciela can create an Outlook inbox rule that routes those emails to Trash automatically, even when Ciela isn't open
- Transparent disclosure — required copy before any rule is created: "Outlook will send [sender] emails straight to trash — even when Ciela isn't open. You can remove this anytime from Settings → Your Outlook Filters."
- Settings panel — lists all active Outlook rules with a Remove button for each; removal calls the Microsoft Graph API immediately
Settings & Safety
- Settings screen — account info, app version, default date filter preference, auto-clean rules list, Your Outlook Filters panel, disconnect
- Sort and filter — by email volume, engagement, or recency; state persists across navigation
- No admin rights required — installs per-user on Windows
What's Coming
Distribution Reliability
- EV code signing — eliminates Windows SmartScreen "Unknown publisher" warning for direct download users; CI build pipeline and auto-updater already shipped
Microsoft Store — deprioritized
- MSIX packaging + Windows App Certification Kit (WACK)
- Store listing and submission
Ciela Pro
A Pro edition for teams and organizations is in development. It will extend the core product with capabilities for shared inboxes, company-wide inbox hygiene, and administrative oversight. The personal edition will not be affected.
Monetization
Personal — Free, forever
Ciela's personal edition is free. No ads. No subscriptions. No data selling.
Your data never leaves your computer. Ciela runs entirely on your device — no servers, no accounts, no tracking. Your email stays yours.
This reflects a belief that useful software should be accessible to everyone — including the college student who can't afford a subscription and the grandmother who doesn't understand why email costs money to clean.
Ciela Pro — Coming soon
A Pro edition is in development for teams and organizations. It will extend the core product with capabilities designed for shared inboxes, company-wide inbox hygiene, and administrative oversight.
The personal edition will never be paywalled. Pro features are additive — they will not remove or restrict anything available today.
Technology Stack
| Component | Technology |
|---|---|
| Application framework | Tauri 2.x |
| Backend language | Rust |
| Frontend | React 19 + TypeScript + Tailwind CSS |
| Build tool | Vite |
| Database | SQLite via rusqlite (bundled) |
| Encryption | SQLCipher / AES-GCM |
| HTTP client | reqwest (rustls, no OpenSSL dependency) |
| IMAP client | async-imap 0.9 + async-native-tls |
| Rate limiting | governor crate (token bucket) |
| OAuth | PKCE desktop flow, loopback redirect |
| Installer | NSIS (Windows), DMG (macOS), AppImage (Linux) |
| Auto-update | Tauri updater via GitHub Releases |
About
Independent. Not venture-backed.
Ciela is an independent software product. It is not trying to grow into something else. It is a tool built to solve a real problem, built right, and given away freely.