Privacy

Privacy policy

Last updated: 2 May 2026

MailTwin is published by Smilodon AS, a Norwegian company. This policy explains what data MailTwin handles, where it goes, and the choices you have. The product is designed so that the sensitive parts of your email life never leave your Mac.

Summary in one paragraph

MailTwin runs on your Mac. Your API keys live in your macOS Keychain; MailTwin never transmits them. When you trigger an AI action, the body of the selected email plus a small style-context fragment from your own sent mail go directly from your Mac to the AI provider you chose (Anthropic, OpenAI, Google, xAI, Groq, DeepSeek, or your local Ollama). MailTwin does not run a backend for AI traffic — there is no MailTwin server in that path. We host an auto-update feed (updates.mailtwin.ai) and an opt-in telemetry endpoint (telemetry.mailtwin.ai) and the LemonSqueezy license endpoints — and that's it.

Data that stays on your Mac

API keys — macOS Keychain, service ai.mailtwin.keys. Never transmitted by MailTwin.
License key and the LemonSqueezy instance ID — Keychain, same service. Used to validate your activation against LemonSqueezy.
Indexed style profiles — sample emails from your Sent mailbox, body LZFSE-compressed, stored in ~/Library/Application Support/MailTwin/.
Request log — redacted previews of the last 200 AI requests, viewable in Settings → Privacy.
Cost tracker — per-day token totals so the soft caps work.
Identity (name + email collected at onboarding) — UserDefaults. Used in greeting templates. Never transmitted by telemetry.

Data that goes to the AI provider you chose

When you trigger an AI action (reply, summarize, improve draft, etc.), we send to the provider:

The body of the email you're acting on (or your draft).
A short prompt that describes the action.
A style-context fragment built from up to 5 of your past sent messages, scoped to the same recipient / topic / account when available.

The provider's privacy policy applies to that traffic. Your API key with that provider is what authenticates the call; from the provider's perspective the request looks identical to any other request from your account.

MailTwin never sends to the provider: subjects, recipient addresses beyond what's in the body, your other accounts' content, your Keychain, your license key, or your name and email.

Auto-update (`updates.mailtwin.ai`)

MailTwin uses Sparkle 2 to check for updates roughly every 24 hours. The check fetches an XML appcast from https://updates.mailtwin.ai/appcast.xml. The fetch carries a User-Agent of the form MailTwin/<build>. Cloudflare (which serves the file) records the request IP and User-Agent in standard CDN logs. We do not associate update fetches with any other identifier.

Updates are signed with an EdDSA private key held by Smilodon AS. Sparkle verifies the signature against the public key embedded in MailTwin before installing — even if our update host were compromised, an attacker couldn't ship you a malicious update.

Remote configuration (`updates.mailtwin.ai`)

MailTwin fetches a small JSON document at https://updates.mailtwin.ai/config.json roughly every four hours. Its purpose is to flip a kill-switch on a specific provider/model combination if a third-party API ships a breaking change. The fetch carries the same User-Agent as the appcast above and no other client information.

Opt-in telemetry (`telemetry.mailtwin.ai`)

Opt-in only — off by default. If you turn it on in Settings → Privacy, MailTwin sends anonymous usage events to https://telemetry.mailtwin.ai/events. Each event contains:

An event name like action.invoked or action.failed.
Properties like the AI provider used, action kind (reply/summarize/…), error class, duration in milliseconds.
An anonymous install ID (random UUID generated on first opt-in; rotated when you opt out).
Your MailTwin build number and macOS version string.

Telemetry never includes email content, addresses, subjects, freeform prompts you typed, AI responses, your name, or your email. The full source list of events is TelemetryEvent in our code; the events MailTwin has actually queued in this session are visible in Settings → Privacy → "Show what's been sent".

Telemetry events are received by a Cloudflare Worker and stored in Cloudflare D1 (a SQLite database). They are used by Smilodon AS to understand which features are used, which AI providers misbehave, and which app/macOS versions need attention. They are not sold, rented, or shared with third parties.

You can turn telemetry off any time. Doing so clears the local queue, rotates the anonymous install ID, and stops further sending.

Crash reports

MailTwin writes crash dumps to ~/Library/Logs/MailTwin/. They stay on your Mac unless you configure an upload endpoint in Settings → Privacy. We don't ship a default endpoint; the field is empty until you fill it.

Payments and licensing (LemonSqueezy)

Purchases are handled by LemonSqueezy as the merchant of record. When you buy a license, LemonSqueezy collects the data needed for payment processing and tax compliance (your name, email, country, and payment details). Their privacy policy applies. Smilodon AS receives your name, email, country, and order details from LemonSqueezy via webhook.

License activation calls https://api.lemonsqueezy.com/v1/licenses/* from your Mac with your license key and a hashed machine fingerprint (derived from IOPlatformUUID plus the bundle id). The fingerprint is used to enforce the seat limit. Smilodon AS does not operate its own license server.

What we never collect

Email content of any kind, except in the request you make to the AI provider you chose.
Email addresses (yours or others').
Subjects.
Freeform prompts you typed.
AI provider responses.
Your IP address tied to any other identifier we hold.

Your rights (GDPR, CCPA)

You can export your local settings to a JSON file (Settings → Privacy → Export settings) and delete all local data with one click (Settings → Privacy → Wipe everything). For data Smilodon AS holds (your LemonSqueezy purchase record, opt-in telemetry rows tied to your anonymous install ID), email [email protected] and we will respond within 30 days as required by GDPR / CCPA.

Because telemetry rows are tied only to a rotating install ID with no link to your purchase email, telemetry deletion requests must include the install ID, which you can find in Settings → Privacy → "Show what's been sent".

Children

MailTwin is not directed at children under 13. We don't knowingly process data from anyone under 13.

Changes to this policy

Material changes will be posted here and noted in the app's release notes. The "Last updated" date at the top reflects the most recent change.

Contact

Smilodon AS
Norway
[email protected] for privacy questions, [email protected] for product questions.