What we collect, why, and what you control.
Plain-language version of the same thing every SaaS writes, but actually plain. If anything here is unclear or doesn't match what we do, that's a bug. Email us and we'll fix it.
The short version: we collect the minimum needed to run the product. We don't sell data to anyone. We don't use your email contents for ads or training. Your IMAP credentials are encrypted at rest. Email bodies are never persisted. You can delete your account at any time and we'll delete your data.
Who runs Cereal
Cereal is operated by the entity running it (the "operator"). For the hosted version at cereal.run, that's us. If you're self-hosting Cereal under AGPL, the operator is whoever runs that instance, not us, and this policy doesn't apply.
You can reach us at hello[at]cereal.run for any privacy question, including data access, correction, or deletion requests.
What data we collect
Information you give us directly
- Account email and password when you sign up. Password is hashed with argon2id and never stored as plaintext.
- Mailbox credentials when you connect a mailbox: either an IMAP password (encrypted with AES-256-GCM before storage) or OAuth tokens from Google/Microsoft (also encrypted). These let our servers authenticate against your mail provider on your behalf.
- Bowl configuration: the names you give bowls and the email addresses you assign to them.
- Payment information, if you subscribe. Payment processing is handled by a merchant of record. We receive your subscription status and customer ID; we don't see your card details.
Information generated automatically
- Email metadata from the mailboxes you've connected: sender, recipient addresses, subject line, date, message ID, a short text preview. This is stored encrypted so the dashboard can render quickly without re-fetching from your provider on every click.
- Session tokens when you log in. We store only a SHA-256 hash of the token, never the raw value.
- Server logs with timestamps, request paths, and HTTP status codes. We do not log email addresses or message contents. Logs are retained for 14 days for debugging and security, then automatically deleted.
- IP addresses at the moment of API requests, used for rate limiting and abuse detection. We don't build profiles from them.
What we explicitly do not collect or store
- Full email bodies. When you open a message, we fetch the body from your mail provider, render it in your browser, and discard it from memory. It's never written to our database or disk.
- Attachments. Same as above. Streamed on demand, not stored.
- Browser fingerprints, ad-tracking cookies, or third-party analytics. No Google Analytics, no Facebook pixel, no Hotjar, no Segment.
- Behavioural data beyond standard server logs. We don't track what you click, scroll, or hover over.
How we use what we collect
Every piece of data we hold serves a specific product function:
- Mailbox credentials and OAuth tokens are used solely to authenticate against your mail provider when syncing or sending mail. They are decrypted in memory only at the moment of an active connection, never logged.
- Email metadata is used to render your inbox list, search results, and bowl views.
- Account email is used to log you in and to send transactional messages (password reset, payment receipts, security notifications). We don't send marketing emails to this address without explicit opt-in.
- Server logs and IP addresses are used to debug errors, detect abuse, and enforce rate limits.
We do not use your data to train AI models. We do not sell your data. We do not share your data with advertisers or data brokers. We will not use your email contents to build features for other users.
Who we share data with
The minimum third parties needed to run the product. Each has a specific role:
- A backend hosting provider (United States): runs the servers that operate Cereal. Has technical access to encrypted data at rest but no decryption keys.
- A managed database provider (United States): hosts our database. Same situation as above: encrypted data at rest, no keys.
- A content delivery and DNS provider (United States and global edge): serves our website and acts as a DNS and TLS layer. Sees traffic metadata but not request bodies past TLS termination.
- A payment processor: handles payment processing as merchant of record. Holds card details and billing addresses; we don't.
- Your mail provider (Gmail, Fastmail, Microsoft, Zoho, etc.): we authenticate against the providers you connect, on your behalf. Standard IMAP/SMTP traffic.
- Google and Microsoft for OAuth: if you connect a mailbox via OAuth, we send our app credentials to them and receive tokens. Standard OAuth flow.
Data transferred to US-based service providers relies on Standard Contractual Clauses where required. We do not share data with anyone else. If we ever need to (for example, to comply with a court order), we'll update this policy and, where legally permitted, notify affected users.
Where your data lives
Our backend servers and database run in the United States. If you're in the EU or UK, this means your data is transferred to and stored in the US. We rely on Standard Contractual Clauses for this transfer where applicable.
If geographic data residency matters to your use case, the self-hosted version of Cereal (AGPL) runs anywhere you put it.
How long we keep data
- Account data: kept while your account is active.
- Email metadata: kept while your account is active and the relevant bowl exists. Deleting a bowl deletes its message metadata. Deleting your account deletes everything.
- Server logs: 14 days, then automatic deletion.
- Payment records: retained by the merchant of record per their own retention rules, plus we keep subscription status until your account is deleted.
- Deleted account data: removed from active databases immediately. Database backups roll over within 30 days, after which copies are gone too.
Your rights
Regardless of where you live, you can:
- Access your data. Email us and we'll send you everything we have on you, in machine-readable form.
- Correct your data. Email or password are editable in account settings. For anything else, email us.
- Delete your account. Settings → Delete Account in the dashboard, or email us. We'll confirm and execute deletion within 7 days.
- Export your data. Bowls, accounts, and message metadata are exportable via an API call (documented in our developer docs). Email bodies live on your mail provider; we don't export those because we never had them.
- Withdraw consent. Disconnect any mailbox at any time. For OAuth mailboxes, you can also revoke our access from your provider's account settings.
If you're in the EU, UK, or California, you have additional statutory rights under GDPR, UK GDPR, and CCPA respectively. Those rights include the above plus the right to lodge a complaint with your local data protection authority. We won't make you go through us first.
Cookies and tracking
We use one cookie-like mechanism: a session token stored in localStorage after you log in. It's required for the product to work. We don't use third-party tracking cookies, advertising IDs, or analytics pixels.
If you visit cereal.run without logging in, no cookies or local storage entries are set.
Children
Cereal is not directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe a child has signed up, email us and we'll delete the account.
Changes to this policy
If we make changes, we'll update the "Last updated" date at the top of this page. For material changes (anything that expands what we collect or how we use it), we'll email all account holders at least 14 days before the change takes effect.
Past versions of this policy are kept in the public Git history of our website at github.com/cereal-run.
Questions
Email hello[at]cereal.run. We aim to respond within 5 business days.