Privacy Policy

Last updated: 2026-06-23.

Your mailbox stays on your device

When you open an .mbox backup, mboxreader parses and indexes it entirely in your browser's local storage. Your email content is never uploaded to or stored on our servers. Clearing your browser's site data for mboxreader removes it.

What we collect

• Account. Your email and a hashed password, so you can sign in. Passwords are stored only as a salted hash — never in plain text — and are never logged.
• Server logs. IP address, user agent, and request paths, kept up to 30 days for security and abuse prevention.

We do not receive the contents of your mailbox, your messages, contacts, or attachments — those never leave your browser.

How we use it

To run the app, keep your account secure, and prevent abuse. We do not sell personal data, show third-party advertising, or use your data to train AI models.

Who we share it with

• Self-hosted infrastructure — we host the app and store your account on servers we operate. Your data is not handed to a third-party database, authentication, or hosting provider.
• Product analytics — a third-party analytics provider records anonymous usage events and sets an analytics identifier. Because this app shows private email, the analytics are configured to mask on-screen text, so your email content is not captured.
• Error monitoring — when the app hits an error, a diagnostic report (stack trace and request context) is sent to a third-party error-monitoring provider so we can fix it.

Cookies & analytics

mboxreader sets an HttpOnly cookie for your signed-in session. Our analytics provider (above) sets an analytics identifier (in local storage and a cookie) to count visits and measure feature use. We do not use cookies for advertising or cross-site tracking.

Your rights (GDPR / CCPA)

Your opened mailbox is local to your browser — you can remove it any time by clearing the site's data. For your account, you can access or delete it in the app, or email our privacy contact. EU residents may also lodge a complaint with their local supervisory authority.

Children

The service is not directed to children under 13 (or the applicable age of digital consent). We do not knowingly collect personal information from children.