Privacy Policy
MailCue is a macOS app that helps you get through email faster — AI reads a message, drafts a reply, and you send. This policy explains exactly what the app reads, what it transmits, what is retained and for how long, your right to erase it, and what MailCue will never do. It is written to be accurate, not to oversell — if a practice changes, this page changes with it.
What MailCue reads
Today (Apple Mail): when you submit a reply intent, MailCue uses macOS Accessibility/AppleScript to read the single email message you currently have selected in Apple Mail — the sender address, the subject line, and the message body. Nothing is read until you submit an intent.
When you connect a mailbox (Gmail, as described under Connecting a mailbox): MailCue reads messages in that account so it can rank your inbox, draft replies, and manage mail you ask it to manage. This is broader than single-message reading, and you grant it explicitly through Google's consent screen. It still never sends or composes without your tap, and never trashes without your per-message confirmation.
What MailCue sends over the network
When you submit an intent, MailCue sends the following to MailCue's backend service over TLS (HTTPS):
- Your reply intent (the text you typed)
- The selected message's sender, subject, and body
- Your license key (for authentication; never logged)
This data is transmitted to power MailCue's features for you — drafting replies, ranking your inbox, and learning your tone (and, when you connect a mailbox, managing it). It is not sold, shared with advertisers, or used to train any AI model. See Erase everything for how to remove what we keep.
What is retained, why, and for how long
MailCue's backend may retain, tied to your account only:
- Recent mail content — raw text of recent messages, kept up to 90 days, to power drafting and ranking.
- Tone & ranking features — derived signals (including irreversible embeddings) learned from your mail so drafts sound like you and your inbox is ordered usefully. Kept until you delete them or close your account.
- Your reply drafts generated for you.
What we never do with retained content:
- Sell it, share it, or hand it to advertisers or data brokers
- Use it to train any AI model — ours or a provider's
- Mine it for analytics or build a cross-user profile
- Write your message content into our server logs (logs hold metadata only)
The AI provider MailCue routes to does not train on your content, and handles it only transiently to produce your draft.
Connecting a mailbox (read & manage)
MailCue is moving toward letting you connect a mail account (starting with Gmail)
directly, so it can help you manage your inbox — read messages,
archive them, and apply a MailCue label. With your explicit, per-action confirmation
it can also move a message to Trash. This uses Google's gmail.modify
permission, which covers read plus archive, label, and trash — it does not
allow sending or composing mail on your behalf.
- Nothing is silent. MailCue never deletes or trashes a message without your explicit confirmation for that specific message, and never sends a reply without your tap on Send.
- You grant it; you can revoke it. The connection is created by a Google consent screen that names exactly what MailCue may do, and you can disconnect at any time.
Google user data & Limited Use
When you connect Gmail, MailCue accesses your Google user data only through the
gmail.modify permission you grant, and uses it solely to provide MailCue's
features to you — ranking your inbox, drafting replies in your voice, and managing the
messages you ask it to manage. MailCue's use and transfer to any other app of information
received from Google APIs will adhere to the
Google
API Services User Data Policy, including the Limited Use requirements.
In particular, MailCue does not use Google user data to develop, improve, or train
generalized AI/ML models; does not sell or transfer it; does not use it for advertising;
and does not allow humans to read it except with your explicit consent (e.g. for support),
where required for security or to comply with the law, or as part of operations on
aggregated, anonymized data.
What is stored locally on your Mac
MailCue stores a small amount of data on your device only:
- License key — stored in macOS Keychain (encrypted at rest, accessible only to MailCue).
- Sent log — a lightweight on-disk record of when messages were sent (timestamp + subject line only, no body content). Used to power the 30-second undo window.
- Chat history — your intent prompts and Pouchy's reply bubbles are saved locally on disk so your conversation context carries across sessions. This history stays on your Mac and is removed when you run Reset & Forget. Mail content (message bodies, sender addresses) is never written to the chat history.
- App preferences — window position and settings stored in UserDefaults.
On disk, this local data lives in two places: the app's support folder
(~/Library/Application Support/MailCue/), which holds local state,
the brief cache, and chat history; and the app's preferences file
(~/Library/Preferences/com.mailcue.MailCue.plist), which holds
settings and cached mail metadata. The license key is held separately in the
macOS Keychain.
MailCue is not sandboxed, so dragging the app to the Trash does not remove this
data on its own. To erase everything stored locally, delete those two locations
and remove the com.mailcue.app entry from Keychain Access — the
Install guide walks through the steps.
Erase everything — Reset & Forget
You can remove everything MailCue has stored about you at any time. In the app, open Settings → Reset & Forget — one click, always free, always available. Your subscription is not cancelled by Reset — manage that separately under Manage subscription.
What is erased the moment you click: your retained mail content, your reply drafts, any connected-mailbox access on MailCue's servers (the Gmail permission token is revoked), and MailCue's local data on your Mac. This part is immediate and complete — it is gone right away, not scheduled.
What is removed shortly after: the small amount of writing-style data MailCue learned from you — the derived embeddings that let drafts sound like you. These live in a vector store that has no instant bulk-delete, so clicking Reset queues them for removal and a background cleanup job erases them shortly afterward. They are tied to your account only, are never sold or used to train any AI model in the meantime, and the deletion is permanent once it runs. The delay is in the timing, not in whether they go.
What MailCue never does
- Sends or composes any email without your explicit tap on Send
- Deletes or trashes a message without your explicit confirmation for that message
- Sells, rents, or shares your data with any third party
- Uses your mail to train any AI model — ours or a provider's
- Mines your mail for analytics or builds a cross-user profile
- Tracks you across apps or websites, or shows you ads
- Sends analytics or crash reports containing your mail content
Your rights (GDPR / CCPA)
You can access, correct, or delete the data MailCue holds about you, and you can withdraw access at any time — the one-click Reset & Forget covers deletion. For any other request, email [email protected]. MailCue processes your mail only to provide the service to you (drafting, ranking, and, where you connect a mailbox, managing it); it is not used for advertising or sold to anyone.
AppleScript and Automation permissions
macOS requires your explicit permission before MailCue can control Apple Mail via AppleScript. When prompted, you may grant or deny this permission. Without it, MailCue cannot read the selected message or dispatch replies — but the app will continue to run.
You can review or revoke this permission at any time in System Settings → Privacy & Security → Automation.
Changes to this policy
If the data practices described here change in a future version, this page will be updated and the effective date revised. Material changes will be noted in the release notes.
Contact
Questions about privacy? Email [email protected].