Vol. I, No. 1  ·  San Francisco
mailconnectest. 2025
Privacy Notice  ·  plain english

Privacy Notice

What we keep, and what we don’t.

Effective · 21 Apr 2026 · Plain language, no dark patterns

mailconnect is a thin bridge between your AI client and your Fastmail mailbox. It sits between two systems you already trust, and our entire job is to be uninteresting in the middle. This notice explains, in concrete terms, what that looks like in practice.

What this service does

mailconnect is operated as a Cloudflare Worker reachable at https://api.mailconnect.app. It speaks two protocols at once: it acts as an OAuth 2.0 authorization server that your AI client connects to, and it acts as a registered third-party OAuth application of Fastmail, exchanging access and refresh tokens with Fastmail’s endpoints. When your client calls one of the live tools, mailconnect uses the encrypted Fastmail tokens for that grant to make a JMAP request and returns the result. mailconnect also exposes a small settings page that lets you enable or disable state-changing capability groups per connected client.

What we collect

The data mailconnect needs to function, and nothing else. Specifically:

  • OAuth grants from your client: when your AI client registers and a user consents, the underlying @cloudflare/workers-oauth-provider stores the grant in Cloudflare KV. Each grant identifies its client and the mailconnect OAuth scope it was issued for.
  • Encrypted Fastmail tokens: the Fastmail access and refresh tokens we receive on your behalf are stored inside that grant’s encrypted props. They are not stored anywhere else.
  • Your Fastmail username: used as the OAuth user identifier so the bridge can find the right grant when your client reconnects, and so the settings page can address the right Fastmail account.
  • Capability settings: if you use the settings page, we store your enabled or disabled capability groups in Cloudflare D1, keyed to your Fastmail account and the connecting client.
  • Settings session cookie: if you sign into the settings page, mailconnect stores a short-lived signed session cookie in your browser so you do not have to re-authenticate on every page load.
  • Operational logs: short-lived request logs from Cloudflare in the normal course of running a Worker, plus structured OAuth events emitted by mailconnect itself. Those events use hashed identifiers; no email content, no full tokens. Nothing here is used for analytics or profiling.

What we don’t collect

  • The contents of your email as stored data on our infrastructure. When a tool call runs, mailconnect fetches mailbox structure, message metadata, search results, bodies, or attachments from Fastmail, returns them to your client, and does not persist any of that response after the request is complete.
  • Your Fastmail password. The OAuth flow happens entirely on Fastmail’s domain; mailconnect never sees credentials.
  • Trackers, ad SDKs, third-party analytics, fingerprinting scripts, or anything similar — neither on the marketing site you’re reading now nor on the API surface.

If and when mailconnect adds materially broader mailbox access or state-changing tools, this notice will be updated to describe that behavior before the new tools become available.

How tokens are protected

Upstream Fastmail tokens are stored as encrypted props on each OAuth grant, encrypted at rest by the Cloudflare Workers OAuth Provider. They are decrypted in memory only for the duration of a request that needs them, and rotated transparently when the upstream Fastmail token is refreshed. If you revoke the grant, the encrypted props become inaccessible.

In short We hold the smallest possible thing — encrypted tokens — for the smallest possible reason — to talk to Fastmail on your behalf when your AI client asks.

Sharing

We do not sell your data. We do not share it with third parties for marketing purposes. The bridge necessarily talks to two parties on your behalf: the AI client you connected from, and Fastmail (which you authorized). Both relationships exist because you initiated them, and both can be ended unilaterally by you.

Cloudflare is our hosting provider for the Worker, KV namespace, and D1 database, and as such acts as a processor for the data described above. They are subject to their own published privacy practices.

Your rights

  • Disconnect at any time. Removing the integration in your AI client revokes the OAuth grant on our side. Revoking the mailconnect application inside your Fastmail security settings kills the upstream tokens immediately.
  • Request deletion. If for any reason a residual grant survives the above (it shouldn’t), email [email protected] and we’ll delete it on request.
  • Ask what’s held. Because what we hold is so narrowly defined, an access request is essentially “the encrypted token props for your grant exist or do not exist.” We’ll confirm in writing on request.

Security reports

If you discover a security issue, please email [email protected] with SECURITY in the subject. We acknowledge security reports within one business day and prefer responsible disclosure with reasonable timelines.

Children

mailconnect is intended for users with their own Fastmail accounts and is not directed at children. If you believe a child has connected the service to a Fastmail account they should not have access to, contact us and we’ll help sort it out.

Changes to this notice

If we materially change what mailconnect collects or how it’s stored, we’ll update this page and revise the “Effective” date at the top. Material changes that expand collection will not apply retroactively to existing grants without re-consent.

Contact

Questions about this notice are welcome. Write to [email protected] and a real person will reply.