Last updated: March 2026
MailGoatt ("we", "us", "our") operates the MailGoatt inbox cleanup service available at mailgoatt.com. This Privacy Policy explains what personal data we collect when you use our Service, how we use and protect it, and your rights over that data. Questions about this policy can be sent to [email protected].
When you register, we collect your email address and a securely hashed version of your password. We do not store your MailGoatt password in plaintext.
To connect to your mail server, we collect your IMAP hostname, port, username, and password. Your IMAP password is protected with a layered, purpose-built approach that combines salting, modern key derivation, and strong encryption at rest before it is stored in our database. It is never stored in plaintext, never logged, and never transmitted to any third party. It is used solely to authenticate to your mail server when running scheduled cleanups.
We store the rules you configure: your age threshold, target folder, unread-only preference, and list of "never-move" keywords. These settings exist only to operate the Service as you intend.
When MailGoatt moves an email, we log: the email's subject line, sender address, date sent, and the folder the email was moved to. We do NOT log or store email body content, HTML, attachments, CC/BCC fields, or any content beyond what is listed here. This log is displayed on your History page and retained indefinitely so you can always trace what the Service has done.
We may collect standard server logs including IP addresses, browser type, and request timestamps for security and debugging purposes. These logs are retained for up to 90 days and are not used for advertising.
Payments are processed by Stripe. We do not store your credit card number, CVV, or full payment details. We receive from Stripe a customer ID, subscription status, and the last four digits of your card for display purposes only.
We want to be explicit about what we do not access or store:
• The body content of any email in your mailbox.
• Email attachments.
• Contacts or address book data.
• Emails that do not meet your configured cleanup rules — we only touch messages that match.
• Any data from folders other than the ones you configure.
• Browsing history or tracking cookies for advertising.
We use the data we collect exclusively to:
• Authenticate you when you sign in to MailGoatt.
• Connect to your mail server via IMAP and perform scheduled cleanup runs.
• Display your cleanup history in the History page.
• Send you transactional emails (e.g. subscription receipts, trial expiry reminders, password resets).
• Investigate and resolve support requests you submit to us.
• Detect and prevent abuse or unauthorized access to the Service.
We do not use your data for advertising. We do not sell your data. We do not share your data with third parties except as described in Section 5.
We do not use your personal data—including account information, credentials, cleanup settings, or any metadata we log—to train, fine-tune, evaluate, or improve artificial intelligence or machine learning systems. We do not use your data for automated model development or similar AI-related processing, and we do not make your data available to third parties for those purposes.
Payment processing is handled by Stripe, Inc. When you subscribe to Pro, you are interacting with Stripe's payment infrastructure. Stripe's privacy policy is available at stripe.com/privacy.
We use Inngest to schedule and run background jobs, including your daily cleanup runs. Inngest receives job invocation data (e.g. a user ID and timestamp) but does not receive your IMAP credentials or email content.
Our servers and database run on cloud infrastructure. Your data is stored in encrypted form at rest. Providers with access to underlying infrastructure are bound by confidentiality obligations and have no permitted use of your data beyond operating the infrastructure.
We may disclose data if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
Account data is retained for as long as your account is active. If you delete your account:
• Your MailGoatt login credentials are deleted immediately.
• Your IMAP credentials are permanently deleted within 24 hours.
• Your cleanup settings and History log are deleted within 30 days.
You may request early deletion of specific data by contacting [email protected].
We take security seriously because we understand the sensitivity of what you are entrusting us with.
• IMAP passwords are protected at rest using salting, key derivation, and strong encryption—we do not publish specific implementation details, which helps keep our defenses effective.
• All data in transit is protected by TLS (HTTPS).
• Database access is restricted to application servers only; no public access is permitted.
• We do not retain plaintext credentials in logs, error reports, or analytics.
If you discover a security vulnerability, please report it responsibly to [email protected] before disclosing it publicly. We will respond within one business day.
You have the right to:
• Access a copy of the personal data we hold about you.
• Correct inaccurate data (you can update your email address from your account settings).
• Delete your account and associated data (from your account settings, or by contacting us).
• Withdraw consent to IMAP access at any time by removing your IMAP configuration.
• Receive your History log in a portable format — contact us and we will provide a CSV export.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
MailGoatt uses only functional cookies required to keep you signed in (session cookies via NextAuth.js). We do not use advertising cookies, tracking pixels, or third-party analytics scripts that follow you across the web.
The Service is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with data, contact [email protected] and we will delete it promptly.
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects when the policy was last revised.
For any privacy-related questions, data requests, or concerns, contact us at [email protected]. We're a small team and we respond personally.