Cookie Policy

• We use essential cookies on every visit. Nothing else without your consent where consent is required.
• We do not use fingerprinting or supercookies. We don't sell cookie data.
• Where the EU/EEA/UK/Switzerland/Brazil/California require consent, we obtain it through a granular banner with equal "Accept" and "Reject" options.
• You can withdraw or change consent at any time from the footer link "Cookie preferences".

A cookie is a small text file placed on your device by a website. Cookies have many uses: authenticating you, remembering preferences, measuring traffic, and (in some cases) tracking across sites. This Cookie Policy also covers similar technologies — local storage, session storage, pixels, web beacons, and SDKs — even though they aren't technically cookies.

• Strictly necessary — required for the Services to function (authentication, session, CSRF protection, load balancing, fraud detection). Cannot be disabled.
• Functional — remember preferences, language, dark mode, recent workspaces. Active with consent or, where lawful, on a legitimate-interest basis with opt-out.
• Analytics — measure how the marketing site and product are used (pages viewed, conversion funnels). First-party only by default; sampled. Off until you consent.
• Marketing / advertising — we use a minimal set, only for our own retargeting on a couple of B2B networks. Off until you consent.

Strictly necessary

Functional

Analytics

Marketing

• On your first visit (in jurisdictions where consent is required), we show a banner with separate toggles for Functional, Analytics, and Marketing categories.
• "Accept all" and "Reject all" are presented with equal prominence.
• You can withdraw consent at any time via the "Cookie preferences" link in the footer of every page.
• We re-prompt for consent at most once every 12 months, or sooner if categories materially change.
• We treat a Global Privacy Control browser signal as an opt-out of non-essential analytics and marketing.
• You can also block cookies entirely in your browser settings. Some Services will not work without strictly necessary cookies.

• Cloudflare — CDN and bot mitigation. Strictly necessary.
• Matomo (self-hosted, EU) — analytics. With consent, where required.
• LinkedIn Insight Tag — B2B retargeting. With consent.
• Google Tag Manager — container only; tags fire conditionally based on your consent.
• Vimeo / YouTube — embedded product walkthrough videos, in privacy-enhanced mode. With consent.

The authenticated Mailapp product does not load third-party analytics or marketing tags. Period.

Inside the authenticated application, we use only first-party cookies for authentication, session management, region routing, and preferences. Product analytics (page views, feature usage) are collected server-side using your account ID, with PII redaction in our pipeline; you may opt out from Settings → Privacy. Audit logs of cookie behaviour are available to Enterprise customers via SIEM export.

Modern browsers can transmit a Global Privacy Control (GPC) signal. We treat a GPC signal as a valid opt-out of any sale or share (already "no") and of non-essential analytics and marketing. The legacy Do Not Track (DNT) header is not standardised and we do not respond to it specifically.

We'll update this Cookie Policy when we add or remove cookies, change purposes, or change retention periods. If we introduce a new category of cookie (e.g., switching to a new analytics provider), we will re-prompt for consent in affected jurisdictions.

For cookie questions, write to hello@mailapp.app. For consent withdrawal that's not working as expected, the cookie team responds within one business day.