Article of Privacy · Vol. I — № 001

What we do with your mail.

An inbox is a private surface. It holds correspondence, invoices, the half-written reply you walked away from. This page is the full account of what Emcognito stores, where it stores it, who else touches it on the way through, and how to take it back — written in the same plain voice as the rest of the journal, because privacy notices read in legalese are privacy notices nobody reads.

Revised

I · What we hold

The kinds of things kept on your behalf.

Account
Your email address, the timestamp you signed up, the domains you register inside the product, and whatever billing handle Stripe returns to us. No password — we never set one.
Mail itself
Every message that arrives at a domain you've added: the raw RFC 822 envelope (sender, recipients, date, headers, body, attachments) and a parsed copy used for the reading view. Outbound: the same, plus the DKIM-signed copy SES held while it was being delivered.
Passkeys
The public half of any WebAuthn credential you register, plus a label and the timestamps of registration and last use. The private half stays on your device; we never see it.
Operational
Sign-in events, magic-link issuance, basic request logs. Kept for debugging and abuse handling, not for analytics on you.

II · Where the letters live

Two stores, one reader.

The raw envelope of every message lands in an Amazon S3 bucket as an .eml file the moment it arrives. A parsed, indexed copy — subject, sender, snippet, attachment list — goes into a single-table DynamoDB store with Point-in-Time Recovery on. The reading view you see in the inbox is built from the DynamoDB copy; the raw .eml is the canonical source of truth, kept in case you ever ask to export your archive.

Both stores have a lifecycle policy. Messages older than ninety days tier into S3 Glacier (still your data, slower to retrieve). After three hundred and sixty-five days they expire altogether. Attachments follow the same schedule, in their own bucket.

“Delete the message and its row vanishes at once; the raw .eml waits out its lifecycle before it goes.”

When you delete a message from the reader, the DynamoDB row is removed immediately — the message stops appearing, stops being searchable, stops being indexed. The raw .eml in S3 lives until the lifecycle expires it (within ninety days for warm storage, within a year for the Glacier tier). That's the honest answer; we'd rather say it than leave it implied.

If you close your account, every DynamoDB row tied to it is deleted on request. The S3 objects expire on their schedule, then are gone. We don't keep shadow copies elsewhere.

III · Who else touches the mail

The sub-processors, named.

  • Amazon Web Services

    S3 (raw mail and attachments), DynamoDB (the reading index), SES (outbound delivery, with per-domain DKIM signing), CloudFront (the website you're reading), KMS (DKIM master key). All in one AWS region. The store of record.

  • DigitalOcean

    The Haraka inbound MTA — the program that accepts incoming SMTP — runs on a DigitalOcean Kubernetes cluster. Mail traverses it, then is handed to S3. It is not stored there.

  • Stripe

    All billing. We never see your card; Stripe gives us back a customer handle and the subscription state. If you cancel, Stripe handles refunds and we mirror the state.

  • Google Analytics

    Loaded on public marketing pages (the Landing, Pricing, About, FAQ — the sort of page you're on now). It is not loaded inside the authenticated inbox. We use it to see which pages people read on the way in. If you'd rather opt out, the standard browser-level Do-Not-Track and ad-blocker mechanisms both work.

We don't sell data. We don't sell ad inventory. There is no surveillance layer on top of the inbox itself, ever.

IV · The reader's rights

Every right you'd expect, spelled out.

  1. 01

    Read it back.

    You can ask for a complete export of your archive — raw .eml files in a single tarball — and we'll produce it. Most archives finish inside a working day; very large ones, a little longer.

  2. 02

    Take it away.

    Delete any message, any domain, or your whole account from inside the app. Account deletion removes the DynamoDB rows immediately; the S3 objects expire on the lifecycle stated above. Tell us if you need them purged sooner and we will.

  3. 03

    Correct it.

    Fix anything wrong on your account — address, billing handle, domain ownership — from the relevant page, or by writing to us. We'll respond in plain English, not a ticket number.

  4. 04

    Object.

    If you live somewhere with stronger statutory rights — the EU, the UK, California, others — those rights apply here, not in addition to ours. Write and tell us what you'd like done and we'll treat it as the binding instruction it is.

V · The small print, made small

Cookies, security, children, change.

Cookies
One session cookie for sign-in. Google Analytics drops its own on public marketing pages (see III). No other tracking pixels.
Encryption
Mail is encrypted in transit between MTAs wherever the other side supports it (TLS), and at rest in S3 and DynamoDB. DKIM private keys live in AWS KMS, not in the database.
Children
The product isn't designed for, marketed to, or sold to anyone under sixteen. We don't knowingly hold accounts for minors.
Breach
If something goes wrong with your data we'll tell you about it — in writing, by email, with what happened, what we know, and what we're doing. No silent disclosures.
Changes
When this page changes substantively, we revise the date at the top and email subscribers a one-paragraph note describing the change.

Write to the editor

Questions about your correspondence?

Mail privacy@emcognito.com with anything — an export request, a deletion, a question about a sub-processor, a correction. We answer every one ourselves; there is no ticket queue.

About the journalFAQ