Legal

Privacy Policy

How we collect, use, and protect your information.

Last updated: May 1, 2026

1. Information we collect

Account information

When you create a RokMail account, we collect your name, email address, and password (hashed with bcrypt). If you sign up via Google or Microsoft OAuth, we receive your name and email from those providers — we never see your OAuth provider password.

Organisation and email credentials

To connect your mailbox, you provide SMTP and IMAP credentials. Passwords and tokens are encrypted at rest using AES-256 before being stored in our database. We do not store plaintext credentials.

Email content

We process email content (subject, body, attachments) to route messages to the correct alias. Email bodies are stored in Cloudflare R2 object storage (or your MongoDB cluster if R2 is not configured). We do not read your emails for advertising purposes.

Usage data

We collect aggregate usage metrics (number of emails processed, feature usage) to improve the product. We do not build individual behavioral profiles for advertising.

2. How we use your information

  • To operate the RokMail service — routing emails, managing aliases, sending outbound mail via SMTP/SES
  • To authenticate you and your team members
  • To send transactional emails (invitation links, billing receipts, password reset)
  • To provide customer support when you contact us
  • To detect and prevent abuse, fraud, and security threats
  • To comply with applicable laws and legal obligations

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

3. AI processing

RokMail uses Gemini AI (Google) as a fallback routing tier. When deterministic rules cannot route an email, we send the email subject and the first 200 characters of the body to Gemini for classification. Attachments and full email bodies are never sent to AI providers. Google's data handling for Gemini API calls is governed by their API terms of service.

4. Data sharing

We share your data only with the following categories of service providers, under data processing agreements:

  • MongoDB Atlas — primary database (metadata, credentials)
  • Cloudflare R2 — email body and attachment storage
  • AWS SES — outbound email delivery
  • Google (Gemini API) — AI routing classification (subject + 200-char body excerpt only)
  • Razorpay — payment processing (we never store full card numbers)

We may disclose your information if required by law, court order, or to protect the rights and safety of RokMail, its users, or the public.

5. Data retention

We retain your account and email data for as long as your account is active. If you cancel your account, we delete your data within 30 days, except where we are legally required to retain it longer (e.g. billing records for tax compliance, which are kept for 7 years).

Email content stored in R2 or MongoDB follows the same 30-day post-cancellation deletion schedule. Aggregate anonymised metrics may be retained indefinitely.

6. Security

We take security seriously:

  • All data in transit is encrypted via TLS 1.2+
  • SMTP/IMAP passwords and OAuth tokens are AES-256 encrypted at rest
  • User passwords are hashed with bcrypt (cost factor 10+)
  • JWT tokens are signed with HS256 and expire after 7 days
  • We perform regular dependency audits and apply security patches promptly

No system is perfectly secure. If you discover a vulnerability, please disclose it responsibly to security@rokmail.com.

7. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Export your data in a portable format
  • Object to or restrict certain processing

To exercise any of these rights, email us at privacy@rokmail.com. We will respond within 30 days.

8. Cookies

RokMail is a web application that uses localStorage (not cookies) to store your authentication token client-side. We do not use advertising cookies or third-party tracking pixels. If you use our marketing website, we may set essential session cookies to remember your preferences.

9. Children

RokMail is not directed at children under 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, contact us at privacy@rokmail.com and we will delete it promptly.

10. Contact us

If you have questions about this Privacy Policy or our data practices, contact us at:

RokMail, Inc.
privacy@rokmail.com

We may update this policy from time to time. We will notify you of material changes via email or an in-app notice at least 14 days before they take effect.