Zero

Our Commitment to Privacy

At Zero, we believe that privacy is a fundamental right. Our open-source email solution is built with privacy at its core, and we're committed to being transparent about how we handle your data.

Important: Zero is a client-only email application. We DO NOT store your emails on our servers. All email data is processed directly between your browser and Gmail.

Our verified privacy commitments:

Zero Email Storage: We never store your emails - they remain in your Gmail account
Client-Side Processing: All email processing happens in your browser
Open Source: Our entire codebase is public and can be audited
Minimal Data: We only request essential Gmail API permissions
User Control: You can revoke our access to your Gmail at any time

Google Account Integration

When you use Zero with your Google Account:

We request access to your Gmail data only after receiving your explicit consent
We access only the necessary Gmail API scopes required for email functionality
Your Google account credentials are never stored on our servers
We use secure OAuth 2.0 authentication provided by Google
You can revoke our access to your Google account at any time through your Google Account settings

Data Collection and Usage

Google Services Data Handling

Email data is processed in accordance with Google API Services User Data Policy
We only process and display email data - we don't store copies of your emails
All data transmission between our service and Google is encrypted using industry-standard TLS 1.3 protocols
We maintain limited temporary caches only as necessary for application functionality, with a maximum retention period of 24 hours
Cached data is encrypted at rest using AES-256 encryption
We collect basic usage analytics (page views, feature usage) to improve the service, but this data is anonymized
Error logs are retained for 30 days to help diagnose and fix issues

Self-Hosted Instances

When you self-host Zero, your email data remains entirely under your control
No data is sent to our servers or third parties without your explicit consent
You maintain complete ownership and responsibility for your data
We provide detailed documentation on secure self-hosting practices
You can configure your own data retention and backup policies
Optional telemetry can be enabled to help us improve the platform

Data Processing Locations

All data processing occurs in secure data centers in the United States
Self-hosted instances can choose their own data processing location
We comply with international data transfer regulations
Data processing agreements are available for enterprise users

Data Protection and Security

Security Measures

End-to-end encryption for all email communications using industry-standard protocols
Secure OAuth 2.0 authentication for Google services with strict scope limitations
Regular third-party security audits and penetration testing
Open-source codebase for transparency and community security review
Compliance with Google API Services User Data Policy and security requirements
Real-time monitoring for suspicious activities and potential security threats
Automated security patches and dependency updates

Infrastructure Security

All servers are hosted in SOC 2 Type II certified data centers
Network-level security with enterprise-grade firewalls
Regular backup and disaster recovery testing
Multi-factor authentication required for all administrative access
Encryption at rest for all stored data using AES-256

Security Response

24/7 security incident response team
Bug bounty program for responsible security disclosure
Incident response plan with clear notification procedures
Regular security training for all team members

Google User Data Handling

Data Access and Usage

We access the following Google user data through the Gmail API:
- Email content and attachments
- Email metadata (subject, dates, recipients)
- Labels and folder structure
- Basic profile information
This data is used exclusively for providing email functionality within Zero
No Google user data is used for advertising, marketing, or profiling purposes
We maintain detailed audit logs of all data access for security and compliance
Access to user data is strictly limited to essential personnel

Data Sharing and Transfer

Google user data is never shared with third parties except as required for core service functionality
When necessary, we only work with service providers who comply with Google API Services User Data Policy
All service providers are bound by strict confidentiality agreements
We maintain a current list of all third-party service providers with access to Google user data
Data sharing agreements are reviewed annually
Users are notified of any material changes to our data sharing practices

Data Retention and Deletion

Email data is processed in real-time and not permanently stored
Temporary caches are automatically cleared after 24 hours
Users can request immediate deletion of their cached data
Account deletion process:
- All user data is immediately marked for deletion
- Cached data is purged within 24 hours
- Audit logs are retained for 30 days then permanently deleted
- Backup data is removed within 7 days
We provide a data export tool for users to download their settings

User Rights and Controls

Right to access: Request a copy of your data
Right to rectification: Correct inaccurate data
Right to erasure: Request deletion of your data
Right to restrict processing: Limit how we use your data
Right to data portability: Export your data
Right to object: Opt-out of certain data processing

Limited Use Disclosure

Our use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Your Rights and Controls

Right to revoke access to your Google account at any time
Right to request deletion of any cached data
Right to export your data
Right to lodge complaints about data handling

Contact

For privacy-related questions or concerns:

[email protected]Open an issue on GitHub

Updates to This Policy

We may update this privacy policy from time to time. We will notify users of any material changes through our application or website.