Short version: Voilo Mail does not collect, store, sell, or share your emails or personal data with anyone. Your messages live exclusively on the IMAP server you connect to (Gmail, Outlook, your own server, etc.) and are passed through Voilo only when you request them.
1. Who we are
Voilo Mail ("we", "us") is an email client web application operated under the voilo.eu domain. Our service allows users to access existing email accounts (Gmail, Outlook/Microsoft, iCloud, custom IMAP servers, etc.) through a unified, modern web interface.
2. Data we access
To deliver email functionality, Voilo Mail accesses, on your behalf and only at your request:
Email account credentials — either via OAuth tokens (Google, Microsoft) or via username/password (other IMAP providers). Credentials are stored encrypted (AES-256-GCM) and used solely to maintain your IMAP/SMTP connection.
Email message content — subject, sender, recipient, body, attachments, dates, and headers. This is fetched on-demand from your provider's IMAP server and rendered in your browser.
User profile preferences — display name, signature, vacation auto-reply, language, theme. Stored only on the server tied to your account.
3. What we do NOT do
We do not read, scan, parse, train AI on, or otherwise process the content of your emails for any purpose other than displaying them to you.
We do not share, sell, rent, or transfer your data to any third party.
We do not serve advertisements based on your email content.
We do not track you across other websites.
4. OAuth-specific (Google, Microsoft)
When you sign in with Google or Microsoft, we receive an access token and a refresh token from the provider. These tokens are used exclusively to fetch and send emails on your behalf via IMAP/SMTP through the providers' standard endpoints (imap.gmail.com, outlook.office365.com, etc.).
Voilo Mail's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
5. Data storage and retention
Email content: never persisted on our servers. Fetched live from your provider on each request.
OAuth tokens: stored encrypted on our server for the duration of your session. You can revoke them at any time via the provider (Google permissions, Microsoft permissions).
Profile preferences: kept until you explicitly delete your account or stop using Voilo Mail.
6. Security
All connections use TLS 1.2 or higher. Credentials are encrypted with AES-256-GCM before being stored. JWT session tokens are signed with HMAC-SHA256 and rotate automatically. Passwords sent to our servers are validated against your IMAP provider directly — we never check them ourselves.
7. Cookies and tracking
Voilo Mail uses localStorage for your session token, language preference, theme, saved accounts (encrypted), and confirmation prompt preferences. We do not use third-party analytics, tracking pixels, or marketing cookies.
8. Your rights (GDPR / similar regimes)
You have the right to:
Access the data we hold about you (which is limited to your encrypted credentials and profile preferences);
Request deletion of your account and associated data;
Revoke OAuth permissions at any time via the provider;
Export your data in a machine-readable format on request.