Built on a quiet, encrypted foundation.
Zer0Email handles your inbox — that means we take encryption, transport security, and third-party audits seriously. Verify everything below for yourself.
Trust signals
TLS 1.3 with forward secrecy and post-quantum key exchange (X25519MLKEM768).
HSTS preload, CSP, and frame protection headers enforced at the edge.
Independent security audit required for Google API restricted scopes.
How we protect your inbox
Encryption in transit
All traffic is served over TLS 1.3. HSTS is enforced with a 2-year max-age and includeSubDomains.
OAuth-only Gmail access
We never see your Google password. Tokens are scoped, refreshable, and revocable from your Google account at any time.
Minimal data retention
Email content is processed in memory for AI tasks. We store metadata required for rules and digests, not full message bodies.
No training on your data
Your email is never used to train models — ours or any third-party provider's.
How your data flows
When you connect Gmail or Outlook, Zer0Email receives an OAuth access token scoped to the permissions you grant. We never see your password. The token is encrypted at rest using AES-256 and stored in our database. It is used exclusively to call the Gmail API or Microsoft Graph API on your behalf.
When a new email arrives, your mail provider pushes a notification to our servers (Gmail via Pub/Sub, Outlook via Graph webhooks). We fetch the relevant email headers — sender, subject, date, and thread ID — and evaluate them against your active rules. If a rule condition requires reading the message body (for keyword matching or AI classification), we fetch the body in memory, evaluate the condition, and discard it. Message bodies are never written to disk or stored in our database.
Rule actions (labeling, archiving, forwarding) are executed immediately via the same API. The entire process — from notification to action — completes in under two seconds for the vast majority of messages.
We store the following in our database: your account email address, OAuth tokens (encrypted), rule definitions you create, and action logs (sender, subject, action taken, timestamp). We do not store message bodies, attachments, or full thread content.
GDPR & data protection
Zer0Email is operated by PopPush AI. If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) including the right to access, correct, export, or delete your personal data.
Our lawful basis for processing your email account data is contractual necessity — you connect your mailbox specifically to receive the automation service. AI classification features rely on the same basis.
We use the following sub-processors to operate the service: Microsoft Azure (infrastructure and database, hosted in the EU), Google Cloud (Pub/Sub notifications), and Zoho (email). Each sub-processor is bound by a Data Processing Agreement consistent with GDPR Article 28.
To exercise your data rights or submit a deletion request, email founder@zer0email.com. We will respond within 30 days.
Breach notification policy
In the event of a confirmed security incident affecting personal data, we will notify affected users within 72 hours of becoming aware of the breach. Notification will be sent to the email address associated with your account and will include: a description of the nature of the breach, the categories of data affected, the likely consequences, and the measures we have taken or propose to take.
Where required by law, we will also notify the relevant supervisory authority within the same 72-hour window.
Responsible disclosure
If you believe you have found a security vulnerability in Zer0Email, we encourage responsible disclosure. Email us a description of the issue, reproduction steps, and any relevant evidence. We will acknowledge receipt within 48 hours and aim to resolve confirmed issues within 14 days. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it.