Security

Built on a quiet, encrypted foundation.

Zer0Email handles your inbox — that means we take encryption, transport security, and third-party audits seriously. Verify everything below for yourself.

Trust signals

How we protect your inbox

Encryption in transit

All traffic is served over TLS 1.3. HSTS is enforced with a 2-year max-age and includeSubDomains.

OAuth-only Gmail access

We never see your Google password. Tokens are scoped, refreshable, and revocable from your Google account at any time.

Minimal data retention

Email content is processed in memory for AI tasks. We store metadata required for rules and digests, not full message bodies.

No training on your data

Your email is never used to train models — ours or any third-party provider's.

How your data flows

When you connect Gmail or Outlook, Zer0Email receives an OAuth access token scoped to the permissions you grant. We never see your password. The token is encrypted at rest using AES-256 and stored in our database. It is used exclusively to call the Gmail API or Microsoft Graph API on your behalf.

When a new email arrives, your mail provider pushes a notification to our servers (Gmail via Pub/Sub, Outlook via Graph webhooks). We fetch the relevant email headers — sender, subject, date, and thread ID — and evaluate them against your active rules. If a rule condition requires reading the message body (for keyword matching or AI classification), we fetch the body in memory, evaluate the condition, and discard it. Message bodies are never written to disk or stored in our database.

Rule actions (labeling, archiving, forwarding) are executed immediately via the same API. The entire process — from notification to action — completes in under two seconds for the vast majority of messages.

We store the following in our database: your account email address, OAuth tokens (encrypted), rule definitions you create, and action logs (sender, subject, action taken, timestamp). We do not store message bodies, attachments, or full thread content.

GDPR & data protection

Zer0Email is operated by PopPush AI. If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) including the right to access, correct, export, or delete your personal data.

Our lawful basis for processing your email account data is contractual necessity — you connect your mailbox specifically to receive the automation service. AI classification features rely on the same basis.

We use the following sub-processors to operate the service: Microsoft Azure (infrastructure and database, hosted in the EU), Google Cloud (Pub/Sub notifications), and Zoho (email). Each sub-processor is bound by a Data Processing Agreement consistent with GDPR Article 28.

To exercise your data rights or submit a deletion request, email founder@zer0email.com. We will respond within 30 days.

Breach notification policy

In the event of a confirmed security incident affecting personal data, we will notify affected users within 72 hours of becoming aware of the breach. Notification will be sent to the email address associated with your account and will include: a description of the nature of the breach, the categories of data affected, the likely consequences, and the measures we have taken or propose to take.

Where required by law, we will also notify the relevant supervisory authority within the same 72-hour window.

Responsible disclosure

If you believe you have found a security vulnerability in Zer0Email, we encourage responsible disclosure. Email us a description of the issue, reproduction steps, and any relevant evidence. We will acknowledge receipt within 48 hours and aim to resolve confirmed issues within 14 days. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it.