Truepost is an email client built around the idea that your inbox should feel like a conversation, not a filing cabinet. The Truepost app is operated by Truepost, LLC (a United States limited liability company, currently being formed). The marketing site lives at truepost.com and the app itself runs at truepost.net. In this policy, "Truepost," "we," "us," and "our" mean Truepost, LLC.
Truepost is privacy-first by design. We try to hold as little of your data as possible, for as short a time as possible, and only for purposes you would reasonably expect from an email client.
To connect Truepost to your Gmail, Yahoo, or Outlook mailbox, you sign in
through your provider's OAuth2 flow. Truepost receives an OAuth access
token and refresh token from your provider. These tokens are stored
on your own device (in files named token-{email}.json)
and are used only to fetch your mail from your provider on your behalf.
We do not upload, copy, or back up those tokens to any Truepost server.
Truepost fetches your email messages — headers, bodies, attachments, folders, and labels — directly from your provider via IMAP (or, where applicable, the Gmail API) so that the app can display them. By default, email content is processed on your device and is not transmitted to Truepost-operated servers. Some lightweight metadata (such as conversation grouping, signature detection, and quote stripping) is computed locally as well.
If you opt in to crash reports or diagnostics, we may collect technical information such as app version, operating system, error stack traces, and anonymized usage counters. We do not include the contents of your email in diagnostics.
If you contact us by email, fill out a form on truepost.com, or join the beta waitlist, we collect whatever you send (your name, email address, and the contents of your message).
We use the data described above only to:
We do not sell your personal information. We do not use your email content to build advertising profiles. We do not show ads in Truepost. We do not train generic, third-party AI models on your mail.
Truepost shares your information only in these narrow cases:
Truepost uses Google APIs (including the Gmail API) to access your Google account when you choose to connect Gmail. Truepost's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
You can review and revoke Truepost's access to your Google account at any time at myaccount.google.com/permissions.
Because most Truepost data lives on your own device, deleting it is usually as simple as signing out of an account or uninstalling the app — this removes your local OAuth tokens and cached message data. For data we hold on our side (for example, support emails or diagnostics you opted in to), we retain it only as long as needed for the purpose it was collected, and then we delete or anonymize it. You can ask us to delete data we hold about you at any time using the contact information below.
We use OAuth2 and TLS for all connections to email providers, store tokens on-device, and limit access to any server-side systems we operate. No system is perfectly secure, but we follow industry practices and are actively building toward optional client-side end-to-end encryption for users who want even stronger guarantees. If we ever experience a breach that affects your personal information, we will notify you and the relevant authorities as required by law.
The marketing site at truepost.com uses only the cookies necessary for the site to function (for example, to remember that you dismissed a banner). We do not load third-party advertising trackers. The Truepost app itself uses session cookies to keep you signed in and does not run cross-site tracking pixels.
If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent laws give you specific rights over your personal data. Truepost is the "controller" of the limited personal data we hold about you.
We process your personal data on these lawful bases:
To exercise any of these rights, email privacy@truepost.com. You also have the right to lodge a complaint with your local data protection supervisory authority (for example, the CNIL in France, the ICO in the United Kingdom, or your national equivalent).
Truepost is based in the United States. Where personal data of European users is transferred to the US or other jurisdictions outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and apply additional safeguards as appropriate. You can request a copy of the relevant transfer mechanism by contacting us.
Truepost has not formally appointed a Data Protection Officer because our processing does not currently meet the GDPR thresholds that require one. For all data protection questions, contact our privacy team at privacy@truepost.com.
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information.
Truepost does not sell your personal information, and Truepost does not share your personal information for cross-context behavioral advertising. Because we do neither, there is no opt-out to exercise — but if you would still like written confirmation in your specific case, email privacy@truepost.com with the subject line "Do Not Sell or Share."
We use your email contents (which we treat as sensitive personal information) only to provide you with the Truepost service that you requested. We do not use it to infer characteristics about you and we do not disclose it for any purpose that would require a CPRA opt-out.
To exercise any California right, contact privacy@truepost.com. We will verify your request using the email account associated with your Truepost session and respond within the timelines required by law. Authorized agents may submit requests on your behalf with proof of authorization.
The current consumer version of Truepost is not a HIPAA-compliant service. Truepost, LLC is not acting as a Business Associate to any covered entity through the standard consumer tier, and we have not signed a Business Associate Agreement (BAA) with consumer-tier users. Healthcare providers, health plans, healthcare clearinghouses, and their business associates must not use the consumer tier of Truepost to create, receive, maintain, or transmit Protected Health Information (PHI) as defined by HIPAA without first signing a BAA with us.
We are actively working on a HIPAA-covered Truepost tier for healthcare customers, which will be offered under a separate Business Associate Agreement, with administrative, physical, and technical safeguards appropriate for PHI. If you are a covered entity interested in this tier, contact us at privacy@truepost.com.
Truepost is not directed to children under 13, and we do not knowingly collect personal information from children under 13, in line with the Children's Online Privacy Protection Act (COPPA). If you believe a child under 13 has provided personal information to Truepost, contact privacy@truepost.com and we will delete it. For users in the EEA and UK, we apply the equivalent local minimum age (typically 16, or as set by the user's member state).
Truepost is building optional AI-powered features such as spam detection, summarization, and suggested replies. These features are opt-in. When you enable them:
We will update this policy as Truepost evolves — for example, when we launch the HIPAA tier, add new features, or change vendors. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you in the app or by email before the changes take effect.
Questions, requests, or complaints about privacy at Truepost? We want to hear from you.
Email: privacy@truepost.com
Mailing address: Truepost, LLC
[LLC mailing address — to be filled]