Email is sensitive by nature. Patriot Mail is designed with that in mind. This page explains what we do to protect your credentials, your email content, and your privacy.
Credential protection
How you connect depends on your email provider, and we use the most secure method available for each one.
- OAuth providers (Gmail, Outlook, Yahoo). We use the official OAuth 2.0 flow. You sign in directly with your provider. Patriot Mail receives a limited access token but never sees your actual password.
- App-specific passwords (iCloud, others). Some providers do not support OAuth for third-party clients. In these cases, you create an app-specific password through your provider, which you can revoke anytime without changing your main password.
- IMAP/SMTP credentials. For custom or self-hosted setups, credentials are stored in encrypted session state and protected by HTTP-only cookies. They are not logged, not exposed to browser JavaScript, and not retained beyond your session.
How your email is handled
Patriot Mail is a client, not a mail server. We connect to your existing provider using standard protocols (IMAP, SMTP) or official APIs.
- No permanent server storage. Your email messages and attachments are not stored on our servers. We fetch them from your provider when you open the app and stream them to your device.
- Optional local caching. To improve speed, Patriot Mail can cache recent messages on your device using browser storage. This cache stays on your device, is not sent back to us, and can be cleared or disabled in settings.
- Session state only. We keep only what is needed to maintain your session: account configuration, preferences, and connection recovery data. No full mailbox copies.
Encryption in transit
All network communication is encrypted. There are no exceptions.
- Browser to Patriot Mail. All connections use HTTPS with TLS 1.3 minimum, enforced via HSTS. Older or unencrypted connections are rejected.
- Patriot Mail to your email provider. Backend connections to Gmail, Outlook, Yahoo, iCloud, and other providers use TLS-protected channels (implicit TLS or STARTTLS where required).
- Internal services. Communication between our application components runs over verified TLS paths within Cloudflare infrastructure.
Content sanitization
Email can contain malicious content. Before any HTML email reaches your screen, it is sanitized to remove potentially harmful elements.
- DOMPurify sanitization. All email HTML passes through DOMPurify, a trusted library that strips scripts, event handlers, and other dangerous payloads.
- Strict Content Security Policy. The app enforces a strict CSP that blocks inline scripts, eval, and other common attack vectors. Even if malicious content somehow reached the page, the browser would refuse to execute it.
- Image and link handling. External images are loaded through standard browser requests. Links are validated to reject dangerous protocols like javascript: or data: URLs.
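The link rule above, as an added example that is not Patriot Mail's own code: an allowlist check on the href scheme. It relies on the WHATWG URL parser (available in browsers and Node), which strips leading and trailing whitespace and every ASCII tab or newline before reading the scheme, so obfuscated forms such as "java\tscript:" still resolve to the javascript: scheme and are rejected. The allowed-scheme set, the function names and the sample hrefs are this example's assumptions.

```javascript
// Added example (not Patriot Mail's code): allowlist-based href validation.
// Only these schemes survive; everything else (javascript:, data:, vbscript:,
// unknown or unparsable values) is dropped. The set is an assumption here.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the normalised href when it uses an allowed scheme, otherwise null.
function safeHref(rawHref) {
  if (typeof rawHref !== "string") return null;
  let url;
  try {
    // No base URL on purpose: a relative href has no meaning inside an email
    // rendered by a client, so it fails to parse and is dropped.
    url = new URL(rawHref);
  } catch {
    return null;
  }
  // url.protocol is already lower-cased and stripped of tabs/newlines, so the
  // mixed-case and whitespace-padded variants below all compare as "javascript:".
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Applies safeHref to a list of hrefs and reports what was kept and dropped,
// so a rendering layer can turn rejected links into plain text.
function filterHrefs(hrefs) {
  const kept = [];
  const dropped = [];
  for (const href of hrefs) {
    const safe = safeHref(href);
    if (safe === null) dropped.push(href);
    else kept.push(safe);
  }
  return { kept, dropped };
}

// Constructed sample hrefs: the first three are what an ordinary message
// carries, the rest mimic obfuscated payloads a hostile email might contain.
const SAMPLE_HREFS = [
  "https://Example.com/unsubscribe",
  "http://example.com/view",
  "mailto:support@example.com",
  "javascript:alert(document.cookie)",
  "JaVaScRiPt:alert(1)",
  "\tjava\nscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "vbscript:MsgBox(1)",
  "/relative/path",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(filterHrefs(SAMPLE_HREFS));
}
```

In a client that sanitizes with DOMPurify, a check like safeHref belongs in an afterSanitizeAttributes hook, applied to the href of every anchor after the library has removed scripts and event handlers; the allowlist then decides what a link may point to, rather than a blocklist trying to enumerate dangerous schemes.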
Session security
Your session is protected by multiple layers to prevent unauthorized access.
- HTTP-only cookies. Session tokens are stored in HTTP-only cookies that cannot be accessed by JavaScript, protecting against cross-site scripting attacks.
- CSRF protection. Requests are validated using Sec-Fetch headers to prevent cross-site request forgery.
- Server-side enforcement. All access control decisions happen on the server. The client UI shows or hides elements for usability, but the server always verifies permissions before acting.
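The Sec-Fetch check mentioned above, as an added example that is not Patriot Mail's own code: a Fetch Metadata policy written as a plain function over a lower-cased header map (the shape Node's req.headers has) plus a wrapper that enforces it before a handler runs. The policy choices are this example's assumptions: same-origin requests and browser-initiated ones (Sec-Fetch-Site: none) pass for every method; same-site and cross-site requests pass only as top-level GET/HEAD navigations, so a link into the app still works while a foreign page cannot trigger a state change; a request with no Sec-Fetch-Site header fails closed unless the method is safe.

```javascript
// Added example (not Patriot Mail's code): CSRF defence from Fetch Metadata
// request headers. Methods that must never change state on the server.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// headers: object with lower-cased keys, as in Node's IncomingMessage.headers.
function fetchMetadataAllows(method, headers) {
  const m = method.toUpperCase();
  const site = headers["sec-fetch-site"];
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"];

  // Header absent: a very old browser or a non-browser tool. Reads are allowed
  // (a cross-site reader cannot see the response because of the same-origin
  // policy); anything that could change state is rejected (fail closed).
  if (site === undefined) return SAFE_METHODS.has(m);

  // Requests from our own origin, or started by the user (typed URL, bookmark).
  if (site === "same-origin" || site === "none") return true;

  // same-site or cross-site: accept only a user-visible top-level navigation
  // with a safe method. A click on a link produces navigate + document;
  // fetch()/XHR calls and form posts from a foreign page do not qualify.
  const isTopLevelNavigation = mode === "navigate" && dest === "document";
  return isTopLevelNavigation && SAFE_METHODS.has(m);
}

// Wraps a (req, res) handler: rejected requests get 403 and never reach it.
function withFetchMetadataCheck(handler) {
  return (req, res) => {
    if (!fetchMetadataAllows(req.method, req.headers)) {
      res.statusCode = 403;
      res.end("cross-site request rejected");
      return;
    }
    return handler(req, res);
  };
}

// Constructed sample requests showing the four situations the policy separates.
const SAMPLE_REQUESTS = [
  { method: "POST", headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } },
  { method: "POST", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  { method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  { method: "POST", headers: {} },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of SAMPLE_REQUESTS) {
    console.log(r.method, r.headers["sec-fetch-site"] ?? "(absent)", fetchMetadataAllows(r.method, r.headers));
  }
}
```

The check only holds if the server keeps its side of the bargain: GET and HEAD handlers must not change state, since a cross-site top-level GET is deliberately let through so that links into the app keep working. It also complements rather than replaces the HTTP-only session cookie above; the cookie keeps the token away from scripts, the Sec-Fetch check keeps foreign pages from using the browser's copy of it.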
Infrastructure
Patriot Mail runs on trusted, security-focused infrastructure.
- Cloudflare edge. Traffic passes through Cloudflare, which provides DDoS protection, TLS termination, and edge caching for static assets.
- Vercel serverless. Application logic runs on Vercel serverless functions with automatic scaling and isolation between requests.
- Encrypted storage. When server-side persistence is enabled, data is stored in Cloudflare Workers KV and Durable Objects, both encrypted at rest using Cloudflare-managed keys.
What we do not do
Some things we intentionally avoid, because they would introduce unnecessary risk.
- We do not store your email on our servers. Your messages stay with your provider. We do not keep copies after fetching them for display.
- We do not sell or share your data. No advertising, no inbox data monetization, no third-party data brokers.
- We do not use your email to train AI models. If you use optional AI features, only the specific content you select is processed. It is not used for model training.
- We do not log email content. Technical logs capture errors and performance data, not message bodies, subjects, or personal details.
AI features and security
AI tools in Patriot Mail are optional and off by default. When you choose to use them:
- Only the content you explicitly select is sent to the AI provider.
- We configure AI services to avoid data retention and model training.
- AI providers act as processors under contractual data protection terms.
Responsible disclosure
If you believe you have found a security vulnerability, contact:
security@patriotmail.ai
Existing users can open a draft directly inside Patriot Mail; anyone else can email this address from any mail client.
When reporting, please include:
- A clear description of the issue and its impact.
- Steps to reproduce or proof-of-concept details.
- Affected browser, operating system, or environment details.
Please avoid:
- Accessing data that is not your own.
- Running destructive tests or disrupting the service.
- Publishing details before we have had a chance to respond.
Patriot Mail does not currently run a public bug bounty program, but responsible disclosures are welcomed and reviewed, especially for issues involving authentication, authorization, or data handling.
Last updated
April 14, 2026