Privacy Policy

• No ads. No tracking. No selling your data. No AI training on your content.
• We collect what we need to run the services and bill you, nothing else.
• You can export your mail at any time (over IMAP) and delete your account at any time from account settings.

Account information. Your yeil address, a hashed password (we can't read it), your display name, and any recovery info you give us (recovery email, the salt used to derive your recovery phrase, passkey credentials, TOTP secrets). Active sessions are tracked by an opaque token; you can see and revoke them from your account's Security page.

Your content. The actual stuff you put into yeil:

• Mail. Messages you send, receive, draft, and store, plus attachments, filters, signatures, and vacation responder text.
• DNS. Zones you own and the records on them.
• Team. Team name, domain ownership, member list, group/role assignments, billing arrangement.

Billing information. For paid plans we store a Stripe customer ID and subscription metadata (plan, status, period end). We don't see or store your card details; Stripe does.

Operational logs. We run standard service logs for the apps and infrastructure that help us operate yeil, debug issues, and investigate abuse. We avoid retaining anything we don't need.

We use what we collect to:

• deliver the services to you (the obvious one)
• authenticate you and protect your account
• charge you for paid plans
• investigate abuse and respond to security issues
• communicate with you about the services (transactional email)
• comply with the law

We do not use your content for advertising, sell it, share it with data brokers, or use it to train AI models, ours or anyone else's.

All yeil apps and storage run on hardware we own in our own datacenter. The only third party that sees any of your personal data is:

• Stripe for payments. Stores your card and billing address; we never receive those.

A few other third parties handle network-level concerns that don't involve user content: TCP forwarding for the public mail edges, and the two authoritative DNS nameservers. The full list with details is on our subprocessors page. When we add or change one we update that page; for material changes we'll also surface a notice next time you sign in.

We retain different categories of data for different lengths of time:

• Account data (your address, profile, security settings, recovery info): while your account is active. On account deletion, removed within 30 days, with backups aging out within an additional 60 days.
• Mail content: while your account is active. Messages you move to Trash are automatically purged after 30 days. On account deletion, removed within 30 days, with backups aging out within an additional 60 days.
• DNS records: while you own the zone. Deleted zones are removed immediately; the dns-server cache may serve the old records for up to the configured TTL.
• Billing records (invoices, payment history): retained for the period applicable US tax law requires (currently 7 years).
• Operational logs (delivery, request, authentication): around 30 days, except where a specific investigation requires holding them longer.
• Abuse signals (records associated with TOS or AUP violations): retained as long as needed to enforce against repeat offenders or comply with the law.

Some of this you can do yourself; some needs us:

• View and edit profile, recovery email, passkeys, two-factor settings, and app passwords from your account settings at account.yeil.app. Mail filters, signature, and vacation reply live in mail settings.
• Export your mail over IMAP using a yeil app password. (DNS and team data don't have a dedicated export path yet.)
• See everything we hold on you under account.yeil.app/security/data, with a JSON download for portability.
• Account deletion is self-serve at account.yeil.app/security/delete-account. Cancels subscriptions, deletes personal data, and signs you out. If you'd rather we do it, email legal@yeil.org.

We aim to respond to verifiable requests within 30 days. If we need more time, we'll let you know.

If you're in the EU or UK, GDPR gives you rights of access, rectification, erasure, restriction, portability, and objection, plus the right to lodge a complaint with your local data protection authority. If you're a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or another US state with a comprehensive privacy law, you have similar rights under that law: broadly, you can ask us to show you what we hold, correct it, delete it, or stop processing it for certain purposes. We don't sell personal information.

Passwords are hashed with a memory-hard password-hashing function. Sessions ride in httpOnly, same-site cookies. Recovery phrases are derived from user-supplied entropy and never stored; the salt we keep alone isn't enough to recover them.

Transport is TLS everywhere it's available, including inbound and outbound SMTP. Mail bodies and snippets are encrypted at rest with a per-message authenticated-encryption key, sealed to your asymmetric public key. The private key needed to unseal that is itself wrapped under a master key derived from your password (with a recovery-phrase path for password resets), so we can't decrypt your mail without your credentials. While you're signed in, our servers temporarily hold the unwrapped keys (encrypted to your session token) so we can render and search your mail for you; once you sign out, what we store on disk is opaque to us. The specific algorithms we use are current industry-standard primitives and may be upgraded over time without notice as a security matter.

Message headers (sender, recipient, subject, dates) are stored in plaintext for indexing and folder operations. Two open problems we haven't solved yet: end-to-end encryption of headers, and end-to-end encryption of the brief in-memory plaintext at the mail edge as messages cross between the public internet and your mailbox.

Breach notification. If we discover a security incident that affects your personal data, we'll notify you (and any required authority) without undue delay. Where applicable law sets a specific deadline (GDPR Article 33, for example, sets 72 hours), we'll meet it. The notice will include what we know about what happened, what data is involved, what we're doing about it, and what you can do to protect yourself.

No system is perfectly secure. If you discover a vulnerability, please email security@yeil.org.

We use a small number of cookies for sign-in: a session token that keeps you signed in, and a short-lived cookie that carries state during the two-factor authentication step. Both are httpOnly, same-site, and expire when their purpose is over. We don't use analytics cookies, advertising pixels, or third-party trackers anywhere in the apps. In mail, we strip external tracking pixels from incoming messages by default.

You must be at least 18 to use yeil. We don't knowingly collect data from anyone younger. If you believe a minor has signed up, let us know and we'll delete the account.

We'll update this page when we change practices. The “last updated” date at the top tells you when it last changed. For material changes we'll surface a notice the next time you sign in.

Questions, requests, or complaints? legal@yeil.org.

yeil
2 Main St #1402
Sparta, NJ, USA