Information We Access
Mailzap requests access to your Gmail account solely to provide its core functionality. Specifically, we access:
- Email metadata — sender addresses and names from the
Fromheader of your messages (never the body content of your emails). - Message IDs — to identify which emails belong to a given sender for bulk operations.
- List-Unsubscribe headers — to automate the unsubscribe process on your behalf.
- Account email address — via the OAuth
userinfo.emailscope, used only to associate cached sender data with the correct Google account.
We do not read, store, or transmit the content of your emails. We do not access your contacts, calendar, drive, or any other Google service.
How Your Data Is Stored
All data processing happens locally on your device. Mailzap has no backend servers, no databases, and no cloud storage. Sender analytics are stored exclusively in chrome.storage.local — isolated to your browser profile and never transmitted externally.
- Sender list (email address, display name, message count, latest message ID)
- Fetch progress (0–100%) to resume interrupted scans
- OAuth token cache (with a 1-hour expiry) to avoid repeated sign-in prompts.
This data is automatically cleared when you uninstall the extension, remove the extension data via Chrome → Extensions → Details → Clear Data, or manually trigger a reload in the extension UI.
OAuth 2.0 & Permissions
Mailzap authenticates via Google OAuth 2.0 using Chrome's identity API. We request the minimum scopes required to function:
gmail.modify— to fetch message metadata, move messages to trash, send unsubscribe emails, and create filters.gmail.settings.basic— to create Gmail filters that block unwanted senders.userinfo.email— to verify which Google account is signed in and prevent cross-account data contamination.
OAuth tokens are cached locally and validated against your current Gmail account on each use. A mismatch triggers re-authentication. You may revoke access at any time via Google Account Permissions.
Actions Performed on Your Behalf
Mailzap performs Gmail operations only when you explicitly initiate them:
- Delete: Moves emails from selected senders to the Gmail Trash. Trashed emails remain recoverable for 30 days before permanent deletion by Gmail.
- Unsubscribe: Parses the
List-Unsubscribeheader or email body link and either sends an unsubscribe email via the Gmail API or opens the unsubscribe URL in a new tab. - Block: Creates a Gmail filter (from: sender → add label: Trash) so future emails are automatically trashed. Filters can be removed at any time in Gmail Settings → Filters and Blocked Addresses.
All actions are confirmed through in-extension dialogs before execution. No operation is irreversible without your explicit confirmation.
Third-Party Sharing
We do not share your data with any third party. Because Mailzap processes everything locally, there is no data to share. The extension communicates only with:
- Google's Gmail API — to read and manage your Gmail data as instructed by you.
- Google OAuth endpoints — to authenticate your identity.
- Unsubscribe URLs — opened in a browser tab at your explicit request; those third-party sites have their own privacy policies.
No analytics, crash reporting, or telemetry data is collected or transmitted.
Data Retention & Deletion
Sender data is cached in chrome.storage.local to avoid rescanning your entire inbox on every use. This cache persists until you:
- Click Reload inside the extension (clears and re-fetches).
- Uninstall the Mailzap extension from your browser.
- Clear extension storage manually via chrome://extensions → Mailzap → Details → Clear Data.
OAuth tokens expire after 1 hour and are discarded automatically. We retain no persistent authentication credentials.
Security
Mailzap is designed with a security-first approach:
- All Gmail API calls are made over HTTPS.
- The extension is fully open source — you can audit every line of code on GitHub.
- Manifest V3 compliance — no persistent background pages, service-worker model.
web_accessible_resourcesrestricted tomail.google.comonly.- No remote code execution or external script loading.
Contact
If you have questions or concerns about this Privacy Policy, please reach out at:
You may also open an issue on our GitHub repository.
Changes to This Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated effective date. Continued use of Mailzap after changes constitutes acceptance of the revised policy. We encourage you to review this page periodically.
Last Updated: July 8, 2026 • Mailzap v1.0.0