Security model
Local-first by default. Explicit when it matters.
MailRight is designed so your mail does not pass through a MailRight cloud sync service. Google account access happens directly between the desktop app and Google APIs after user consent.
Encrypted local cache
MailRight stores mail metadata and cached content in an encrypted local database on the user's device.
Credential Manager tokens
OAuth refresh tokens are stored in the Windows Credential Manager, not in source files or plaintext app config.
No hidden mail proxy
The app does not require a MailRight server to read, sync, or search your mail.
No telemetry by default
MailRight is designed without default product analytics, inbox analytics, or behavioral tracking.
Safe attachment flow
Downloads can be routed through risky-file warnings and local antivirus scanning where available.
Action safety rails
Delete, empty trash, send, and automation features should use confirmation, undo, or explicit user intent.
Phishing and link safety
Lightweight checks before heavy cloud services.
MailRight's first layer is local: sender mismatch, reply-to mismatch, lookalike links, URL shorteners, punycode, and suspicious attachments.
Optional cloud checks
Pro can add Google Web Risk URL checks where the user enables them. When enabled, MailRight should disclose that suspicious URLs may be sent to Google for a verdict, and that verdicts are cached locally so the same URL is not sent again.
- Local heuristics stay available to all users
- Web Risk is opt-in because it contacts an external service
- Risk banners explain the reason, not just the verdict
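The two layers above, as an added example in Python; this is not MailRight's code. The local heuristics run on a constructed sample message and return a reason for each finding, and the external URL lookup runs only when the user has opted in, with every verdict cached locally. Everything specific is an assumption: the sample message, the shortener and risky-extension lists, the crude registrable-domain helper, the reading of "sender mismatch" as a display name that carries a different address than the real sender, and the `cloud_lookup` callback, which stands in for a Web Risk client and is not Google's API.

```python
"""Added example, not MailRight's own code: local phishing heuristics followed by an
opt-in external URL verdict stage. Assumed for illustration: the constructed SAMPLE
message, the shortener and risky-extension lists, the crude _registrable() helper and
the cloud_lookup callback (a stand-in for a Web Risk client, not Google's API)."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumed lists; a shipping product would maintain these centrally.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk", ".bat", ".cmd", ".ps1"}
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.\w{2,4}$", re.I)
HREF_RE = re.compile(r'<a\b[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
EMBEDDED_ADDR = re.compile(r"[\w.-]+@([\w.-]+\.\w+)")


def _domain(addr):
    """Domain of the real address in 'Name <user@host>', lowercased."""
    _, a = email.utils.parseaddr(str(addr or ""))
    return a.rsplit("@", 1)[-1].lower() if "@" in a else ""


def _host(url):
    h = urlparse(url).hostname
    return h.lower() if h else ""


def _registrable(host):
    # Crude eTLD+1 (last two labels); real code would consult the public suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def local_checks(msg):
    """Run the on-device heuristics; return (reasons, urls seen in the body)."""
    reasons = []
    from_dom = _domain(msg.get("From"))
    name, _ = email.utils.parseaddr(str(msg.get("From") or ""))
    # Sender mismatch, taken here as: the display name carries an address whose
    # domain differs from the address the mail really came from.
    m = EMBEDDED_ADDR.search(name)
    if m and _registrable(m.group(1).lower()) != _registrable(from_dom):
        reasons.append(f"display name shows {m.group(1)} but sender is {from_dom}")
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and _registrable(reply_dom) != _registrable(from_dom):
        reasons.append(f"Reply-To domain {reply_dom} differs from sender {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    urls = set(URL_RE.findall(text))
    # Lookalike link: the URL shown as link text points somewhere else.
    for href, anchor in HREF_RE.findall(text):
        urls.add(href)
        shown = URL_RE.search(anchor)
        if shown and _registrable(_host(shown.group(0))) != _registrable(_host(href)):
            reasons.append(f"link text shows {_host(shown.group(0))} but points to {_host(href)}")
    for u in sorted(urls):
        h = _host(u)
        if h in SHORTENERS:
            reasons.append(f"shortened URL on {h} hides its destination")
        if h.startswith("xn--") or ".xn--" in h:  # IDNA label: possible homoglyph domain
            reasons.append(f"punycode host {h}")
    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        ext = "." + fn.rsplit(".", 1)[-1] if "." in fn else ""
        if ext in RISKY_EXT or DOUBLE_EXT.search(fn):
            reasons.append(f"suspicious attachment {fn}")
    return reasons, sorted(urls)


def assess(raw, web_risk_enabled=False, cloud_lookup=None, cache=None):
    """Local layer always; external lookup only on opt-in, with verdicts cached."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons, urls = local_checks(msg)
    if web_risk_enabled and cloud_lookup is not None:
        cache = cache if cache is not None else {}
        for u in urls:
            if u not in cache:  # the only point where a URL leaves the device
                cache[u] = cloud_lookup(u)
            if cache[u]:
                reasons.append(f"external URL check flagged {u} ({cache[u]})")
    return reasons


# Constructed sample message (not real mail) that trips every heuristic.
SAMPLE = """\
From: "support@paypal.com" <alerts@pay-pal-secure.example>
Reply-To: collect@refund-desk.example
To: user@example.com
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Verify at <a href="https://xn--pypal-4ve.example/login">https://www.paypal.com/login</a>
or https://bit.ly/3abc</p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

if __name__ == "__main__":
    fake_lookup = lambda u: "MALWARE" if "bit.ly" in u else None  # stand-in, not Web Risk
    for reason in assess(SAMPLE, web_risk_enabled=True, cloud_lookup=fake_lookup):
        print("-", reason)
```

Each reason string is what a risk banner would show, so the user sees why a message was flagged rather than only that it was. The cache is keyed by full URL and never expires here; a real implementation would give entries a TTL so a cleaned-up site is re-checked eventually.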
Google account access
OAuth permissions should match shipped features.
The private build may use broad scopes while features are under active development. Public release should request only permissions required for enabled features and explain each use in context.
| Data area | Why MailRight needs it | User control |
|---|---|---|
| Gmail | Read, organize, search, compose, send, label, archive, and sync messages. | Connect or remove accounts; remove local cache; revoke access in Google account settings. |
| Calendar | Show invites, create events from email, add Meet links, and help with availability. | Feature can be disabled if calendar workflows are not used. |
| People | Contact autocomplete and sender cards. | Contacts should be cached locally only for app functionality. |
| Drive | Attach files from Drive and save attachments to Drive. | Drive features should stay off until the user invokes them. |
| AI/translation | Summaries, proofreading, translation, and automation only after explicit user action. | Off by default, BYOK-first, provider disclosed before content leaves the device. |