Legal

Privacy Policy

Last updated: March 2026  ·  Effective immediately

🔒
The short version

We do not store your emails, email content, or personal data. Everything happens in real-time in your browser session and is discarded the moment you leave. We have nothing to sell and nothing to leak.

What we access

When you sign in with Google, we request read-only OAuth access to your Gmail account. This lets us fetch the From and List-Unsubscribe headers from your recent emails so we can identify senders.

We never read the body or subject of your emails. We never access attachments, contacts, calendar data, or any other Google service.

What we store

Nothing. We do not have a database. We do not write your email addresses, sender lists, or any scan results to disk or any storage system.

Your scan results exist only in your browser's memory for the duration of your session. When you close the tab or sign out, that data is gone.

  • No emails stored
  • No sender lists stored
  • No user profiles or accounts stored
  • No analytics or behavioural tracking

How unsubscribing works

When you click Unsubscribe, our server acts as a proxy and sends a request to the unsubscribe URL embedded in that email's headers, either a direct https:// link or a mailto: address. We do not log these requests or associate them with your identity.

We do not submit unsubscribe forms on your behalf beyond what the email's own header instructs.

How email deletion works

When you choose to delete emails from a sender, we call the Gmail API on your behalf to move those messages to Trash. We act only on your explicit instruction, and only within the scope of the read/write access you granted.

We do not keep a log of which senders you deleted or how many emails were removed.

Authentication & tokens

We use NextAuth to manage your Google sign-in. Your OAuth access token is stored in a short-lived, encrypted session cookie in your browser. It is never written to a database or sent to any third party.

The token expires when your session ends. You can revoke our access at any time from your Google account permissions page.

Third-party services

  • Google OAuth: for authentication and Gmail API access
  • Vercel: for hosting (no user data is logged by our configuration)

We do not use advertising networks, tracking pixels, or analytics SDKs.

Children's privacy

UnsubSpam is not directed at children under 13. We do not knowingly collect any information from children.

Changes to this policy

If we make material changes we will update the date at the top of this page. Continued use of UnsubSpam after changes constitutes acceptance of the updated policy.

Contact

Questions? Reach us at hello@unsubspam.com. We'll respond as humans, not bots.

© 2026 UnsubSpamBack to home →