Privacy Policy

Last updated: April 22, 2026

Serif ("we", "our", or "the app") is an email client for Gmail, available on macOS and iOS. This policy explains what data we access, how we handle it, and your rights.

1. Data We Access

When you sign in with your Google account, Serif requests access to the following through Google OAuth 2.0:

• Gmail data — your emails, threads, labels, attachments, and settings, to display and manage your inbox.
• Profile information — your name, email address, and profile picture, to identify your account within the app.
• Contacts (read-only) — your Google contacts, to provide autocomplete when composing emails.

2. Data Stored on Your Device

All your data is stored locally on your device:

• OAuth tokens — encrypted with AES-256-GCM and stored locally to keep you signed in.
• Email cache — emails and threads are cached locally for offline access and performance.
• Account metadata — your name, email, profile picture URL, preferences (theme, accent color), and email templates.
• Attachments & images — cached locally for faster loading.

This data never leaves your device except to communicate directly with Google's servers.

3. Push Notifications (iOS)

On iOS, Serif uses Firebase Cloud Messaging (FCM) to deliver push notifications for new emails. To enable this, the following is sent to Google Firebase:

• Your device push token
• Notification preferences
• Device name and platform

This data is used solely for delivering notifications and is not shared with any other party.

4. Tracking Protection

Serif includes a built-in email tracker blocker that detects and removes tracking pixels and redirect links from known email marketing and analytics services. This runs entirely on your device.

5. Auto-Updates (macOS)

On macOS, Serif checks for updates via Sparkle. This involves a standard HTTP request to download the update feed. No personal data is transmitted during this process.

6. No Analytics, No Ads

Serif does not collect analytics, usage data, or telemetry. There are no ads in the app. We do not use any third-party analytics services.

7. No Server-Side Storage

Serif does not operate its own backend servers. Your emails, contacts, and personal data are exchanged directly between your device and Google's APIs. We have no access to your data.

8. Data Retention & Deletion

All locally stored data is removed when you sign out of the app or delete it from your device. On iOS, Firebase notification data is cleaned up on sign-out.

You can revoke Serif's access to your Google account at any time from your Google Account permissions.

9. Children's Privacy

Serif is not directed at children under 13. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date.

11. Contact

If you have any questions about this policy, contact us at dev.genyus@gmail.com.