Privacy Policy
Last updated: 2026-04-14
1. Data Controller
Kotekorbya Technologies di Jacopo Di Pumpo
VAT / P.IVA: IT14253050968
General inquiries: contact@imap.pm
Data Protection Officer (DPO): dpo@imap.pm
imap.pm is an email routing service that connects IMAP mailboxes to messaging platforms (Telegram, Discord, webhooks). This privacy policy explains what data is processed, how it is handled, and your rights regarding that data.
Kotekorbya Technologies di Jacopo Di Pumpo (“we”, “us”, “the Controller”) is the data controller (responsabile del trattamento) for all personal data processed through imap.pm, pursuant to EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended.
2. Data We Process
2.1 Email Content
When a new email arrives in a monitored IMAP mailbox, imap.pm reads the following from the mail server:
- Sender address (From header)
- Recipient addresses (To, Cc headers)
- Subject line
- Date and time
- Message body (plain text and/or HTML)
- Attachments (file name, size, content type, binary data)
- Message UID (unique identifier on the IMAP server)
Processing: Email content is forwarded in real time to the configured destination (Telegram chat, Discord channel, webhook endpoint). The email body is truncated to platform limits (4,096 characters for Telegram). Attachments up to 20 MB are forwarded.
Storage: Email content is not stored persistently on the imap.pm server. When mail previews are enabled, a temporary encrypted cache may be created with a configurable TTL (default: 8 hours). Cached previews can be permanently destroyed by the user via PIN.
2.2 IMAP Credentials
- IMAP server address — stored in plaintext (e.g. mail.example.com:993)
- IMAP username — stored in plaintext
- IMAP password — encrypted at rest using a server-side secret key. Can optionally be revealed by the account owner after re-authentication, but will never be shown again if access to the account is obtained by password reset.
2.3 Admin User Accounts
- Username — stored in plaintext
- Password — stored as a cryptographic hash (not reversible)
- Role (owner/viewer) and account access scope
- Theme preference (light/dark)
2.4 Message UID Tracking
To avoid re-sending previously forwarded emails, imap.pm stores the UID (unique identifier) of each processed message. UIDs are numeric identifiers assigned by the IMAP server and do not contain email content.
2.5 Destination Configuration
- Telegram bot tokens (stored in plaintext, masked in the UI)
- Discord webhook URLs
- Custom webhook endpoints
- Telegram chat IDs, Discord channel identifiers
2.6 IP Addresses
IP addresses are processed for rate limiting on the mail preview destroy feature (PIN verification). They are stored in memory only and are not persisted to disk. No IP-based tracking or analytics is performed.
2.7 Failure Logs
A rolling buffer of up to 200 failure log entries is maintained in memory. Entries include: timestamp, HTTP status code, request path, and error message. Log entries may contain email addresses from failed operations. Logs are not persisted to disk and are lost on server restart.
3. How Data is Used
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email content | Forwarding to configured destination | Legitimate interest / consent of mailbox owner |
| IMAP credentials | Connecting to mail server | Contract performance |
| Admin credentials | Authentication and access control | Contract performance |
| Message UIDs | Preventing duplicate delivery | Legitimate interest |
| IP addresses | Rate limiting (anti-abuse) | Legitimate interest |
| Failure logs | Debugging and operational monitoring | Legitimate interest |
4. Third-Party Services
imap.pm transmits data to the following third-party services as configured by the administrator:
| Service | Data Transmitted | Purpose |
|---|---|---|
| Telegram Bot API | Message text, attachments, chat ID | Delivering email notifications to Telegram |
| Discord Webhooks | Message text, attachments, channel ID | Delivering email notifications to Discord |
| Custom Webhooks | Message JSON payload | Delivering email notifications to user-configured endpoints |
| Google Fonts | Browser IP, user agent (client-side) | Loading web fonts for the admin interface |
The IMAP connection is made directly to the mail provider specified by the user. imap.pm does not proxy IMAP traffic through any third party.
5. Data Retention
| Data | Retention Period |
|---|---|
| Email content (forwarded) | Not stored. Forwarded in real time and discarded. |
| Mail preview cache | Configurable TTL (default 8 hours). Destroyed on PIN request or expiry. |
| Message UIDs | Indefinite (required to prevent re-sending). Deleted when account is removed. |
| IMAP credentials | Until the account is deleted by the admin. |
| Admin user accounts | Until deleted by an owner. |
| Subscription metadata (plan/customer/subscription IDs, billing status) | Stored while account is active and retained for compliance and accounting requirements. |
| Planless/expired account deadline data | Up to 2 months grace window before account expiry, shown live in the admin profile for GDPR transparency. |
| Short links | Configurable TTL (1 day to 1 year, or indefinite). |
| Failure logs | In-memory only. Rolling buffer of 200 entries. Lost on restart. |
| Session cookies | 24 hours. |
If no plan is selected, or if a subscription expires/cancels, the account remains viewable in admin with a live deadline countdown and expires after a grace period (2 months) unless a valid plan is added. This retention/expiry mechanism is applied to satisfy GDPR data minimization and storage limitation principles.
6. Data Security
- IMAP passwords are encrypted at rest using a server-side secret key file
- Admin passwords are stored as irreversible cryptographic hashes
- Mail preview tokens are encrypted and time-limited
- HTML email content is sanitized and rendered in sandboxed iframes
- Admin session cookies are HttpOnly and Secure (configurable)
- PIN verification is rate-limited per IP to prevent brute-force attacks
- Bot tokens and webhook URLs are masked in the admin interface
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation:
- Right of Access — Request a copy of the personal data held about you
- Right to Rectification — Request correction of inaccurate data
- Right to Erasure — Request deletion of your data. For IMAP accounts, this means removing the synced account. For admin users, this means deleting the user account. For mail previews, use the PIN-protected destroy feature.
- Right to Data Portability — Request your data in a structured, machine-readable format
- Right to Object — Object to processing of your data
- Right to Restrict Processing — Request that processing be paused (use the “Pause syncing” feature)
To exercise these rights, contact the administrator of the imap.pm instance you are using.
8. No Analytics or Advertising
imap.pm does not use any analytics services, tracking pixels, advertising networks, or behavioral profiling. No data is sold or shared with data brokers.
9. International Transfers
Data is processed on the server where imap.pm is deployed. Email content is transmitted to third-party messaging platforms (Telegram, Discord) whose servers may be located in different jurisdictions. The administrator is responsible for ensuring appropriate data transfer mechanisms are in place.
10. Children
imap.pm is not intended for use by individuals under the age of 16. The service does not knowingly process data from children.
11. Changes to This Policy
This policy may be updated to reflect changes in the service. The “Last updated” date at the top indicates the most recent revision.
12. Contact
For privacy-related inquiries or to exercise your GDPR rights, contact us at:
Kotekorbya Technologies di Jacopo Di Pumpo
General inquiries: contact@imap.pm
Data Protection Officer (DPO): dpo@imap.pm
VAT / P.IVA: IT14253050968
You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at www.garanteprivacy.it.