Mailwing

Privacy

No telemetry. No analytics. Ever.

You don't have to take our word for it — every byte of Mailwing is open source. This page describes what the app actually does, in plain English.

TL;DR

  • No telemetry. No analytics. No crash reporting.
  • Mailwing never sees your email — it connects you directly to your providers.
  • Open source, MIT licensed. Read every line on GitHub.
  • This website has zero analytics, zero tracking pixels, zero cookies.

What stays on your device

Mailwing keeps everything local. Specifically:

  • Account list and preferences — stored as JSON via electron-store in your OS user-data directory.
  • Per-provider sessions — cookies and localStorage live in isolated persist:mailwing-{accountId} partitions, managed by Electron. They never cross between accounts.
  • Notes and todosnotes.json in the same user-data directory.

The user-data directory paths:

  • macOS: ~/Library/Application Support/mailwing
  • Windows: %APPDATA%\mailwing
  • Linux: ~/.config/mailwing

What we don't do

  • No first-party telemetry or "usage statistics".
  • No analytics SDK (no Mixpanel, no Amplitude, no Google Analytics, no PostHog).
  • No crash-reporting service (no Sentry, no Bugsnag).
  • No third-party trackers — the app actively blocks them at the network layer for the provider pages.
  • No cloud sync. Your accounts only exist on the machine where you added them.

The two outbound calls Mailwing does make

To be precise — these are the only network requests Mailwing's own code initiates:

  1. Update check. Once on launch and every six hours, Mailwing requests api.github.com/repos/vinaysamtani/mailwing/releases/latest to know whether a newer version is available. The only header sent is a standard User-Agent — no identifying tokens, no fingerprint. The response stays in memory just long enough to show the in-app banner. (If you'd rather not even check, block api.github.com at your firewall — the feature degrades silently.)
  2. Your providers' own traffic. Once you're signed in, Gmail talks to Google, Outlook talks to Microsoft, and so on. That traffic obviously phones home — it's how those products work — but it's between you and them. Mailwing does not proxy, mirror, or intermediate any of it.

Ad & tracker blocking

Mailwing ships with a built-in block list (see src/main/adBlockList.js) that intercepts:

  • Analytics and product-telemetry domains
  • Common ad networks
  • Cross-site fingerprinters and pixel trackers

Provider domains (Google, Microsoft, Zoho, Fastmail, Yahoo, Proton) are deliberately left untouched — blocking them would break the products you're trying to use.

This website

https://mailwing.app is a static site hosted on Cloudflare Pages. We have zero analytics on it — no Google Analytics, no Cloudflare Web Analytics, no third-party scripts of any kind. The only cookies you might see are Cloudflare's own infrastructure cookies (no user-identifying ones). Cloudflare itself, as our host, will have standard request logs for IPs and timestamps; we do not access or analyse those.

Reporting a privacy issue

Spot something off, or have a question about an outbound request you're seeing in Little Snitch / Wireshark / netstat? Please open an issue or read SECURITY.md for responsible-disclosure contact details.