Which Email Clients Send Your Data to the Cloud? A Privacy Audit
We audited 10 popular email clients to find out exactly what happens to your data. The results are sobering.
Every email client promises to keep your data safe. But what does "safe" actually mean when your messages are being sent to cloud servers for AI processing, scanned for advertising signals, or stored on infrastructure you don't control? We decided to find out.
Over two weeks, we conducted a systematic email client privacy comparison across the 10 most popular email apps on the market. We examined their privacy policies, monitored their network traffic with packet sniffers, reviewed their terms of service, and documented every outbound connection. This is the most thorough email privacy audit we're aware of for 2026.
Methodology
We evaluated each email client across five dimensions. Each dimension was scored independently, then weighted to produce an overall privacy grade.
- AI Processing Location: Does the app process emails on-device, or does it send email content to cloud servers (OpenAI, Google Cloud, AWS, etc.) for AI features like summarization, smart replies, and categorization? This is the single most important factor. If your email leaves your device for AI processing, a third party has read it.
- Data Storage: Where is your email data stored? Solely on your device and your email provider's servers? Or does the email client maintain its own copy on company-owned infrastructure? Every additional copy is an additional attack surface.
- Third-Party Sharing: Does the app share data with analytics providers, advertising networks, or data brokers? We reviewed privacy policies and cross-referenced with network traffic analysis to verify claims.
- Telemetry: What usage data does the app collect? Can it be disabled? We used Little Snitch and Wireshark to monitor every connection each client made during normal usage, including background activity.
- Business Model: How does the company make money? Free products funded by advertising or data monetization have fundamentally different incentives than paid products. We followed the money.
The Audit Results
Here's what we found for each email client, ranked from worst to best. Which email apps read your emails? More than you think.
1. Gmail — F
Gmail is the world's most popular email service with over 1.8 billion users, and it is also one of the worst for privacy. Google scans every email that passes through Gmail's servers. While they stopped using email content for ad targeting in 2017, the scanning never stopped — it powers Gemini AI features, Smart Reply, Smart Compose, automatic categorization, and spam filtering.
Every email you receive is processed on Google Cloud infrastructure. Gemini AI features, introduced in 2024 and expanded throughout 2025, send your email content through Google's large language models for summarization, drafting, and search. Google's privacy policy grants them broad rights to process your data "to provide, maintain, and improve" their services.
Beyond AI, Gmail's integration with the broader Google ecosystem means your email data is cross-referenced with your search history, YouTube activity, location data, and browsing habits to build advertising profiles. Even if email content itself isn't used for ad targeting, the metadata — who you email, when, how often — absolutely is.
Our network analysis showed Gmail making connections to dozens of Google services during normal usage, including analytics endpoints, ad-serving infrastructure, and telemetry collectors. There is no way to disable this telemetry while using Gmail.
2. Edison Mail — F
Edison Mail earns an F for a specific reason: they were caught selling aggregated email data. In 2021, reports revealed that Edison's parent company was monetizing email data through a product called "Edison Trends," which sold purchase-related data extracted from users' inboxes to investment firms, hedge funds, and corporate clients.
Edison claimed the data was "anonymized," but the practice itself reveals the fundamental problem: your email content was being read, parsed, and packaged for sale. Even after the backlash, Edison's business model depends on extracting value from your inbox. The app is free, and there is no subscription tier — the product is your data.
Our network monitoring confirmed that Edison Mail makes connections to Edison's own analytics infrastructure, transmitting email metadata and engagement data. The AI features process content on Edison's cloud servers.
3. Outlook — D
Microsoft's Outlook is deeply integrated with the Microsoft 365 ecosystem, and that integration comes at a privacy cost. All email data is stored on Microsoft servers. Copilot AI features — summarization, drafting, scheduling — process your emails through Microsoft's cloud AI infrastructure, including Azure OpenAI Service.
Microsoft 365 telemetry is extensive and well-documented. The "Required Diagnostic Data" collection includes email activity patterns, feature usage, and performance metrics. While enterprise administrators can configure telemetry levels, individual users on personal accounts have limited control.
The new Outlook app (which replaced Windows Mail) routes all email through Microsoft's servers, even for third-party email providers like Gmail or Yahoo. This means Microsoft processes email from non-Microsoft accounts through their infrastructure — a significant privacy concern that drew criticism from European data protection authorities.
4. Spark — D
Spark, made by Readdle, stores your email credentials and message data on Readdle's own servers. This is required for their cross-device sync and collaboration features. Your emails don't just live on your device and your email provider — they exist on Readdle's infrastructure too.
Spark's AI features, including "+AI" powered by OpenAI, send your email content to OpenAI's API for processing. When you use AI to summarize a thread or draft a reply, that content leaves your device, travels to Readdle's servers, and then is forwarded to OpenAI. That is two additional parties reading your email beyond your original email provider.
Readdle's privacy policy acknowledges storing email content and metadata on their servers. They state this data is encrypted at rest, but encryption at rest only protects against physical theft of drives — Readdle's systems still have access to decrypt and process your data.
5. Superhuman — D+
Superhuman is a beautifully designed email client that charges $30/month, yet still processes your emails through cloud AI. Their AI features — auto-summaries, Instant Reply, Write with AI — send your email content to OpenAI's API. At $360/year, you're paying premium prices and still giving up your data.
Superhuman gets a marginally better grade than Spark because they don't store your emails on their own servers for sync purposes — they rely on direct IMAP/Gmail API connections. However, the AI processing pipeline still sends email content to third-party infrastructure.
Usage analytics are collected, including feature engagement and email processing patterns. Superhuman's privacy policy permits sharing anonymized data with service providers. Our network analysis showed connections to analytics services (Amplitude, Segment) during normal usage.
6. Canary Mail — C-
Canary Mail markets itself as a "private AI email client," which makes its actual data practices particularly disappointing. While Canary does offer end-to-end encryption for emails between Canary users (via PGP), their AI features tell a different story.
Canary's "Copilot" AI features use cloud APIs for processing. Despite the privacy marketing, when you ask Canary to summarize an email or draft a reply, that content is sent to external AI services. The disconnect between marketing claims and actual behavior is the reason for the C- rather than a D — the base product without AI features is reasonably private, but the AI upsell undermines the privacy promise.
Canary does store emails locally on-device for its core functionality, which is better than Spark's server-side storage. But the moment you engage AI features, your data leaves the device. The "private AI" marketing is misleading at best.
7. HEY — B-
HEY, from Basecamp (now 37signals), takes a genuinely different approach to email. All HEY email is stored on Basecamp's servers — it's a full email service, not just a client. But there is no AI scanning of your content, no machine learning categorization, and no data mining.
HEY's business model is straightforward: you pay $99/year for personal use, and that's how they make money. No ads, no data sales, no third-party AI processing. The Screener, Feed, and Paper Trail features are rule-based, not AI-driven, so your emails aren't sent to language models.
The reason HEY doesn't score higher is that your emails are still stored on servers you don't control. Basecamp has a strong privacy track record and their leadership is vocal about data rights, but you're still trusting a third party with your data. For users who want true local-only storage, HEY doesn't offer that. Additionally, HEY is a proprietary email service — you can't use your own domain's IMAP with HEY's client.
8. Apple Mail — A-
Apple Mail is the default email client on macOS and iOS, and it is one of the most privacy-respecting options available. Apple does not scan your emails for advertising. Mail data is stored locally on your device. There is no cloud AI processing of email content.
Apple's Mail Privacy Protection blocks tracking pixels by default, preventing senders from knowing when you open an email. The app connects only to your configured email servers — no intermediate proxy servers, no company-owned infrastructure storing copies of your messages.
Apple does collect some telemetry (crash reports, basic usage analytics), but it can be disabled in System Settings. Their privacy nutrition labels on the App Store are among the sparsest of any major tech company's products.
The A- instead of an A reflects one gap: Apple Mail has no AI features whatsoever. While Apple Intelligence has been introduced for other Apple apps, Mail's integration remains limited to basic smart suggestions. For users who want AI-powered email without privacy trade-offs, Apple Mail doesn't solve the full problem — it just avoids it entirely.
9. Proton Mail — A
Proton Mail sets the gold standard for email encryption. Based in Switzerland and protected by Swiss privacy laws, Proton uses end-to-end encryption and zero-access architecture. Even Proton's own servers cannot read your emails — they're encrypted with keys that only you hold.
There is no AI scanning, no data mining, no advertising. Proton's business model is paid subscriptions (free tier available with limitations). The codebase is open source and has been independently audited. Email between Proton users is end-to-end encrypted by default. Email to non-Proton users can be sent with password-protected encryption.
Proton earns an A rather than A+ because it lacks AI features entirely. For users who want intelligent email assistance — summaries, smart categorization, AI drafts — Proton doesn't offer that. The trade-off is maximum encryption with zero intelligence. Proton Mail is also a full email service, meaning you use their servers — albeit servers that cannot decrypt your content.
10. Inboxed — A+
Full disclosure: we built Inboxed, so take this assessment with that context. But the facts are verifiable. Inboxed processes 100% of AI operations on-device using llama.cpp optimized for Apple Silicon with Metal acceleration. Email summarization, smart replies, categorization, and search all happen locally. Zero email content ever leaves your Mac.
There is no telemetry. No analytics. No crash reporting. No background connections to Inboxed servers — because there are no Inboxed servers. The app connects only to your configured IMAP/SMTP email provider and nothing else. You can verify this with Little Snitch, Wireshark, or any network monitor: during AI processing, your network interface stays completely silent.
The business model is a one-time purchase. No subscription means no ongoing incentive to extract data for revenue. No cloud infrastructure means no servers to breach. Your emails exist on your device and your email provider's servers — nowhere else.
Inboxed earns an A+ because it is the only email client we tested that offers full AI capabilities (summarization, smart replies, categorization, intelligent search) with zero data leaving the device. It combines the AI intelligence of Superhuman with the privacy posture of Proton Mail.
Summary: Email Client Privacy Comparison
| Client | AI Location | Data Storage | Telemetry | Grade |
|---|---|---|---|---|
| Gmail | Google Cloud | Google servers | Extensive, non-optional | F |
| Edison Mail | Edison Cloud | Edison servers | Extensive + data sales | F |
| Outlook | Azure / OpenAI | Microsoft servers | Extensive, partially optional | D |
| Spark | OpenAI API | Readdle servers | Analytics collected | D |
| Superhuman | OpenAI API | Gmail/IMAP direct | Analytics (Amplitude, Segment) | D+ |
| Canary Mail | Cloud APIs | Local + cloud for AI | Some analytics | C- |
| HEY | None (no AI) | Basecamp servers | Minimal | B- |
| Apple Mail | None (no AI) | Local device | Optional, minimal | A- |
| Proton Mail | None (no AI) | Encrypted servers (zero-access) | Minimal, open source | A |
| Inboxed | 100% on-device | Local device only | None | A+ |
What "Private AI" Really Means
Several email clients market themselves as "private AI" or "privacy-first AI." These terms sound reassuring. But what do they actually mean in practice?
In most cases, "private AI" means one of two things: either the AI provider promises not to train on your data (OpenAI's enterprise API terms), or the email client claims to anonymize your data before sending it to the cloud. Neither of these constitutes actual privacy.
Not training on your data is not the same as not reading it. When Superhuman sends your email to OpenAI's API, OpenAI processes it — the model reads the content, generates a response, and returns it. Even if OpenAI doesn't store that data for training, your email content existed on their servers during processing. Their employees could theoretically access it. A breach could expose it. A subpoena could compel its disclosure.
Anonymization is not privacy. Research has repeatedly shown that "anonymized" data can be re-identified. When Canary Mail or Spark sends "anonymized" email data to cloud AI, the content itself — the words, the context, the meaning — is inherently identifying. An email about your tax return is identifiable no matter how many user IDs you strip from the metadata.
True AI privacy means one thing: the data never leaves your device. Not anonymized. Not encrypted-in-transit. Not temporarily-processed-and-deleted. Never leaves. Period. If your email content touches a server you don't control for AI processing, it is not private AI. It is cloud AI with a privacy marketing wrapper.
The Zero-Data-Exit Standard
We propose a simple, verifiable standard for email client privacy: Zero Data Exit. An email client meets this standard when no email content, metadata, or usage data leaves your device except to communicate with your configured email servers (IMAP/SMTP).
Zero Data Exit means:
- No cloud AI calls. All AI processing happens on-device using local models. Summarization, drafting, categorization, and search run on your CPU/GPU, not on a remote server.
- No telemetry. The app does not phone home with crash reports, usage analytics, feature engagement metrics, or any other data. You can verify this with network monitoring tools.
- No intermediate servers. The app connects directly to your email provider via standard protocols. There are no proxy servers, no company-owned infrastructure sitting between you and your email.
- No data retention by the client vendor. The email client company stores nothing about you. No accounts, no user profiles, no server-side data. If they get breached, there is nothing to leak because nothing exists.
- Verifiable by the user. You can confirm all of the above yourself using standard network monitoring tools like Little Snitch, Wireshark, or tcpdump. Privacy claims that cannot be independently verified are not worth making.
Of the 10 email clients we audited, only one meets the Zero Data Exit standard while also providing AI features: Inboxed. Apple Mail and Proton Mail meet most of the criteria but lack AI capabilities entirely. Every other client sends some form of your data to servers beyond your email provider.
Why This Matters Now
In 2026, AI is no longer optional in email. The productivity gains from AI-powered summarization, smart replies, and intelligent categorization are too significant to ignore. Refusing AI entirely — as Apple Mail and Proton Mail currently do — means accepting a growing productivity disadvantage.
But the current default — sending your emails to cloud AI for processing — is a privacy disaster waiting to happen. Every email client that routes content through OpenAI, Google, or Microsoft is creating a centralized honeypot of the world's private communications. One breach, one rogue employee, one government subpoena, and millions of private emails are exposed.
Local AI changes the equation. Apple Silicon hardware is now powerful enough to run sophisticated language models on a laptop. There is no technical reason your email needs to leave your device for AI processing. The only reason it still does is that most email companies built their AI features before local models were viable, and they haven't rebuilt.
The email privacy audit is clear: if you want AI and privacy, the answer is local processing. No exceptions.
Building Inboxed to prove that AI-powered email doesn't require giving up your privacy. Previously worked on native macOS applications and on-device ML systems.