Privacy

Privacy Policy

The plain-English version: everything you'd expect from Gmail or Workspace, minus the ads, the content mining, and the AI training on your inbox. Here's exactly what we collect, why, and what we will never do with it.

Effective April 1, 2026 · See changelog

Why this policy is short

We built AXO because email got gross. Free mail services scan your messages to sell ads; the encrypted alternatives feel nothing like the inbox you already know. AXO is the middle path: business-grade mail that works as easily as Gmail, that you simply pay for — no ads, no content mining, no surprises. You get the polished, familiar inbox; we just don't read it.

This policy describes what we collect, why, and what we do with it. If you have questions after reading, contact us — or, if you're ready for an inbox that keeps your business yours, get started.

Data we collect

Account information

When you sign up, we collect your name, email address, and password (hashed with bcrypt). If you choose the Concierge setup path or subscribe to a paid plan, we collect billing information through our payment processor — we store only the last 4 digits and the expiration date.

Mail content

We store the messages you send and receive so we can deliver them to you. Mail is encrypted at rest (AES-256) and in transit (TLS 1.3). Only you and people you've shared mailboxes with can read your mail — not advertisers, not us.

Usage data

We log request metadata (timestamp, IP address, user agent) for security, debugging, and abuse prevention. Logs are retained for 30 days and then deleted.

Cookies

We use first-party cookies for session management and remembering your preferences. We don't use third-party tracking cookies or advertising cookies.

How we use it

  • Deliver mail. Receive, route, and send messages on your behalf.
  • Protect accounts. Detect abuse, fraud, and compromise.
  • Improve the product. Aggregate, anonymized metrics — for example, how long setup typically takes — never individual messages.
  • Support you. Respond to tickets you open. Our agents only access mail content when you explicitly share it with them in a ticket.
  • Bill you. Process subscription payments.

What we never do — and never will

This is the part that separates us from free email. We will never:

  • Scan your mail to train AI models.
  • Sell or rent your data to anyone.
  • Use your mail content for advertising.
  • Read your mail without a narrow legal obligation or your explicit support ticket.
  • Store your password in plaintext.

Sharing & subprocessors

We share data with a small set of vetted subprocessors that help us operate the service:

SubprocessorPurposeRegion
Amazon Web Services (SES)Outbound mail relayUS
StripePayment processingUS
CloudflareDNS & web edgeGlobal
Backblaze B2Encrypted off-site backupsUS

We also disclose information if required by a valid legal process (subpoena, court order). We publish a transparency report annually.

Retention & deletion

Your mail stays until you delete it. When you delete a message, it's moved to Trash and purged after 30 days. When you close your account, all mail and metadata are scrubbed within 30 days. Billing records are retained for 7 years to comply with tax and accounting law.

Security

Our security practices are detailed on the security page. Highlights: TLS in transit, two-factor authentication for webmail, DKIM/SPF/DMARC on every outbound message, audit logs for admin actions, and daily encrypted off-site backups. To report a vulnerability, use our support form.

Your rights

Depending on your region (GDPR, CCPA, LGPD, etc.), you have the right to:

  • Access the data we hold about you (Settings → Account → Export data)
  • Correct inaccurate data
  • Delete your data (Settings → Security → Delete account)
  • Export your mail and contacts in standard formats (.mbox, .vcf) anytime — so your inbox is never locked in, and you can leave as easily as you arrived
  • Object to processing for a specific purpose
  • Lodge a complaint with a data protection authority

To exercise these rights, use in-app controls or open a ticket through our support form.

Children

AXO is not intended for children under 13. We don't knowingly collect information from children.

Contact us

For privacy, legal, or data-protection questions, open a ticket through our support form and we'll route it to the right person.

Changes

We'll notify you by email and in-app banner at least 30 days before any material change.