Security

How we keep your email safe.

Pop3Fetch is built around a simple principle: take only the access we need, encrypt everything we store, and give you full control to revoke access at any time.

Verified under Google's CASA Tier 2 assessment

Pop3Fetch has been verified under Google's Cloud Application Security Assessment (CASA) at Tier 2 — an independent third-party security review required for apps that handle sensitive Gmail data. The assessment is conducted by a Google-authorized security lab and covers the full security posture of the application, not just the OAuth integration.

The assessment reviewed:

  • OAuth scope justification — every Gmail permission we request, the specific reason we need it, and what we do (and don't do) with the data we receive
  • Data handling practices — how user data flows through the system, what's retained, what's never stored, and how deletion works
  • Encryption at rest and in transit — AES-256-GCM with KMS-managed keys for stored credentials; TLS for every network connection in and out
  • Authentication and access control — admin-panel hardening, WebAuthn-required multi-factor authentication, and operator IP allowlisting
  • Incident response and breach notification — documented runbooks, security alerting, and a pre-drafted user-notification process
  • Dependency hygiene — automated static analysis (Bandit), dynamic scanning, and weekly dependency patches via Dependabot

What this means for you. Pop3Fetch wasn't just self-assessed — an independent security lab reviewed the system end-to-end, scanned for vulnerabilities, and validated data-handling practices against Google's published bar for Gmail-handling apps. The verification was completed in May 2026.

Following the CASA assessment, Pop3Fetch's OAuth integration was also independently reviewed and approved by Google's own verification team — confirming our consent screen, scope justifications, and data-handling practices meet Google's published requirements for verified Gmail-handling apps.

Your Gmail password — we never see it

Pop3Fetch connects to your Gmail account using Google's official OAuth system. This means you log in directly with Google — we never see, store, or transmit your Google password at any point.

OAuth gives us a secure token instead of your password. You can revoke this token at any time by visiting myaccount.google.com/permissions and removing Pop3Fetch.

You choose your access level. At sign-in you select Standard (uses gmail.modify for spam filtering and threading) or Limited (uses gmail.insert, which is write-only). Regardless of which you choose, Pop3Fetch never reads, searches, or deletes your existing Gmail. We only use these permissions to import your external emails.

Your external email password — AES-256 encrypted

To connect to your external email account, we need your IMAP or POP3 password. Here is exactly how we handle it:

  • Encrypted immediately on receipt using AES-256-GCM — the same standard used by financial institutions
  • Stored only in encrypted form — plain text is never written to disk or logged
  • Decrypted only in memory, only when needed to fetch your emails
  • Never transmitted to any third party
  • Deleted immediately when you remove the account

AES-256-GCM provides both confidentiality and integrity — meaning we can detect if stored credentials have been tampered with.

How emails are transferred

Pop3Fetch connects to your external mail server over an encrypted TLS connection. Emails are fetched and immediately delivered into Gmail via the official Gmail API over HTTPS.

Emails are never stored on our servers. They pass through memory only — fetched, delivered to Gmail, and discarded. We do not index, analyze, or cache your email content.

Connection monitoring

If a sync job fails three times in a row — due to a password change, server issue, or expired credentials — Pop3Fetch detects it and sends you an email alert immediately. Your dashboard shows a live connection status for each account.

Infrastructure and data storage

  • Hosted on Render — SOC 2 compliant infrastructure
  • Database on MongoDB Atlas — encrypted at rest and in transit
  • Payments processed by Stripe — we never see or store card details
  • All traffic served over HTTPS/TLS
  • No advertising. No data selling. No third-party analytics on your email data.

Data deletion

You can delete your Pop3Fetch account at any time from your dashboard. When you do, we permanently delete all stored data including your encrypted credentials, sync history, and account settings. Deletion is immediate and permanent.