Privacy Policy

Last updated: April 7, 2026

LowFat Apps ("LowFat", "we", "us", or "our") is an open-source project that provides a lightweight, third-party email client. LowFat is not affiliated with, endorsed by, or sponsored by Google LLC. This Privacy Policy explains how we collect, use, and protect your information when you use the hosted version of LowFat at this domain, or self-host your own instance.

1. Overview

LowFat is primarily distributed as open-source software that you can self-host. We also operate a hosted version for convenience. This Privacy Policy applies to the hosted version. If you self-host LowFat, you are responsible for your own data handling practices.

2. Information we collect

2.1 Google account data

When you sign in to the hosted version via Google OAuth, we request access to the following scopes:

• Gmail API (read, send, and manage emails) — used solely to provide the email client functionality within LowFat.
• Basic profile information (email address) — used to identify your session.

We access your email data only to display, search, compose, and manage your email within the LowFat interface. Email content is fetched from Google's servers on each request and rendered server-side. We do not store your email content on our servers.

2.2 Data stored by the hosted version

• OAuth tokens — Your OAuth refresh and access tokens are encrypted and stored in Cloudflare KV storage to maintain your authenticated session. These tokens are automatically deleted when you log out.
• Session cookies — A session identifier is stored in your browser (HTTP-only, secure cookie), valid for 24 hours.

We do not store emails, contacts, attachments, or any other Google account content on our servers beyond the duration of a single request.

3. How we use your information

We use the data described above exclusively to:

1. Authenticate your session with the Gmail API
2. Display your email in the LowFat interface
3. Send, reply to, and manage emails on your behalf as you direct

We do not use your data for any other purpose, including but not limited to:

• Advertising, marketing, or ad targeting
• Data mining, profiling, or analytics
• Training machine learning or AI models
• Selling, renting, or sharing your data with third parties
• Any purpose unrelated to providing the email client functionality

4. Google API Services User Data Policy

LowFat's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use access to Google user data to provide the email client functionality described in this policy.
• We do not transfer Google user data to third parties, except as necessary to provide the service (i.e., communication with Google's API servers), as required by law, or as part of a merger/acquisition with prior notice.
• We do not use Google user data for serving advertisements.
• We do not allow humans to read Google user data, except with your affirmative consent for specific messages, for security purposes (e.g., investigating abuse), to comply with applicable law, or when the data is aggregated and anonymized for internal operations.

5. Data sharing and disclosure

We do not sell, rent, or share your personal data with third parties. We may disclose information only in the following limited circumstances:

• Infrastructure providers — The hosted version runs on Cloudflare Workers. Your requests are processed through Cloudflare's network. We recommend reviewing their privacy policy.
• Legal requirements — If required to do so by law, regulation, or valid legal process.
• Safety — If necessary to protect the rights, safety, or property of our users or the public.

6. Data security

We implement appropriate technical measures to protect your data:

• OAuth tokens are encrypted at rest in Cloudflare KV storage.
• All communication is encrypted in transit using TLS/HTTPS.
• Session cookies are HTTP-only and secure-flagged.
• No email content is persisted on our servers.

However, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

7. Data retention and deletion

• OAuth tokens are deleted immediately when you log out, or automatically expire if unused.
• Session cookies expire after 24 hours.
• No email content is retained beyond the duration of a single request.

To delete all your data from LowFat's hosted version, simply log out. To fully revoke LowFat's access to your Google account, visit your Google Account permissions page and remove LowFat.

8. Self-hosting

LowFat is open-source software. You may deploy your own instance and maintain full control over your data. Self-hosted instances are not covered by this Privacy Policy — the operator of a self-hosted instance is responsible for their own privacy practices.

9. Children's privacy

LowFat is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will indicate the date of the latest revision at the top of this page. Your continued use of the hosted version after any changes constitutes acceptance of the updated policy.

11. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please open an issue on GitHub.

12. Operator

The hosted version of LowFat is operated by UPLUCID, K.K. (Japan).