Privacy Policy

Last updated: April 5, 2026

LowFat is an open-source, personal project. This policy is intentionally short and human-readable because we believe privacy policies should be easy to understand.

What we access

When you sign in with Google, LowFat requests access to your Gmail data (read, send, and manage emails) via the Gmail API. This access is used solely to provide the email client functionality.

What we store

• OAuth tokens — encrypted and stored in Cloudflare KV to maintain your session. These are automatically deleted when you log out.
• Session cookies — a session identifier stored in your browser, valid for 24 hours.

That's it. We do not store your emails, contacts, or any other personal data on our servers. Emails are fetched from Google's API on each request and rendered server-side.

What we don't do

• No analytics or tracking scripts
• No advertising
• No selling, sharing, or transferring your data to third parties
• No data mining or profiling

Third-party services

LowFat runs on Cloudflare Workers. Your requests pass through Cloudflare's network. We recommend reviewing their privacy policy as well.

Self-hosting

LowFat is open source. If you'd rather not trust our hosted version, you can deploy your own instance and keep everything under your control.

Data deletion

Log out from the app to delete your session and stored tokens immediately. If you want to revoke access entirely, visit your Google Account permissions page.

Contact

Questions? Open an issue on GitHub.