Privacy Policy
Last updated: 2026-06-17
1. Roles and Privacy Contact
Kotekorbya Technologies di Jacopo Di Pumpo
VAT / P.IVA: IT14253050968
General inquiries: contact@imap.pm
Privacy Contact: dpo@imap.pm
imap.pm is an email routing service that connects IMAP mailboxes to configured destinations, including Telegram, Discord, webhooks, SMTP relays, IMAP destination mailboxes and managed @imap.pm mailboxes. This privacy policy explains what data is processed, how it is handled, and your rights regarding that data.
For account registration, billing, admin access, security logs and service operation, Kotekorbya Technologies di Jacopo Di Pumpo acts as controller (titolare del trattamento), pursuant to EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended.
For email content, mailbox data, routing rules and destination delivery configured by customers, Kotekorbya acts as processor (responsabile del trattamento) on the customer’s documented instructions. The customer is responsible for having a valid legal basis for the mailbox data and email content they route through imap.pm.
B2B customers: If you use imap.pm to route email content or mailbox data relating to other people, you may need a Data Processing Agreement (DPA) with us. Business customers can request our DPA by contacting dpo@imap.pm.
2. Data We Process
2.1 Email Content
When a new email arrives in a monitored IMAP mailbox, imap.pm reads the following from the mail server:
- Sender address (From header)
- Recipient addresses (To, Cc headers)
- Subject line
- Date and time
- Message body (plain text and/or HTML)
- Attachments (file name, size, content type, binary data)
- Message UID (unique identifier on the IMAP server)
Processing: Email content is forwarded in real time to the configured destination (Telegram chat, Discord channel, webhook endpoint, SMTP recipient, IMAP destination mailbox or managed @imap.pm mailbox route). The email body is truncated to platform limits where applicable (for example, 4,096 characters for Telegram). Attachments up to 20 MB are forwarded.
Storage: Email content is not stored persistently on the imap.pm server. When mail previews are enabled, a temporary encrypted cache may be created with a configurable TTL (default: 8 hours). Cached previews can be permanently destroyed by the user via PIN.
2.2 IMAP Credentials
- IMAP server address — stored in plaintext (e.g. mail.example.com:993)
- IMAP username — stored in plaintext
- IMAP password — encrypted at rest using a server-side secret key. Can optionally be revealed by the account owner after re-authentication, but will never be shown again if access to the account is obtained by password reset.
2.3 Admin User Accounts
- Username — stored in plaintext
- Password — stored as a cryptographic hash (not reversible)
- Role (owner/viewer) and account access scope
- Theme preference (light/dark)
2.4 Message UID Tracking
To avoid re-sending previously forwarded emails, imap.pm stores the UID (unique identifier) of each processed message. UIDs are numeric identifiers assigned by the IMAP server and do not contain email content.
2.5 Destination Configuration
- Telegram bot tokens (stored in plaintext, masked in the UI)
- Discord webhook URLs
- Custom webhook endpoints
- Telegram chat IDs, Discord channel identifiers
- SMTP relay hostnames, usernames, encrypted passwords, sender configuration and recipient addresses
- IMAP destination hostnames, usernames, encrypted passwords, mailbox folders and TLS settings
- Managed @imap.pm mailbox addresses, original recipient metadata and managed mailbox routing settings
2.6 IP Addresses
IP addresses are processed for rate limiting on the mail preview destroy feature (PIN verification). They are stored in memory only and are not persisted to disk. No IP-based tracking or analytics is performed.
2.7 Failure Logs
A rolling buffer of up to 200 failure log entries is maintained in memory. Entries include: timestamp, HTTP status code, request path, and error message. Log entries may contain email addresses from failed operations. Logs are not persisted to disk and are lost on server restart.
3. How Data is Used
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email content | Forwarding to configured destination | Legitimate interest / consent of mailbox owner |
| IMAP credentials | Connecting to mail server | Contract performance |
| Admin credentials | Authentication and access control | Contract performance |
| Message UIDs | Preventing duplicate delivery | Legitimate interest |
| IP addresses | Rate limiting (anti-abuse) | Legitimate interest |
| Failure logs | Debugging and operational monitoring | Legitimate interest |
4. Third-Party Services and Mail Infrastructure
imap.pm transmits data to the following third-party services and mail infrastructure as configured by the administrator:
| Service | Data Transmitted | Purpose |
|---|---|---|
| Telegram Bot API | Message text, attachments, chat ID | Delivering email notifications to Telegram |
| Discord Webhooks | Message text, attachments, channel ID | Delivering email notifications to Discord |
| Custom Webhooks | Message JSON payload | Delivering email notifications to user-configured endpoints |
| SMTP relay providers configured by the administrator | Message headers, message text, attachments, recipient address, relay credentials and sender configuration | Forwarding email to SMTP destinations selected by the administrator |
| IMAP destination providers configured by the administrator | Message headers, message text, attachments, destination mailbox folder and IMAP credentials where custom IMAP delivery is used | Appending routed email into a destination IMAP mailbox selected by the administrator |
| Managed @imap.pm mailboxes | Inbound email addressed to managed imap.pm mailboxes, original recipient metadata, routing rules and delivery status | Receiving mail for managed imap.pm addresses, routing it to configured destinations and deleting processed source messages after successful delivery |
| Google Fonts | Browser IP, user agent (client-side) | Loading web fonts for the admin interface |
| netcup GmbH, Germany | Hosting, storage, network, backup and infrastructure data | Hosting provider. netcup GmbH provides hosting, storage, network, backup and infrastructure services for imap.pm and may process personal data stored or transmitted through the service as our processor. |
IMAP source and destination connections are made directly to the mail providers specified by the administrator, except for managed @imap.pm mailboxes, which are operated as part of the imap.pm service.
5. Data Retention
| Data | Retention Period |
|---|---|
| Email content (forwarded) | Not stored. Forwarded in real time and discarded. |
| Mail preview cache | Configurable TTL (default 8 hours). Destroyed on PIN request or expiry. |
| Message UIDs | Indefinite (required to prevent re-sending). Deleted when account is removed. |
| IMAP credentials | Until the account is deleted by the admin. |
| Admin user accounts | Until deleted by an owner. |
| Subscription metadata (plan/customer/subscription IDs, billing status) | Stored while account is active and retained for compliance and accounting requirements. |
| Planless/expired account deadline data | Up to 2 months grace window before account expiry, shown live in the admin profile for GDPR transparency. |
| Self-service account deletion requests | Sync is disabled immediately. Account data is scheduled for purge after a 2 month reversible window unless the request is reverted before the deadline. |
| Short links | Configurable TTL (1 day to 1 year, or indefinite). |
| Failure logs | In-memory only. Rolling buffer of 200 entries. Lost on restart. |
| Session cookies | 24 hours. |
If no plan is selected, or if a subscription expires/cancels, the account remains viewable in admin with a live deadline countdown and expires after a grace period (2 months) unless a valid plan is added. This retention/expiry mechanism is applied to satisfy GDPR data minimization and storage limitation principles.
If you request account deletion from the profile section, sync is disabled immediately, Stripe subscription cancellation is requested, and the account is purged after the 2 month deletion deadline. You can revert the deletion request from the profile section any time before that deadline.
6. Data Security
- IMAP passwords are encrypted at rest using a server-side secret key file
- Admin passwords are stored as irreversible cryptographic hashes
- Mail preview tokens are encrypted and time-limited
- HTML email content is sanitized and rendered in sandboxed iframes
- Admin session cookies are HttpOnly and Secure (configurable)
- PIN verification is rate-limited per IP to prevent brute-force attacks
- Bot tokens and webhook URLs are masked in the admin interface
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation:
- Right of Access — Request a copy of the personal data held about you
- Right to Rectification — Request correction of inaccurate data
- Right to Erasure — Request deletion of your data. For IMAP accounts, this means removing the synced account. For admin users, this means deleting the user account. For mail previews, use the PIN-protected destroy feature.
- Right to Data Portability — Request your data in a structured, machine-readable format
- Right to Object — Object to processing of your data
- Right to Restrict Processing — Request that processing be paused (use the “Pause syncing” feature)
To exercise these rights, contact the administrator of the imap.pm instance you are using.
8. No Analytics or Advertising
imap.pm does not use any analytics services, tracking pixels, advertising networks, or behavioral profiling. No data is sold or shared with data brokers.
9. International Transfers
Data is processed on the server where imap.pm is deployed. Email content is transmitted to third-party messaging platforms (Telegram, Discord) whose servers may be located in different jurisdictions. The administrator is responsible for ensuring appropriate data transfer mechanisms are in place.
10. Children
imap.pm is not intended for use by individuals under the age of 16. The service does not knowingly process data from children.
11. Changes to This Policy
This policy may be updated to reflect changes in the service. The “Last updated” date at the top indicates the most recent revision.
12. Contact
For privacy-related inquiries or to exercise your GDPR rights, contact us at:
Kotekorbya Technologies di Jacopo Di Pumpo
General inquiries: contact@imap.pm
Privacy Contact: dpo@imap.pm
VAT / P.IVA: IT14253050968
You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at www.garanteprivacy.it.