Your Email Data Never Leaves Your Device

When you hear "email cleanup tool," you probably assume it involves uploading your emails to some company's server. That's how most of them work. SpamBear is different — and this post explains exactly how.

Local-First Architecture

SpamBear uses a local-first architecture. That means your data lives on your device — in your browser's built-in database (IndexedDB) — not on our servers.

When you connect your Gmail account, here's what happens:

  1. You authenticate with Google directly. We never see your password.
  2. Your browser calls the Gmail API to fetch email headers (sender, date, subject line).
  3. SpamBear analyzes those headers in your browser to identify senders, detect newsletters, and calculate engagement.
  4. Results are stored in IndexedDB on your device.

At no point does email data pass through our servers.

What About the Server?

SpamBear does have a minimal server component, but it handles exactly two things:

  • OAuth token exchange: When Google sends back an authorization code, our server exchanges it for an access token. This is a one-time handshake required by Google's OAuth flow.
  • Unsubscribe proxy: Some email senders require a server-to-server POST request to process unsubscriptions (RFC 8058). Since browsers can't always make these cross-origin requests, we provide a thin proxy that forwards your unsubscribe request.

That's it. No email content ever passes through either of these endpoints.
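
The one-click unsubscribe POST from RFC 8058 that the proxy bullet above refers to, as an added example (not SpamBear's code): it picks the HTTPS URI from a message's List-Unsubscribe header and builds the request to forward, refusing non-HTTPS and internal targets. The function names and the lowercase-keyed header object are assumptions.

```javascript
// Added example; function names and the header-object shape are hypothetical.
const ONE_CLICK = "List-Unsubscribe=One-Click"; // fixed value from RFC 8058

// Extract the <...>-delimited URIs from a List-Unsubscribe header value.
function parseListUnsubscribe(value) {
  return [...value.matchAll(/<([^>]*)>/g)].map((m) => m[1].trim());
}

// Literal loopback, private and link-local hosts a forwarding proxy should
// refuse. A real proxy must also check the address the name resolves to.
function isInternalHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h.includes(":")) {
    return h === "::" || h === "::1" || h.startsWith("::ffff:") || /^(f[cd]|fe[89ab])/.test(h);
  }
  const m = h.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Return the request to forward, or null when the message does not offer a
// safe one-click unsubscribe. `headers` uses lowercase field names.
function buildOneClickRequest(headers) {
  if ((headers["list-unsubscribe-post"] || "").trim() !== ONE_CLICK) return null;
  for (const uri of parseListUnsubscribe(headers["list-unsubscribe"] || "")) {
    let url;
    try { url = new URL(uri); } catch { continue; }
    if (url.protocol !== "https:" || url.username || url.password) continue;
    if (isInternalHost(url.hostname)) continue;
    return {
      url: url.href,
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: ONE_CLICK,
      credentials: "omit", // RFC 8058: no cookies or HTTP authorization
      redirect: "manual",  // hardening choice: never follow a redirect
    };
  }
  return null;
}
```

The returned object carries only the target URL and the fixed form body, so nothing from the message itself is forwarded.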

What About Cross-Device Sync?

If you're a Pro user and enable cross-device sync, we store exactly three things per sender decision:

  • The sender's email address
  • Your decision (keep, unsubscribe, or nuke)
  • A timestamp

That's the complete list. No email content, no subject lines, no message bodies. Just the minimum needed to sync your decisions across devices.

Why This Matters

Your email is one of the most intimate datasets about your life. It contains financial records, medical correspondence, personal conversations, and business secrets. Any tool that asks you to hand that over to a third-party server is asking for an enormous amount of trust.

We didn't want to ask for that trust. So we built SpamBear to never need it.