Privacy Policy

Last updated: February 19, 2026

1. Who We Are

SpamBear is operated by Bear & Eddy LLC. SpamBear is an email unsubscribe tool that helps you clean up your inbox by connecting to your Gmail account.

2. Local-First Architecture

SpamBear is built local-first. Your email data (sender information, decisions, and preferences) is stored in your browser's IndexedDB using Dexie.js. This data never leaves your device unless you explicitly enable Cloud Sync in Settings > Privacy & Data.

3. What We Access

When you connect your Gmail account, SpamBear accesses:

• Email metadata — sender addresses, subject lines, and dates to identify subscription emails
• Email headers — List-Unsubscribe headers to facilitate one-click unsubscription

We do not read, store, or transmit the body content of your emails.

4. Google OAuth & API Usage

SpamBear uses Google OAuth 2.0 for authentication. We request gmail.modify access to read email metadata and execute unsubscribe actions (such as managing labels). Despite this scope, SpamBear only reads email metadata headers and never accesses email body content. Your access token is stored locally in your browser and is used solely to communicate with the Gmail API on your behalf. We do not store your Google credentials on any server.

5. Optional Cloud Sync

Cloud sync is disabled by default. You can enable it in Settings > Privacy & Data > Cloud Sync. When enabled, the following data is synced to our cloud infrastructure (powered by Supabase, hosted in the US) to enable cross-device access:

• Sender email addresses and names
• Your keep/unsubscribe/delete decisions
• Your email address (for account identification)

Email content, subject lines, and message bodies are never synced to the cloud.

6. Payments

Payment processing is handled by Stripe. We do not store your credit card details. See Stripe's Privacy Policy for details.

7. Analytics

We do not use third-party analytics services. Basic usage metrics (feature adoption, error rates) are collected without any personally identifiable information.

8. Data Deletion & Export

You can manage your data at any time from Settings:

• Clear Local Data — deletes all locally stored email data from your browser
• Export My Data — downloads all your data as a JSON file
• Delete Account — permanently deletes all data, both local and cloud, and revokes Gmail access

You can also revoke SpamBear's Gmail access at any time from your Google Account permissions.

9. Your Rights

For details on your rights under GDPR (EU/EEA users), see our GDPR page. For California residents, see our CCPA page.

10. Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated through the app.