Effective date: April 28, 2026 · Last updated: April 28, 2026
This policy describes what data Silkwind accesses, why, where it lives, who can see it, and what your rights are. It applies to the Silkwind desktop application and the optional self-hosted webmail mode (collectively, “Silkwind”, “we”, “us”). It does not apply to the silkwind.app marketing website, which has a separate cookie/analytics policy. Silkwind is developed and maintained by Pulse S.r.l., based in Italy.
Silkwind’s core principle is local-first, end-user-controlled email. We are not a cloud service. Your mailbox does not flow through our servers, and we do not have a copy of it.
Silkwind connects directly from your device to your email provider (Gmail, Outlook, Yahoo, or any IMAP/JMAP server you configure) and to your CalDAV/CardDAV servers. Email content, calendars, contacts, and OAuth tokens stay on your device. They are never proxied through, stored on, or analysed by infrastructure operated by Silkwind or any third party we control.
The remainder of this policy details, per provider, exactly what data Silkwind reads and writes, and how that data is handled. Section 4 covers Google, Section 5 Microsoft, Section 6 Yahoo, and Section 7 generic IMAP/JMAP servers. Sections 8 onward apply to all data regardless of provider.
To provide email, calendar, and contact functionality, Silkwind needs to read and write data on your behalf:
Silkwind does not access location, device identifiers, browsing history, advertising IDs, or any data outside the scope of email/calendar/contact synchronisation.
We use the data above exclusively to:
We do not use this data for advertising, profiling, training machine-learning models, market research, or any purpose unrelated to your direct use of the app.
Silkwind’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
openid, email, profile — identify your Google account inside the app (display name, address, avatar).https://mail.google.com/ — full IMAP access: read messages, send mail, manage folders, manage flags, delete.https://www.googleapis.com/auth/calendar — (optional) read/write Google Calendar events when CalDAV is enabled.https://www.googleapis.com/auth/contacts — (optional) read/write Google Contacts when CardDAV is enabled.Google email content, headers, attachments, calendar events, and contact data are stored only on your device in the local Silkwind SQLite database. OAuth tokens are stored in your operating system keychain (Keychain on macOS, Credential Manager on Windows, libsecret on Linux). Nothing transits Silkwind-controlled infrastructure.
Silkwind uses Microsoft’s OAuth2 + IMAP (with XOAUTH2 SASL) for personal Outlook.com accounts and Microsoft 365 / Exchange Online accounts. Use of Microsoft data complies with the Microsoft Services Agreement and Microsoft’s API Terms of Use.
User.Read — identify your Microsoft account (display name, address).Mail.ReadWrite — read mail, manage flags, move/delete, save drafts, append.SMTP.Send — send outgoing mail through Microsoft SMTP.Calendars.ReadWrite — (optional) read/write calendar events.Contacts.ReadWrite — (optional) read/write contacts.offline_access — refresh access tokens without re-prompting you for sign-in.Identical to §4.3 — content lives in your local SQLite database, OAuth tokens in your OS keychain. Silkwind operates no servers that hold Microsoft data.
Silkwind uses Yahoo’s OAuth2 + IMAP (with OAUTHBEARER SASL) when Yahoo Mail API access is granted to our application. Until that approval is in effect, Yahoo accounts are added via app password (which Yahoo continues to support for IMAP/SMTP). Use of Yahoo data complies with the Yahoo Developer Network Terms of Use and the Yahoo Mail API access policies.
openid — identify your Yahoo account.email — retrieve your email address.profile — display name and (when available) avatar.mail-r — read mail (envelopes, bodies, attachments, folder structure, flags).mail-w — write mail (compose/send, append drafts, manage flags, move, delete).Identical to §4.3.
For accounts you configure manually — including self-hosted servers (Stalwart, Dovecot, Apache James, Nextcloud, etc.) and providers without OAuth — Silkwind connects with the credentials you provide (username + password, app password, or token).
For these accounts, data handling is governed by the policy of the server operator you configure. Silkwind itself applies the same local-only storage and zero-sharing rules described in §3 and §4.3, but we have no relationship with and make no representations about the third-party server you choose to connect to.
All mailbox content, calendar events, contact records, and account metadata are stored in a local SQLite database on your device:
SILKWIND_SECRET key derived at startup.OAuth refresh tokens, OAuth access tokens, and IMAP/SMTP passwords are stored in the operating system keychain (desktop) or encrypted in the database (server mode). They are never written to logs, telemetry, or backups under our control.
Silkwind does not run cloud servers that hold user mail, calendars, or contacts.
We do not sell, rent, license, or share your email, calendar, contact, or account data with any third party. The only network traffic Silkwind generates is:
If a court order or law-enforcement request compels disclosure of data we hold, we will challenge over-broad requests and notify you where legally permitted. As of the date above, we hold no user mailbox data on our infrastructure.
EXPUNGE, JMAP Email/set destroy, CalDAV DELETE, etc.). We do not retain a shadow copy.You may also request deletion of any data we may hold about you by contacting privacy@silkwind.app.
We follow industry-standard practices to detect and respond to vulnerabilities. Critical security fixes are released as soon as practicable; report issues responsibly to security@silkwind.app.
If you are in the European Economic Area, the United Kingdom, Switzerland, California, or another jurisdiction with comparable rules, you have the right to:
In practice, because Silkwind does not hold your mailbox data on our infrastructure, requests under (1)–(5) are largely satisfied by your direct control of the local database and the underlying provider’s tools. For account-level questions about telemetry, crash reports, or update-check logs we may hold, contact privacy@silkwind.app.
The data controller is Pulse S.r.l., Italy. You have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) or with the supervisory authority of your country of residence.
Silkwind is not directed at children under 13 (or under 16 in jurisdictions where that is the applicable threshold for digital consent). We do not knowingly collect data from children. If you believe a child has used Silkwind to connect a mailbox without appropriate consent, contact privacy@silkwind.app and we will assist in deleting any associated local data.
The following third parties may process data when their respective features are enabled:
You can disable all optional services in Settings → Privacy. Silkwind does not connect to any third-party service without your explicit action.
When we change this policy in a way that materially affects how we handle data, we will:
Continued use of Silkwind after the new effective date constitutes acceptance of the updated policy.
For Google-API-related questions specifically, you may also contact us at the address above and we will respond within the timeframe required by the Google API Services User Data Policy. For Yahoo-API-related questions, the same contact address applies; we will additionally honour any disclosure or deletion request escalated by Yahoo on your behalf.