CCullapse
Trust

Privacy policy

The shortest version: Cullapse reads message headers. It does not read message bodies, and it has no servers of its own. This page describes what happens to the small amount of metadata Cullapse does process.

Effective 2026-05-13 · Version 1.0

1. Summary

Cullapse is metadata-only by construction. It fetches headers from your IMAP mail accounts to surface senders, subjects, and engagement signals, and provides bulk actions to delete, archive, move, and unsubscribe. No body content is fetched, stored, or transmitted to any third party. There is no Cullapse account, no Cullapse server, and no advertising network.

2. Scope

This policy applies to the Cullapse application for macOS and iOS, the bundled cullapse command-line tool, and this website. References to “Cullapse” mean the application; references to the developer mean an individual maintaining the project as a personal endeavor.

3. Data Cullapse processes

Cullapse processes the minimum metadata needed to make triage decisions. The full list is small enough to enumerate:

  • Email envelope fields: From, To, Cc, Subject, Date, Message-ID, In-Reply-To, References.
  • List headers: List-Unsubscribe, List-Unsubscribe-Post, List-Id.
  • IMAP flags: \Seen, \Answered, \Flagged, \Deleted, custom keywords.
  • Server-reported message size in bytes (RFC822.SIZE).
  • A single boolean per message indicating whether at least one attachment is present. Computed from the IMAP BODYSTRUCTURE response when requested; the rest of BODYSTRUCTURE (attachment filenames, MIME types, part sizes) is parsed only to compute that boolean and then discarded. The cache stores only the boolean.
  • Folder names you have connected and the UIDs of messages within them.
  • Your account configuration: email address, IMAP host and port, display name, the preferences you choose in Settings.
  • The categories, rules, VIP lists, suggestion dismissals, and replied-to message IDs you generate while using the app.
  • A presence check, for each message, against a bundled list of ~5,400 known disposable / throwaway email domains (e.g., Mailinator, GuerrillaMail). The list is the public-domain (CC0) disposable-email-domains dataset, shipped inside the application binary. The check runs entirely on-device; no sender address is sent off-device for this purpose, no result is recorded outside the local cache.

4. Data Cullapse does not process

The following are not read, not stored, and not transmitted:

  • Message bodies, in any MIME part, in any format.
  • Attachment content, attachment filenames, MIME types, or per-part byte counts. Cullapse may observe (via BODYSTRUCTURE) that a message has attachments, as noted in §3 — but the only thing retained from that observation is a single boolean. Filenames, image bytes, document bytes, and embedded-media bytes are never fetched, never parsed beyond the presence check, and never stored.
  • Tracking pixels — external URLs in mail are never fetched by Cullapse.
  • Calendar, contacts, photos, location, or any other system data outside the IMAP accounts you connect.
  • Behavioral analytics: there is no advertising SDK, no fingerprinting, no cross-app tracking.

5. Local processing

All triage logic — grouping, deduplication, VIP detection, rule evaluation, the buffered-undo timer — runs on your device. Cached headers are persisted locally using Apple's SwiftData framework inside the application's sandboxed container. The cache is not mirrored to iCloud and is removed when you delete the application or disconnect the account.

6. Credentials

IMAP passwords, app-specific passwords, and any third-party AI provider API keys you enter are stored in the system Keychain (macOS Keychain or iOS Keychain). Cullapse routes every keychain operation through a single store so the iCloud-sync flag is consistent across items.

By default, credentials are marked kSecAttrAccessibleWhenUnlockedThisDeviceOnly and do not sync. If you enable “Sync passwords with iCloud Keychain” in Settings → General, existing items are migrated to kSecAttrAccessibleWhenUnlocked and become available on your other Apple devices via Apple's iCloud Keychain. This is a per-device preference; turning it off removes the synchronizable flag and restores device-only storage.

7. iCloud settings sync

“Sync settings with iCloud” in Settings → General is opt-in and separate from iCloud Keychain. When enabled, Cullapse mirrors a narrow allowlist of preferences to NSUbiquitousKeyValueStore:

  • Accounts list — email addresses, IMAP host and port, and display names. Passwords are not included.
  • Rules you have created.
  • AI provider preferences (provider choice, model). API keys are not included.
  • Triage state: sender categories, VIPs, suggestion dismissals, replied-message IDs.
  • UI preferences: window state, default views, undo buffer length.

The cached headers, IMAP UID validity, fetch progress, and any Keychain item are explicitly excluded from this sync path. The allowlist is enforced in code.

7.1 What “triage state” actually contains

Sender categories are stored as a map from sender address to a category label (newsletter, transactional, promotional, social, notification, personal, other). VIPs are a set of sender addresses. Suggestion dismissals are short fingerprints of already-rejected rule suggestions. Replied-message IDs are RFC 822 Message-Id strings of messages you have answered. All of these are derived from metadata — none of them contain body text, attachments, or anything fetched from a message payload. They ride iCloud KV under the same metadata-only contract as the rest of the allowlist.

7.2 How categories behave across devices

AI inference always runs on the device that requested it — either Apple Foundation Models locally, or a third-party provider you configured with your own API key. With iCloud settings sync enabled, each device's categorizations are mirrored to iCloud KV and merged: senders one device has classified that another hasn't are unioned in; if both devices classified the same sender differently, the most recently synced classification wins. With iCloud settings sync disabled, categories are per-device, and the same sender may end up labeled differently on different devices because AI inference has run-to-run variance. This is the tradeoff of running inference on your hardware rather than on a Cullapse-operated server: convergence is opt-in via Apple's KV store, never via anything Cullapse runs.

Even with iCloud sync on, message bodies still never leave the device, never reach iCloud, and never reach any third party.

7.3 Advanced Data Protection

Synced settings ride iCloud KV-store under Apple's Standard Data Protection: encrypted in transit and at rest, with Apple holding the keys. This is the same posture that covers iCloud Mail, Notes, Calendars, and Reminders for most users, and we consider it appropriate for metadata of the kind described in §7.1 (sender addresses, category labels, VIP sets, suggestion fingerprints, replied-message IDs).

If your threat model calls for stronger guarantees on the synced metadata, turning on Advanced Data Protection for iCloud extends end-to-end encryption to iCloud KV-store. With ADP on, the categories, VIPs, replied-message IDs, and accounts list that Cullapse mirrors to iCloud become readable only on your signed-in Apple devices — Apple no longer holds the keys.

What ADP does not change for Cullapse:

  • iCloud Keychain (where IMAP passwords and AI provider API keys live when “Sync passwords with iCloud Keychain” is on) is end-to-end encrypted regardless of ADP. Credentials do not gain anything from ADP and do not lose anything without it.
  • Message bodies are not synced either way. Cullapse never reads them and never transmits them; nothing on the iCloud side changes that.
  • Cached headers, IMAP UID validity, and fetch progress are not synced either way — they live only in the application's sandboxed container on each device.

ADP is an Apple feature, configured in Settings → [your name] → iCloud → Advanced Data Protection (or the equivalent on macOS). It requires all your signed-in Apple devices to meet Apple's minimum OS version and to have two-factor authentication enabled. See Apple's support article on Advanced Data Protection for current requirements and tradeoffs.

8. AI providers

Cullapse offers optional AI assistance for sender categorization, triage suggestions, and rule proposals. The default provider is Apple Foundation Models, which runs on-device or, for larger requests, in Apple's Private Cloud Compute. No content leaves Apple's privacy boundary.

You may instead configure Anthropic, OpenAI, Google, or Perplexity as a provider, using your own API key. When you do, the information sent for each request is limited to the metadata described in §3: sender addresses, subjects, list headers, dates, flags, read state, and your prompt. Cullapse acts as a client; the provider's own privacy policy governs what they do with the request. Cullapse has no inference server of its own and does not log AI requests.

See the AI processing page for the full list of what is sent for each feature.

9. Telemetry

Cullapse ships with no analytics SDK and collects no telemetry by default. If you opt in to “Share anonymous diagnostics” (off by default), Cullapse will submit crash reports through Apple's standard reporting mechanism. These reports contain stack traces and process metadata; they do not contain email content or account credentials. You can revoke this at any time in macOS or iOS system settings.

10. Third parties

Cullapse interacts with three categories of third parties on your behalf:

  • Your mail providers (for example, Fastmail, Gmail, iCloud Mail). Cullapse speaks IMAP to them directly using credentials you supply. Their privacy policies govern what they log about the connection.
  • Apple, for the Mac App Store, Universal Purchase, Family Sharing, iCloud Keychain, iCloud KV-Store, and Foundation Models. Apple's privacy policy applies to these services.
  • An AI provider you optionally configure, addressed directly from your device using your API key. Their privacy policy applies to those requests.

Cullapse has no other third-party data processors. There is no CDN for analytics, no error-reporting service, no marketing automation.

11. Retention

Local data lives for as long as the application is installed and the account is connected. Disconnecting an account removes its cached headers and per-account state. Deleting the application removes the local data store; Keychain items follow standard Apple behavior for app removal. iCloud KV-Store entries can be cleared from Settings → General → “Clear iCloud sync data”.

12. Your rights (GDPR, CCPA, and similar laws)

Because Cullapse does not collect personal data on its own servers, most data-subject rights are exercised directly on your device:

  • Access. Open the app. Everything Cullapse knows is visible in the UI.
  • Portability. Use the CLI's cullapse export command to dump your rules, categories, and VIPs.
  • Erasure. Delete the application, or disconnect the account.
  • Objection. Disable any optional feature in Settings.

If you have a question about these rights that you cannot answer by inspecting the app, you may write to dev@snxt.ai. The developer reads every message but makes no commitment to a response timeline; see the support page for the full as-is posture.

13. Children

Cullapse is not directed at children under 13 and is rated 4+ on the App Store for content reasons only. The developer does not knowingly collect data from children.

14. Changes

Material changes to this policy will be announced in-app and on this page at least 30 days before they take effect. The effective date and version number above always reflect the current policy.

15. Contact

Shawn M. Brown, individual developer.
All correspondence: dev@snxt.ai.