Privacy Policy
Last updated: May 2026
The short version
Unlisted helps you unsubscribe from emails. To do that, we read email headers — things like who sent it and whether it has an unsubscribe link — and where needed, briefly scan email footers to find unsubscribe links. We never store the content of your emails. Your data is yours, and we will never sell it.
Who we are
Unlisted is operated by Untamed Muse Ltd. If you have any questions about this policy, contact us at support@get-unlisted.com.
What we collect and why
Account information
When you sign in with Google or Microsoft, we receive your name and email address. We use this to identify your account. We do not receive your password.
How we read your email
When you connect your mailbox, you choose the scope of what we scan. By default, we scan your whole inbox to find subscription emails. Alternatively, you can restrict scanning to a specific Unlisted folder — only emails you move there will be processed. You can change this at any time in Settings.
Within whichever scope you choose, we scan email headers to identify subscription emails. Headers include things like the sender address, the List-Unsubscribe field, and the List-Id — the same information your email app shows in the "From" line. For most emails, headers are all we need.
As a fallback, if no unsubscribe link is found in the headers, we may briefly read the footer of an email to look for an unsubscribe link. Only the URL we find is saved — the email content is discarded immediately and never stored.
Subject lines
Subject lines are stored only as an irreversible hash (a fingerprint) for deduplication. We also store a truncated, masked version for display purposes. The full subject line is never stored.
OAuth tokens
To access your mailbox, Google and Microsoft issue us access tokens. These are encrypted before being stored in our database. They are used only to scan your mailbox and execute unsubscribe actions on your behalf.
Billing information
If you upgrade to Pro, payments are processed by Stripe. We never see or store your card details — Stripe handles all payment data directly. We only store a record of your access grant (plan type and expiry date).
Usage logs
We keep a log of unsubscribe actions you take (which sender, when, and whether it succeeded). This is your activity history, visible to you in the app, and is deleted when you delete your account.
What we never do
- We never store the content of your emails
- We never sell your data to third parties
- We never use your data for advertising
- We never share your email address with marketers
- We never store full subject lines
Who we share data with
We use a small number of trusted services to operate Unlisted:
- Supabase — database hosting (EU region)
- Render — backend server hosting
- Vercel — frontend hosting
- Stripe — payment processing
- Postmark — transactional email (e.g. account notifications)
- Sentry — error monitoring (no email content is ever included in error reports)
- Google / Microsoft — OAuth providers for mailbox access
We do not sell data to or share data with any other third parties.
Data retention
We keep your data for as long as you have an account. When you delete your account, all of your data is permanently deleted — including your mailbox connections, scanned email records, unsubscribe history, and OAuth tokens. Your OAuth permissions with Google and Microsoft are also revoked at that point.
Your rights
You have the right to:
- Access your data — everything we hold is visible in the app
- Delete your account and all associated data — go to Settings → Delete account
- Disconnect your mailbox at any time — this revokes our access to your email
- Contact us with any privacy concerns at support@get-unlisted.com
If you are based in the UK or EU, you also have rights under UK GDPR and the Data Protection Act 2018, including the right to lodge a complaint with the ICO (ico.org.uk).
Cookies
We use a small number of cookies strictly necessary for the app to function — specifically, session cookies that keep you signed in. We do not use advertising cookies or tracking cookies.
How we protect your data
We take the security of your data seriously, particularly given that Unlisted handles access to your mailbox. The following protections are in place:
- Encryption in transit — all data sent between your browser, our servers, and third-party services travels over encrypted HTTPS/TLS connections. This is enforced at the infrastructure level by our hosting providers (Vercel and Render).
- Encryption at rest — OAuth access tokens and refresh tokens (which grant us access to your mailbox) are encrypted using AES-128 symmetric encryption (Fernet) before being written to the database. They are never stored in plain text.
- Refresh tokens stored as hashes — session refresh tokens sent to your browser are stored in our database only as a one-way SHA-256 hash. The raw token value is never persisted on our side.
- Email body content never written to disk — when we scan an email footer as a fallback, the body is loaded into memory for processing only. It is discarded immediately and never written to the database, logged, or included in error reports.
- Subject lines protected — full subject lines are never stored. We keep only a truncated version (for display) and a one-way SHA-256 hash (for deduplication).
- Access controls — all API endpoints require a valid authenticated session. Access to production infrastructure and user data is limited to the application's core team.
- Security incident notification — in the event of a data breach affecting your personal data, we will notify you and the relevant authorities as required under UK GDPR.
Changes to this policy
If we make meaningful changes to this policy, we will update the date at the top and notify you by email if the changes affect how we use your data.
Contact
Questions about privacy? support@get-unlisted.com