Privacy-first by design, limited by MVP scope

ShieldMail stores the generated mailbox session in an HttpOnly browser cookie so the frontend cannot directly read provider tokens or generated passwords. The visible email address may be cached in localStorage for a smoother reload experience.

No logs statement

This MVP does not include application-level logging of email message content. Hosting providers, temporary email providers, and security tools may still process technical request data according to their own policies.

Provider data

Messages are fetched from the configured temporary email provider through server-side API routes. The provider may process mailbox addresses, message metadata, message content, and related technical data according to its own policies.

No sensitive content

Do not receive private documents, account recovery links, financial messages, health data, or personal information in a temporary inbox.

Before production

Add signed or encrypted server sessions, a finalized privacy policy, analytics consent if analytics are enabled, shared rate limiting, abuse prevention, cookie consent where required, and verified provider terms.