Privacy Policy

yoyo.email is an invite-only, single-operator inbound webmail service. It also offers an optional browser extension that creates per-domain email masks (aliases of the form <slug>-<rand>@yoyo.email) so the operator can sign up to third-party services without exposing a personal address.

This policy describes what the service stores, what it deliberately does not store, and who can see it. It is written in plain English. If anything is unclear, please email the address at the bottom of this page.

Account information: the chosen username, a bcrypt hash of the account password, an optional recovery email address used only for password and two-factor resets, and — if enabled — encrypted two-factor secrets and passkey credentials.

Email content: messages received at <username>@yoyo.email and at any active mask are stored in the operator's inbox. Threading metadata, attachments, and sender contact records are derived from the messages and stored alongside.

Masks: each mask records its domain (eTLD+1), generated local part, creation time, last-received-at timestamp, and whether it has been revoked. Revoked masks keep their row so the same address is never reissued.

Authorized browsers: when the browser extension is connected to an account, the server stores a bcrypt-hashed access token, an operator-supplied label (e.g. "Firefox on Tuxedo"), the creation time, and the last-used-at timestamp.

Sessions: each web session records IP address and user-agent string so an unexpected sign-in triggers a security alert. Sessions can be revoked individually from the profile page.

There is no analytics suite, no third-party tracker, no advertising identifier, no fingerprinting library, and no cross-site behavioural profile.

The browser extension does not phone home. It talks only to yoyo.email's JSON API at /api/v1/* and only to fetch the operator's masks or create new ones at the operator's explicit request.

Email content is never used to train models, to generate recommendations, or to derive marketing segments.

Account data, masks, and email content are never sold, rented, or shared with third parties.

Outbound email is delivered through SMTP2GO under the operator's contract; recipients of outbound mail see only the message itself and the From / Reply-To headers chosen at compose time.

Inbound email passes through DigitalOcean's network on its way to the Postfix server that fronts yoyo.email; standard internet transit applies.

yoyo.email sets a first-party session cookie (signed, HttpOnly, SameSite=Lax) so a signed-in browser stays signed in. The cookie carries an opaque session identifier and nothing else.

Two optional first-party cookies remember the chosen theme (light or dark) and locale. They contain only those preferences.

There are no third-party cookies, no advertising cookies, and no cross-site tracking pixels.

The yoyo-mask browser extension requests the minimum permissions needed to work: storage (to hold the authorized-browser token locally), activeTab and scripting (to inject the mask chip beside an email input on the page you're filling out), tabs (to track the auth flow's redirect), and host access to all sites (so the chip can appear on any signup page you visit).

The chip never autofills an email input on its own. It appears only after you focus an email field, and it only writes a mask address into the field when you click it explicitly.

The extension stores its bearer token only in browser-local storage. The token is sent to yoyo.email in the Authorization header on every API call and is never logged.

Masks remain until you revoke them. A revoked mask keeps its row so its address is never reissued, but no further inbound mail is stored for it — yoyo's incinerator drops matching messages before they hit your inbox.

Web sessions auto-expire after a period of inactivity and can be revoked individually from the profile page.

Account deletion removes the account record, sessions, passkeys, two-factor secrets, masks, threads, messages, attachments, contacts, and authorized browsers. Once the account is deleted, the username cannot be reused.

Server backups are encrypted and retained for 30 days, after which they are overwritten.

You can view and export your data, change account settings, revoke authorized browsers, and delete your account from the profile page at any time.

To request a copy of any data not surfaced in the profile UI, or to ask any other privacy question, email the address below.

Privacy questions, data requests, and security reports: privacy@yoyo.email.

Postal mail and incorporation details are not applicable — yoyo.email is operated by an individual, not a company.