Privacy Policy
Last updated: March 8, 2026
What GhstMail Does
GhstMail is an email alias service. You create disposable email addresses that forward incoming mail to your real inbox. Your real email address is never exposed to third parties.
Data We Collect
- Email address — used to create your account and as the forwarding destination for your aliases.
- Password — hashed with bcrypt before storage. We never store or see your plaintext password.
- Alias metadata — alias addresses, labels, active/inactive status, creation dates, and aggregate counts (emails received/forwarded). We do not store the content of forwarded emails.
- Filter rules — domains you choose to block or allow.
Data We Do Not Collect
- We do not read, store, or log the content of your emails.
- We do not track your browsing history or web activity.
- We do not collect analytics, fingerprints, or telemetry.
- We do not use cookies for tracking or advertising.
Chrome Extension
The GhstMail Chrome extension:
- Stores your authentication token locally using chrome.storage.local so you stay logged in.
- Detects email input fields on web pages to show the alias generation button. No page content is collected or transmitted.
- Communicates only with api.ghstmail.space to generate aliases and authenticate. No other external requests are made.
- Does not inject remote code or execute external scripts.
How Email Forwarding Works
When an email arrives at one of your aliases, our server parses it, rewrites the headers, and forwards it to your real email address. The email content passes through our server in transit but is never stored on disk or in our database. Reply tokens are generated to enable two-way communication without revealing your real address.
Third-Party Sharing
We do not sell, rent, or share your personal data with any third party. We do not use your data for advertising, analytics, or creditworthiness purposes.
Data Retention
Your account data is retained as long as your account is active. Deleting an alias permanently removes it and all associated reply tokens. You can delete your account at any time, which removes all your data from our systems.
Security
Passwords are hashed with bcrypt. All connections use TLS. DKIM signing is applied to forwarded emails. Authentication uses short-lived JWT tokens.
Contact
For questions about this privacy policy, contact us at privacy@ghstmail.space.