← MailFalcon

Privacy policy

Last updated 2026-06-15

What MailFalcon does

MailFalcon is a Chrome extension and web dashboard that lets a sender (you) see when emails you've sent through Gmail are opened, and whether recipients click links inside them. It works by injecting a 1×1 transparent image and rewriting outbound links to pass through our redirect server before reaching the destination.

Data we collect from you (the sender)

  • Email address. Used to sign you in via a one-time code and to identify your tracked emails.
  • For each email you choose to track: a random tracking ID, the time you sent it, the number of recipients, and the original URLs of any links you included (so we can redirect recipients back to them).
  • Billing information (Stripe customer ID, subscription tier) if you upgrade to a paid plan. Stripe processes payment details; we never see your card.

We store the subject line of tracked emails so you and MailFalcon administrators can identify them in the dashboard. We do not store the body. We do not store your recipients' email addresses — only a count.

Data we collect when a recipient opens a tracked email or clicks a tracked link

  • The tracking ID of the email (lets us attribute back to you).
  • Timestamp of the open or click.
  • A coarse classification of the user agent (desktop / mobile / bot) — used to filter out automated security scanners and Gmail's own image proxy from your stats.
  • Browser name and major version (e.g. "Chrome 130"), operating system name and version (e.g. "Windows 11"), and a coarse device descriptor where the user-agent string includes it (e.g. "iPhone").
  • Coarse geolocation derived by Cloudflare from the recipient's IP address: country, region/state, city, postal code, and IANA timezone (e.g. "America/New_York"). When available, approximate latitude/longitude at IP-block resolution (city-level, not GPS).
  • The recipient's IP address. We retain both a /24-truncated form (e.g. 192.168.1.0) for aggregate statistics and the full IP for abuse investigation. The full IP is only accessible to MailFalcon administrators and is deleted on the standard retention schedule.

We do not drop cookies on the recipient, do not fingerprint their device beyond the publicly-broadcast user-agent string, and do not share anything we collect with third-party advertising or analytics networks.

Privacy mode

Every Gmail compose window has a "Privacy mode" checkbox added by the MailFalcon extension. When checked, no pixel is injected, no links are rewritten, and no record of the send is created on our servers. That email is, from our perspective, completely untracked.

Email we send to you

We send one-time sign-in codes to your email address. If enabled (default on, toggle in Settings), we send a daily summary email at 6pm Eastern with that day's open/click counts and the subjects of your most-engaged emails. Days without activity are skipped. We do not include recipient addresses in the digest.

How long we keep your data

  • Free plan: tracked-email history and event log retained for 30 days, then automatically purged.
  • Pro plan: retained for 1 year.
  • Account closure: all of your data is deleted within 30 days of you signing out and not signing back in, or immediately on explicit deletion request.

Where your data is stored

Cloudflare D1 (database) and Cloudflare KV (session + rate-limit cache), both edge-replicated, primary region in eastern North America. Push notification subscriptions are stored in D1 alongside your account; we deliver pushes via the browser's standard Web Push protocol (no third-party push service).

Use of Google user data

The Chrome extension reads the body of a Gmail compose window only at the moment you click Send, and only to:

  • insert a tracking pixel image at the end of the body, and
  • rewrite outbound link URLs to pass through t.mailfalcon.app.

The modified body is then handed back to Gmail to send. The extension does not transmit your compose text, subject, recipient addresses, or any other Gmail content to our servers or to any third party. MailFalcon's use of information received from Google APIs adheres to Google's API Services User Data Policy, including the Limited Use requirements.

Reply detection

When a tracked email is opened in your Gmail and a new inbound message appears in the same thread, the extension reads the sender's email address and the first 400 characters of the message body locally so it can distinguish your own sends from replies and filter out auto-responders ("out of office", "vacation responder"). If the message is a real reply, the extension sends only the Gmail thread ID and message ID to MailFalcon — never the body, never the sender address — so the dashboard can show "Alice replied" alongside the open and click events for that email. If reply detection is undesirable, tick the privacy-mode checkbox at compose time; no threadId is stored and the extension will not correlate any inbound message back to that tracked email.

Your rights

You can sign in to your dashboard at any time to review every tracked email and event we've stored. Use the Settings page to:

  • Download your data — a JSON file with every row scoped to your account (user record, tracked emails, links, events, push subscriptions, templates, follow-ups, billing).
  • Delete your account — sends a 6-digit confirmation code to your registered email; on confirm we permanently remove your user record and cascade-delete every associated row.

Both actions are self-serve and complete within seconds. For anything else, email hello@mailfalcon.app from the address registered to your account. We respond within 7 days.

Contact

For any privacy question, write to hello@mailfalcon.app.