Security

Security practices.

Last updated: May 8, 2026

Transport and storage

MailPolish is intended to run over HTTPS. Production API keys and payment secrets are stored server-side in configuration files that are blocked from public web access.

Payments

Payment card and bank details are handled by payment processors. MailPolish stores subscription metadata needed to activate and support accounts, but not full card numbers.

Outlook add-in behavior

The add-in runs inside Outlook, adds a MailPolish task pane, and uses Microsoft Office JavaScript APIs to read the selected message or current compose item when the user opens and uses the add-in.

Report a concern

Send security reports to info@mailpolish.ai. Please include the affected URL, steps to reproduce, and any relevant timestamps.