Sable
Privacy

Privacy policy

Sable is a mail app for the domains you own on Resend. Because it holds your mail, we owe you a plain answer to what we store, why, where it lives, and how to remove it. This page is that answer.

Last updated July 8, 2026

The short version

Sable stores message metadata, compressed message bodies, and attachments so the app can render your inbox instantly and keep working past Resend’s 30-day retention window. Everything is scoped to your account, encrypted at rest, and yours to export or delete.

  • Your Resend API key never leaves the server, and never enters the mobile app.
  • AI summaries are opt-in and use a no-training, zero-retention tier.
  • You can export everything, delete individual messages, or delete your whole account and all its blobs at any time.

What we store, and where

Sable splits your data across two stores to keep costs low and the database small. Every large byte lives in object storage; only the light, searchable bits live in the database.

Structured data (Postgres)

  • Message metadata: from, to, cc, subject, dates, read/star state, importance score.
  • Threading headers we actually use: message_id, in_reply_to, references.
  • A short (~200 character) plaintext snippet used to render the inbox list.
  • Pointers (bucket keys) to the full body and attachment blobs.
  • Your account, connected Resend domains, notification and retention preferences.

Bulk data (object storage)

  • Full HTML bodies, compressed (zstd or gzip) before writing.
  • Attachments, stored by content hash and deduplicated across messages.

On your device (cache only)

  • Recently viewed threads and attachments are cached locally for speed and offline reads. The device is a cache, never the source of truth — wiping the app removes nothing you care about.

Why we store it

Resend keeps received email for 30 days on all plans. Anything Sable wants to show you after that has to be persisted before the cliff — otherwise your inbox would silently empty out. Storing bodies and attachments is what lets the app work as an actual mail client instead of a 30-day preview.

How long we keep it

You choose. Every account has a retention setting with three options:

  • Keep forever — nothing is auto-removed.
  • Archive after N months — older mail moves to cold storage but stays available.
  • Delete after N months — older mail (rows and blobs) is hard-deleted on a schedule.

You can also set per-domain rules (e.g. “don’t store attachments for this domain”) and delete individual messages at any time.

How it is protected

  • In transit: TLS everywhere — between Resend, our API, our storage providers, and your device.
  • At rest: the database volume and the object-storage bucket are both encrypted at rest by the underlying providers.
  • Application-layer encryption: message bodies and attachments are encrypted with a per-object key before being written to the bucket, so a bucket compromise alone yields ciphertext.
  • Tenant isolation: every row and blob is scoped to your account. Ownership is enforced in the API layer and again with database-level policies as defense in depth.
  • Keys stay server-side: your Resend Full Access API key is stored encrypted and used only by our server. It is never bundled in the mobile app.
  • No standing human access: we do not read your mail. Access is audited, and a documented breach-response plan is in place.

Who else touches your data

Sable relies on a small number of vendors (“subprocessors”) to run. We name them openly:

  • Resend — the mail processor. Your domains’ inbound mail flows through Resend before Sable pulls it. Resend is not a hidden middleman; it’s the reason Sable exists.
  • Cloudflare R2 (or the Railway storage bucket, depending on deployment) — where compressed bodies and attachments live.
  • Railway — hosts the API and the Postgres database.
  • An LLM provider — used only when you turn on AI summaries, and only under a no-training, zero-retention agreement (see below).

Data-processing agreements are in place with each. If a subprocessor changes, we update this list before the change takes effect.

AI summaries

Some emails are long. Sable can generate a short summary at the top of a message so you can triage without reading the whole thing.

  • Summaries are off by default and opt-in per account, with per-domain overrides.
  • When on, the message body is truncated before being sent, over TLS, to the LLM provider.
  • We use a zero-retention, no-training tier: the provider does not keep the request or use it to train models.
  • The generated summary is stored on the message row alongside the model version, so you can see which model wrote which summary.

Your rights and controls

You can exercise all of these from inside the app, in Settings → Privacy & data:

  • Export — download every stored message and attachment in a portable format.
  • Delete an account — hard-deletes your database rows and the bucket blobs they reference. Deduplicated blobs are only removed when the last referrer is gone.
  • Retention — choose how long Sable keeps your mail (see above).
  • Per-domain toggles — disable attachment storage or AI summaries for a specific domain.
  • Access & correction — ask us for a copy of what we hold about you, or to correct it.

Sable is operated from Canada and honors requests under PIPEDA, the EU/UK GDPR (access, portability, rectification, erasure, restriction, objection), and the California CCPA (know, delete, correct, opt-out). Email us at privacy@getsable.app and we will respond within 30 days.

Children's data

Sable is not directed at children under 13, and we do not knowingly collect personal information from them. If you believe a child has created an account, contact us and we will delete it.

Changes to this policy

If we make a material change — for example, adding a subprocessor or a new type of stored data — we’ll update this page and note the effective date at the top. Continued use of Sable after the effective date means you accept the update. Historical versions are available on request.

Contact us

Sable is a product operated from Canada. For privacy questions, data-access requests, or anything else in this policy: