When a company says “we don't store your emails,” that is a policy statement. Policies can be changed, overridden, or violated — by employees, by law enforcement requests, or by a data breach that exposes everything the server ever touched. When a system is architecturally incapable of persisting your email bodies, that is a structural constraint. No policy change, no insider threat, and no breach can expose content that was never stored. This is the difference between conventional email security and zero-persistence design.
Policy vs. Math
The security industry has trained users to trust privacy policies. Read the terms of service for most email security tools and you will find language like “we do not sell your email data” or “we do not access your email content except to provide the service.” These are policy commitments. They are meaningful, but they are promises made by humans about the behavior of systems that are technically capable of doing exactly what the policy forbids.
Mathematical constraints work differently. If email body content is never written to persistent storage, there is nothing to breach. If encryption keys are generated on the client and never transmitted to the server, no server administrator can decrypt your data even with full database access. These are not promises — they are properties of the architecture.
The practical distinction matters most when things go wrong. In 2024 and 2025, several major email security vendors suffered data breaches. In each case, the breach exposed cached email content because the vendor's architecture required storing email bodies to perform their analysis. A zero-persistence architecture makes this category of breach impossible by design.
Policy-Based Security
- ✗Server stores email content
- ✗"We promise not to look"
- ✗Breach exposes all stored emails
- ✗Trust is in the company
- ✗Privacy depends on policy compliance
Math-Based Security (Glance)
- ✓No email content persisted
- ✓Cannot read what was never stored
- ✓Breach exposes only metadata
- ✓Trust is in the architecture
- ✓Privacy is a structural property
How Conventional Email Security Works
Most email security tools operate as a man-in-the-middle between the email server and your inbox. Incoming email is routed through their infrastructure, where it is scanned for threats. This requires the tool to have full access to the email body — including everything in the message: personal details, financial information, health data, private communications.
Many tools cache this content to improve detection over time, to train their machine learning models, or to provide features like email search and archiving. This is not inherently malicious — it is the logical consequence of building a useful feature set. But it means that the vendor holds a copy of your email history, and that copy becomes a liability.
When these vendors are breached — and several high-profile breaches have occurred at exactly this category of company — the exposed data is not just login credentials. It is the full text of user emails: medical correspondence, legal communications, financial records, personal conversations going back years.
How Glance's Zero-Persistence Architecture Works
Glance analyzes threat signals that exist entirely in email metadata — and deliberately avoids touching the body content where possible. Here is exactly what flows through Glance's servers and what does not:
For the Tier 4 AI deep scan — which only activates for emails in the ambiguous threat score range — a redacted version of the email body is sent to Anthropic's Claude API. All personally identifiable information is stripped before the API call. The result (a threat classification and confidence score) is returned and stored. The body content is discarded.
What Glance permanently stores: sender reputation scores, threat classification results, scan counts, and account-level settings. No email body content appears in any persistent data store.
What This Means for You
The practical implication is straightforward: if Glance were ever breached, the attacker would find threat scores, domain reputation data, and metadata. They would find no email content. There is nothing to read. The most sensitive data — what you actually said in your emails, what your doctor wrote, what your lawyer advised — was never there to steal.
This also means Glance cannot be compelled to hand over email content it does not have. A lawful data request can obtain metadata and account information. It cannot obtain email bodies because they do not exist in Glance's data estate.
Privacy By Design
Zero-persistence architecture is not a marketing claim — it is a structural constraint that can be verified. The absence of email body content in Glance's database is not a policy you have to trust. It is a fact you can audit.
The Trade-Off
Zero-persistence design comes with real limitations. Glance cannot offer email search because it does not index email content. It cannot offer content-based smart categorization because it does not store bodies. It cannot train its models on your email history because that history is not stored.
These are intentional omissions. Every feature that requires storing email content is a feature we have chosen not to build, because the privacy cost outweighs the product value. Some users will find this limiting. For users who believe their email content is private, this is the only design that makes that belief technically defensible.
The threat signals Glance needs to protect your inbox — domain reputation, authentication failures, link analysis, behavioral anomalies — exist entirely at the metadata layer. Protecting you from phishing does not require storing what your doctor said. So Glance does not.
Glance is free to start. No credit card required. Your email content stays yours.
Try Glance FreeFrequently Asked Questions
What data does Glance actually store?
Glance stores email metadata only: sender address, sender domain, subject line, and timestamp. It stores threat scores and reputation signals derived from that metadata, and scan counts for analytics. It never stores email body content. Any content that enters the processing pipeline is held in Redis with a strict time-to-live (TTL) and discarded after analysis — it is never written to persistent storage.
Can Glance read my emails?
No. Glance's architecture is specifically designed to make this impossible. Email body content is processed ephemerally — it is analyzed in memory and discarded without being written to disk. The server never has persistent access to your email content. This is not a policy promise; it is a structural constraint.
How do encryption keys work with Glance?
Glance uses AES-256-GCM for any content that must temporarily pass through its processing pipeline. Keys are derived per-session and never stored persistently on the server. The architecture is moving toward full client-side key generation, where encryption keys never leave the user's device — meaning even a server breach yields no decryptable content.
Is Glance GDPR compliant?
Yes. Because Glance does not store email body content, the most sensitive category of personal data — the content of private communications — is simply not in Glance's data estate. This makes GDPR compliance structurally simpler than for tools that cache or index email content. Glance stores only metadata, which it handles in accordance with standard data minimization principles.
Email Security That Never Stores Your Emails
Zero-persistence architecture by design. Free to start — no credit card required.
Get Protected Free