Your device wraps every key.
On install, your device generates an RSA-OAEP-4096 keypair. The private half never leaves. We only ever see the public half.
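```javascript
const keyPair = await crypto.subtle.generateKey(
  { name: "RSA-OAEP",
    modulusLength: 4096,
    publicExponent: new Uint8Array([1, 0, 1]), // 65537
    hash: "SHA-256" },                         // OAEP hash: assumed, not stated on this page
  false, ["wrapKey", "unwrapKey"]);            // private half is non-extractable
```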
Zero-knowledge by design. Encrypted at rest. Auditable by you. This page is a plain-English explanation of how that works — with links to the cryptography underneath.
Your mail provider hands us envelopes. We classify envelopes. Bodies stay encrypted under keys we cannot hold.
A fresh AES-256-GCM key encrypts each message body in memory. That AES key is then RSA-wrapped with your public key before it touches disk.
Our servers handle From, To, Subject, routing metadata, and the wrapped ciphertext. No body, no attachments. Our ML reads envelopes — and never plaintext.
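The key flow described above, written out with the WebCrypto API as an added example; it is not Glance's own code. The function names, the record field names, SHA-256 as the OAEP hash, and the 96-bit random GCM nonce are assumptions made for illustration.

```javascript
// Added example (not Glance's code). Assumed: SHA-256 as the OAEP hash,
// a 96-bit random GCM nonce, and the record field names.
async function webCrypto() {
  // Dynamic import works from both CommonJS and ES modules on Node.
  return globalThis.crypto ?? (await import("node:crypto")).webcrypto;
}

// Device, on install: RSA-OAEP pair whose private half is non-extractable.
async function generateDeviceKeyPair(modulusLength = 4096) {
  const { subtle } = await webCrypto();
  return subtle.generateKey(
    { name: "RSA-OAEP", modulusLength,
      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    false, ["wrapKey", "unwrapKey"]);
}

// Device, per message: a fresh AES-256-GCM key encrypts the body, then that
// AES key is wrapped under the RSA public key. Only this record is stored.
async function sealBody(publicKey, bodyText) {
  const wc = await webCrypto();
  const bodyKey = await wc.subtle.generateKey(
    { name: "AES-GCM", length: 256 }, true, ["encrypt"]); // extractable so it can be wrapped
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ciphertext = await wc.subtle.encrypt(
    { name: "AES-GCM", iv }, bodyKey, new TextEncoder().encode(bodyText));
  const wrappedKey = await wc.subtle.wrapKey(
    "raw", bodyKey, publicKey, { name: "RSA-OAEP" });
  return { iv, wrappedKey, ciphertext };
}

// Device only: unwrap the AES key with the private half, then decrypt.
// Rejects if the ciphertext or wrapped key was modified (GCM tag / OAEP check).
async function openBody(privateKey, { iv, wrappedKey, ciphertext }) {
  const { subtle } = await webCrypto();
  const bodyKey = await subtle.unwrapKey(
    "raw", wrappedKey, privateKey, { name: "RSA-OAEP" },
    { name: "AES-GCM", length: 256 }, false, ["decrypt"]);
  const plain = await subtle.decrypt({ name: "AES-GCM", iv }, bodyKey, ciphertext);
  return new TextDecoder().decode(plain);
}

// True when the platform refuses to export the private half.
async function privateKeyIsSealed(privateKey) {
  const { subtle } = await webCrypto();
  return subtle.exportKey("pkcs8", privateKey).then(() => false, () => true);
}
```

A party holding only the returned record and the public key has no usable decryption path; `openBody` needs the private `CryptoKey`, which `privateKeyIsSealed` confirms cannot be exported through the API.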
We respond to lawful legal process. But we can only produce what we hold — and we do not hold plaintext.
| The court order demands | What Glance can actually produce |
|---|---|
| Email body content | Nothing readable — ciphertext only. |
| Attachments | Nothing readable — we never touch them. |
| Metadata / routing | Only what the SMTP header already reveals. |
| Sender identity | A salted hash. The plaintext address lives with you. |
| Our ML inference signals | Aggregated counts. No sender-level data beyond hashes. |
| Companion approval history | Yes — with notice to the account holder, when law permits. |
We publish the reports. You read them. That's the deal.
Continuous-window audit by an AICPA-accredited firm. Report available under NDA for teams; summary is public.
Business Associate Agreement available for Pro customers handling PHI. Envelope-only architecture makes BAA scope trivial.
Full data map published. One-click export, deletion, and correction requests. No dark patterns. No "sorry, 30 days."
All endpoints score A+ on Qualys SSL Labs. HSTS preloaded. TLS 1.3 only. Cipher suites documented and pinned.
Scope: everything at glance.email, glance.app, and the mobile clients. We respond within 48 hours. No legal threats against good-faith reporters, ever.
Reproducible, non-chained. Credited in the hall of fame.
Meaningful impact on a real customer. Bonus for clean PoC.
Anything that violates zero-knowledge. Our worst nightmare is your biggest payday.
Not when our lawyers finish drafting. Not when regulators require it. Within 72 hours of confirming any incident touching customer data, we publish a full post-mortem: what happened, what was exposed, what we're doing next. That's the commitment — signed into our articles of incorporation.
Cryptography changes, auth changes, and infrastructure changes that touch customer data. Nothing cosmetic.
It means the servers running Glance do not possess the keys required to decrypt message bodies. We designed the system so that even with full administrative access to our infrastructure — including physical access to disks and active memory dumps — an attacker cannot read customer email. The private halves of those keys live on your devices, wrapped by your OS keystore.
No. We don't sell data in any form — anonymized, aggregated, hashed, or otherwise. Our revenue comes exclusively from subscriptions. If that ever changes, you'll see it on this page first, with at least 30 days of notice.
You do. Your devices generate them, your devices hold the private halves, and your devices sign every decryption request. If you delete your account, we delete our copy of the public halves and you're back to being a stranger to us.
Architecturally, no — they don't have the keys. Operationally, we also run least-privilege access, mandatory MFA with hardware tokens, and quarterly access reviews. Every production access is logged to an append-only audit trail that's reviewed by an outside firm during the SOC 2 window.
US customers: AWS us-east-1 and us-west-2, dual-region. EU customers: AWS eu-west-1 and eu-central-1, dual-region, with no US failover. You can pin your region at signup. Moving between regions is a deletion-plus-reimport, never a silent migration.
Envelopes are retained as long as your account is active, so Companion decisions can stick. Ciphertext bodies follow your provider's retention — we don't store them independently. Logs are retained for 90 days. Billing records follow US tax law (seven years, hashed identifiers only).
30-day grace period during which you can export everything as a signed, portable bundle. After 30 days, full cryptographic erasure: your public keys are destroyed, all remaining ciphertext is unreadable forever, and the audit log of the deletion is preserved for one year for regulatory requests.
We respond to valid, narrowly-scoped legal process from jurisdictions where we operate. We notify account holders whenever law permits. We challenge overly broad requests, and publish a transparency report twice a year listing request counts, rejection counts, and scope negotiations. What we produce is limited by the table above — we cannot hand over what we do not hold.
A real person you love can sign off on the unfamiliar email. Apple Intelligence cannot do this. Abnormal cannot do this. Sublime cannot do this.
Sub-50ms LightGBM + ONNX runs locally — no cloud round-trip. Zero-knowledge by architecture, not by promise. Even a subpoena gets nothing readable.
Every approval makes the household — and the network — safer. Crowd-sourced reputation means a scam stopped for one family is stopped for thousands.
If you read this whole page and still have questions, that's the right instinct. Ours, too. Reach out.