Skim
Home GitHub Download

Privacy Policy

Last updated: July 13, 2026

This document is provided in English, which is the authoritative version.

Skim is a local-first, open-source email client for Windows. It runs entirely on your own computer. This policy explains what data Skim handles, where that data goes, and — importantly — what the Skim project does not collect.

The short version

  • Skim has no servers. The Skim project does not collect, receive, store, or transmit your email, contacts, credentials, or usage data.
  • Your mail is synced directly between your device and your mail provider over IMAP/SMTP, and cached locally on your device.
  • AI features are optional and only work when you supply your own API key. Nothing is sent to an AI provider unless you trigger an AI action.
  • There is no telemetry, no analytics, and no tracking of any kind.

Who this policy is from

"Skim", "we", or "the project" refers to the developer and contributors of the open-source Skim application, distributed under the MIT license at github.com/nikserg/skim. Because Skim runs locally and operates no backend service, the project is not a data controller of your mailbox content — you connect Skim directly to services you already control.

Information Skim handles, and where it stays

All of the following is processed and stored only on your device. It is never sent to the Skim project.

Account credentials and tokens

To connect to your mailbox, Skim needs either an app password or an OAuth token. These secrets — along with any AI API key — are stored in the Windows Credential Manager, the operating system's secure credential store. They are never written to Skim's database or to any configuration file, and are used solely to authenticate with the services you chose.

Email content and metadata

Skim synchronizes your messages, folders, and flags over IMAP straight from your mail provider into a local SQLite cache on your device. This local copy powers offline access and instant full-text search. It is stored on your machine and is not shared with anyone. Outgoing mail is sent through your provider's SMTP server.

AI feature data (optional)

Skim's AI features are disabled until you add your own API key for Anthropic or OpenRouter. When — and only when — you invoke an AI action (for example "Draft reply", "Summarize", "AI Recap", or a mailbox question), Skim sends the relevant message content and your prompt directly from your device to the AI provider you selected, over an encrypted connection, in order to generate the result. That request is governed by the chosen provider's own privacy policy. Skim adds no proxy, no intermediary server, and no account of its own. If you never add a key, no email content ever leaves your device for AI purposes.

Local application settings

Your preferences (language, theme, writer profile, and similar) are stored locally on your device so the app remembers them between launches.

What the Skim project collects

Nothing. Skim contains no analytics SDKs, no telemetry, no crash reporting to us, no advertising identifiers, and no phone-home behavior. We have no way to see your mailbox, your usage, or whether you use AI features at all.

Google user data and Limited Use

If you connect a Gmail account using "Continue with Google", Skim uses Google OAuth to obtain access to your Google mailbox on your behalf. The token is stored in Windows Credential Manager and used only to display and manage your mail within Skim, on your device.

Skim's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. Specifically:

  • Google user data is used only to provide and improve the app's user-facing email features that you can see in Skim.
  • Skim does not transfer Google user data to the Skim project or to any third party, except (a) as necessary to provide a feature you invoke — such as sending message content to an AI provider you configured — or (b) as required by law.
  • Skim does not use Google user data for advertising, and does not sell it.
  • Skim does not allow humans to read your Google user data, except where you give explicit consent for specific messages, where it is necessary for security purposes (such as investigating abuse), or where required by law.

Third-party services

Because you connect Skim directly to services you choose, the data you route through them is subject to their privacy policies:

  • Your email provider (e.g. Google, Microsoft, Yahoo, Apple, or any IMAP/SMTP host).
  • Your chosen AI provider, if you enable AI: Anthropic or OpenRouter.

Security

All connections to mail servers and AI providers use TLS encryption. Secrets are held in the Windows Credential Manager rather than in plaintext. Because your data never leaves your device except to the services you connect, the attack surface controlled by the Skim project is effectively limited to the application code itself, which is open source and auditable.

Data retention and deletion

You are in full control of your data because it lives on your machine. To remove it:

  • Disconnect an account in Skim to delete its local cache and remove its stored credentials.
  • Remove your API key in Settings → Skim AI to revoke AI access; the key is deleted from Credential Manager.
  • Uninstall Skim to remove the application. You may also delete the local database and any remaining entries in Windows Credential Manager.
  • You can revoke Skim's Google access at any time from your Google Account permissions page.

Children

Skim is a general-purpose productivity tool and is not directed to children under 13 (or the minimum age of digital consent in your jurisdiction).

Changes to this policy

We may update this policy as the software evolves. Material changes will be reflected here with a new "Last updated" date, and the history is publicly visible in the project's Git repository.

Contact

Questions about this policy or Skim's data practices can be raised via GitHub Issues.

MIT © Skim contributors
Home Source Privacy Terms Issues