Overview
Alias routes mail from aliases you create to your real inbox without exposing that inbox to the sender. To let you review deliveries in the dashboard, we temporarily store forwarded email (with user-controlled retention). Everything else we keep is metadata you configured yourself — aliases, forwarding destinations, custom domain records. This policy spells out each piece.
Data we collect
Email & optional password
Your email address is used to sign in and as the default forwarding destination. You can sign in with a one-time six-digit code, or — if you choose — set a password, which we store as a bcrypt hash.
Session token
A short-lived JWT kept in localStorage or extension storage to keep you signed in. The extension also caches your own aliases, domains, and preferences locally to stay responsive offline.
Aliases & domain records
The alias prefix, forwarding target, on/off state, and — if you add a custom domain — the SPF / MX / DKIM / DMARC values set during verification so re-checks work later.
Forwarded email & logs
To make past deliveries viewable in the dashboard, we store the raw message (up to 10 MB), parsed HTML/text, attachments, and metadata (sender, recipient, subject, status). An hourly cleanup purges expired rows per your retention setting.
How we use your data
- check_circleRoute inbound mail from your aliases to your configured forwarding address.
- check_circleSign you in — via a one-time code, or a password if you set one.
- check_circleLet you view, toggle, or delete any alias from the dashboard or extension popup.
- check_circleLet you open past deliveries in the dashboard until they fall outside your retention window.
blockWhat we don't do
- closeWe do not sell, rent, or transfer your data to third parties.
- closeWe do not embed third-party trackers, analytics, or ad pixels in the dashboard or extension.
- closeWe do not read or transmit the content of pages you visit with the extension installed — it reads only the current tab's hostname.
- closeWe do not keep forwarded email content or logs beyond the retention window you set. Scheduled cleanup permanently deletes anything past that window.
Chrome extension permissions
Every permission the extension requests exists to generate and manage aliases for you. Details below.
| Permission | Why we need it |
|---|---|
| storage | Persist your session token, preferences (prefix style, default domain), and a local cache of your own aliases/domains so the popup opens quickly. All of it stays on your device. |
| activeTab | Read only the hostname of the current tab so we can suggest a site-derived alias like "amazon-xxx@". We never read page content or form values. |
| contextMenus | Add the "Create mxalias for this site" item to the browser's right-click menu. |
| clipboardWrite | Copy the freshly generated alias to your clipboard so you can paste it into a signup form. |
| scripting | Inject the small inline "mx" button next to email input fields so you can create an alias without leaving the form. |
Host permissions: https://api.mxalias.com/* for API calls, plus https://mxalias.com/* and https://www.mxalias.com/* so signing out in the popup also clears the web dashboard. The extension makes no other network requests and loads no third-party scripts.
Data retention
Default. Adjust (or shorten) the window in Settings; a cron purges expired rows hourly.
Sender, recipient, subject, status. Auto-purges alongside content when you enable "content + logs" mode.
No automatic expiry. Remove any alias, domain, or email individually in the dashboard.
Your rights
Control retention
Shorten the retention window or switch to "content + logs" auto-purge mode in Settings at any time.
Delete items
Delete any alias, custom domain, or stored email from the dashboard. Removal is immediate.
Opt out of forwarding
Toggle an alias off; inbound mail is rejected with "no such recipient" at the SMTP layer and is not logged.
Full account erasure
Email privacy@mxalias.com and we will remove your account and all associated data; self-serve account deletion is on the roadmap.