why the hell should i trust you with inbox access?
fair question. this is a high-trust permission. the short version: you should only use poststack if the controls are strong enough that you can verify behavior, revoke access fast, and limit what gets processed.
does this give you access to all of my emails, ever? (spoiler: yes)
at the Google permission layer: yes. the OAuth scope allows mailbox read access. that is exactly why we treat this as serious and why the app is designed around strict workflow limits.
- mail is first checked at headers/metadata to identify newsletter candidates.
- newly discovered publications are paused by default.
- full content processing is limited to sources you explicitly approve.
- you can disconnect Google and delete your data from the account page at any time.
why the hell would i do that?
only if the value is worth the trust tradeoff for you personally.
- you get a print-first weekly digest from subscriptions you already pay for.
- you control cadence and source approvals, not us.
- the goal is less fragmented screentime and a clean paper reading workflow.
- if that is not worth mailbox-read access to you, do not connect it.
how can i know you will do what you say?
don’t rely on promises. verify controls.
| check | what to verify |
|---|---|
| Google consent screen | scopes shown are identity + Gmail readonly only: openid, email, profile, https://www.googleapis.com/auth/gmail.readonly |
| source approval gate | new publications appear paused until you approve them in sources |
| token revocation | use disconnect Gmail token in account to cut off future access immediately |
| data deletion | use delete my data to remove saved records for your account |
| provider auth gate | mail auth checks are currently on for newsletter candidate processing |
| retention windows | auto cleanup is configured for message rows (90 days) and post rows (365 days) |
do any other apps do this?
yes. inbox-read scopes are common across categories like:
- email clients and search tools
- crm and sales automation tools
- ai email assistants and summarizers
- backup/compliance and archiving products
what matters is not whether the permission exists, but whether limits, auditability, and revocation are good enough for your risk tolerance.
poststack is optional. if your trust threshold is not met, do not connect. if you do connect, approve only the sources you actually want printed, and revoke access the moment that changes.