Flick MailMerge is a small, focused tool. We hold the minimum data needed to send your mail well — encrypted at rest, isolated per user, never sold or rented.
We hold the minimum needed to send mail and run your account. Nothing is sold or rented; nothing is read for advertising.
We use no analytics, no ad networks, no session-replay tools.
session — keeps you signed in (HttpOnly, Secure, SameSite=Lax)
csrf — anti-CSRF token for write actions
mm-theme — local-storage only, your colour preference
That's the entire cookie list. No tracking, no advertising IDs.
Reach: info@codeftech.com
Flick MailMerge's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Your Google data is used only to provide these features — never for advertising, never sold or transferred to third parties. No human reads your Gmail content; access is automated, except with your consent (e.g. support), for security/abuse investigation, or to comply with law.
Every credential — provider tokens, SMTP passwords — is sealed with Fernet AES-128 before it touches the database. Single-session, idle auto-logout, and a full audit log on top.
OAuth tokens, refresh tokens, SMTP passwords and any user-uploaded credentials are encrypted with Fernet (AES-128-CBC + HMAC-SHA256) using a per-deployment key held outside the database.
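An added example (not Flick MailMerge's own code) of what the Fernet construction named above gives a stored credential: the 32-byte key splits into a 16-byte HMAC-SHA256 signing half and a 16-byte AES-128 half, and a stored token is authenticated before any decryption is attempted. The key, timestamp, IV and ciphertext bytes are constructed sample values, the function names are hypothetical, and the AES step itself is left to a real Fernet library.

```python
import base64
import hashlib
import hmac
import struct

def split_key(fernet_key):
    """32-byte key: first 16 bytes sign (HMAC-SHA256), last 16 encrypt (AES-128-CBC)."""
    raw = base64.urlsafe_b64decode(fernet_key)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]

def assemble_token(fernet_key, timestamp, iv, ciphertext):
    """Wrap already-encrypted bytes in the Fernet layout: 0x80 | ts | IV | ct | HMAC."""
    signing_key, _ = split_key(fernet_key)
    body = b"\x80" + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)

def verify_token(fernet_key, token):
    """Authenticate a stored token before any decryption; raise if it was altered."""
    signing_key, _ = split_key(fernet_key)
    data = base64.urlsafe_b64decode(token)
    if len(data) < 1 + 8 + 16 + 16 + 32 or data[0] != 0x80:
        raise ValueError("not a Fernet token")
    body, tag = data[:-32], data[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: token modified or wrong key")
    ciphertext = body[25:]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {"timestamp": struct.unpack(">Q", body[1:9])[0],
            "iv": body[9:25], "ciphertext": ciphertext}

def flip_byte(token, offset):
    """Simulate a database row altered at rest: flip one bit at a byte offset."""
    data = bytearray(base64.urlsafe_b64decode(token))
    data[offset] ^= 0x01
    return base64.urlsafe_b64encode(bytes(data))

# Constructed sample values (not real credentials or real ciphertext).
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))
SAMPLE_TOKEN = assemble_token(SAMPLE_KEY, 1700000000, b"\x11" * 16, b"\x22" * 32)

if __name__ == "__main__":
    print(verify_token(SAMPLE_KEY, SAMPLE_TOKEN)["timestamp"])
```

A row changed in the database, or read with a different deployment key, fails the HMAC check and is never passed to AES.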
TLS 1.3 only, on every endpoint, with HSTS preloaded. We refuse old ciphers, refuse plain HTTP, and refuse mixed content.
One active login per ID. Signing in elsewhere kicks the previous session immediately — and the audit log records both events with IP and user-agent.
5-minute inactivity timer with a 60-second warning. Tab visibility checks fire on return so a session left open overnight is killed before you blink twice.
Every authentication event, password change, OAuth connect/disconnect, and impersonation request is appended to an immutable activity log with IP, user-agent, and detail string.
Standard Gmail / Outlook sign-in returns a refresh token to our server.
OAuth 2.0
Fernet encrypts the token with a per-deployment master key before it touches Postgres.
AES-128-CBC
For each dispatch we decrypt in memory, send via your provider, then forget the plaintext token.
In-memory only
By using Flick MailMerge, you agree to the following. None of it is exotic.
Email us in plain language — we'll respond in plain language.
Send a short message — we usually reply within a few hours. Or ping us live on WhatsApp / email.