
Beware: Nylas cloud email retains all emails after account deletion - pheeney
TLDR:<p>- Nylas stores the keys to access your account even after you delete it.<p>- Nylas doesn&#x27;t actually delete your data, or it takes many many months.<p>Full story:<p>I was an early adopter of Nylas N1 when it first came out: https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=10333193. I had contributed to the project and hoped that self hosting the sync engine was going to become easier. In the interim I used the built in nylas cloud.<p>When they switched to paid only, I cancelled my account in mid july (you had to manually mail a deletion request from each account). I loaded up the email client a few days later to find my emails were still syncing. Come to find out the API request re-activates any account and voids any deletion.<p>So they re-marked it for deletion and told me to wait a &quot;bit&quot;. I never got any answer back to how long that was. I followed up later in the week and they had this new tool to cancel your account. I utilized the tool which said my account deletion was successful and a staff member confirmed it.<p>I checked again 6 weeks later and sure enough it still syncs. They don&#x27;t actually delete anything despite several confirmations that it is deleted. They can request your emails at any time even though I no longer have a Nylas account. This means they can pull my emails into their system without my knowledge or approval. They also failed to delete any of my existing data despite numerous requests over a 2 month period.<p>I reached out to support several times and was told that my account is still in queue. I also filed a security disclosure and was not taken seriously.<p>I combed through the privacy policy (https:&#x2F;&#x2F;nylas.com&#x2F;privacy-policy&#x2F;) and they will delete your data &quot;as soon we can&quot;. The security (https:&#x2F;&#x2F;nylas.com&#x2F;security&#x2F;) policy doesn&#x27;t reference data retention.<p>Beware.
======
grinich
Hi Patrick-- I work at Nylas and thought I'd drop a comment here too.

We did get your emails and queued your account for deletion but our logs
indicate you kept signing-in again and again, which removes your account from
the deletion queue.

Depending on your account provider, you can also revoke the Google Apps oAuth
token or change your provider's mail password.

We also deactive inactive accounts about ever 3 months, though that is on a
slower rolling basis.

Going forward the best option is to use the new deletion tool at
[https://billing.nylas.com/login](https://billing.nylas.com/login)

Sorry for this frustrating. Because a mail system inherently deals with a lot
of data (often millions of objects) deleting them all safely is not a
synchronous operation.

If you'd like to read a bit more about the security of your system, you can
check out [https://nylas.com/security](https://nylas.com/security)

And of course, if you want to keep using Nylas N1 without our managed cloud
sync, you can always run the open source sync engine yourself. More on that
here:
[https://github.com/nylas/N1/blob/master/CONFIGURATION.md](https://github.com/nylas/N1/blob/master/CONFIGURATION.md)

