Inbox at the speed of intent.
TwinMail is a local-first, desktop-first email operations platform for people who manage many inboxes across many people — with encrypted on-device vaults, password-free delegation, large-archive ingest, and AI that asks before it acts.
Pre-launch
What you get.
- Local-first by default: message content, subjects, addresses, thread structure, search indexes, and provider identifiers stay on your device and never leave it in readable form.
- People-centric, not just account-centric: group accounts under a Person and operate across all of someone's inboxes from one view, with identity-safe reply selection to prevent wrong-from-address mistakes.
- Delegation without shared passwords: grant scoped access with Owner / Full / Triage / Read roles, gate destructive actions by role, and keep a complete audit trail of every delegated action.
- Archive and live mail in one searchable workspace: ingest large MBOX and EML exports (PST/OST targeted post-v1) with resumable, checkpointed imports alongside live provider sync.
- Glass-box AI with per-action consent: local intelligence runs by default; any off-device AI request shows the exact payload in a consent sheet first and is written to an encrypted audit log.
- Encrypted vaults with a documented cryptographic design: XChaCha20-Poly1305 AEAD, Argon2id-derived keys, Ed25519 signatures, X25519 key envelopes, and epoch-based rotation.
Built for control, not lock-in.
People-centric views
Organize email by Person rather than by account alone. Each Person groups related Accounts so you see aggregated unread counts and contact history across every connected inbox, with identity-safe reply selection built in.
Multi-inbox delegation
Give permissioned access to an Account or a Person without sharing passwords. Owner, Full, Triage, and Read tiers control what each operator can do; destructive actions are gated by role and every delegated action is logged.
Archive ingest
Import and search exported archives directly on-device with deterministic progress and checkpoint recovery for large imports. MBOX and EML are supported for v1; PST/OST ingest is a planned post-v1 milestone. Local FTS5 full-text indexing makes mail searchable right after ingest.
AI tools (glass-box)
Summarize threads, extract entities, draft replies, create handoff plans, and search by intent. Local AI handles classification, importance scoring, and entity extraction by default; cloud AI (summarization, drafting, Q&A) runs only after explicit per-action consent, with inputs and outputs both shown and audited. Drafts are pre-fill only — nothing is auto-sent.
Vault encryption
Every local data boundary is an encrypted Vault. Content, indexes, and connection metadata are protected with XChaCha20-Poly1305 under a per-Vault key hierarchy derived via Argon2id and HKDF, with Ed25519 event signatures, X25519 envelope encryption, and epoch-based key rotation. Lost keys cannot be recovered by Twindevs.
Handoff plans
Generate guided action plans to transfer responsibility for a thread or inbox to its owner — context bundle, checklist of next steps, and visible provenance so nothing falls through the cracks during operator handoff. Final assignment respects active role permissions.
Provider support
Connect Gmail/Google Workspace and Outlook/Microsoft 365 via OAuth where available, plus iCloud, Yahoo, Proton (via Bridge), and generic IMAP/SMTP. All provider credentials are stored in your encrypted local Vault, never on Twindevs servers.
Encrypted, optional multi-device sync
A zero-knowledge overlay relay can synchronize read/triage state, labels, workflow definitions, and audit events across devices. The relay stores only encrypted objects and minimal routing metadata (vault id, object id, size, epoch, device id, timestamps) — it cannot read your mail. Sync is opt-in.
Connect, organize, operate.
- Connect: Add live accounts via OAuth or application-specific passwords, and import archive files (MBOX, EML) directly from disk. Result: an encrypted local vault with indexed, searchable messages.
- Organize: Assign accounts to people and define delegation roles — Owner, Full, Triage, or Read — to control access without sharing passwords. Result: people-centric views across all accounts, with destructive actions gated by role.
- Operate: Summarize threads, draft replies, search by intent, and create handoff plans. Every AI action shows a consent sheet with the exact payload before any off-device transmission, and produces an auditable action with full provenance.
Questions, answered.
Is TwinMail available now?
Not as a general release. TwinMail is in Technical Preview and the program charter is explicit that it is not launchable today — early access is offered to qualified teams for evaluation, with unlimited accounts, AI tooling, and priority support during the preview. We will not claim general availability until the canonical build and its launch evidence support it.
What actually stays on my device?
Message bodies and attachments, subjects, sender/recipient addresses, timestamps, thread structure, full-text indexes and embeddings, and provider folder names and identifiers — all of it stays local and never leaves your device in readable form. If you enable multi-device sync, only encrypted overlay objects (read/triage state, labels, permissions, key envelopes, audit records) and minimal routing metadata are sent to the relay, which cannot decrypt them.
Does TwinMail send my email to an AI provider?
Only when you explicitly ask it to, one action at a time. Local intelligence (classification, importance scoring, entity extraction) runs on-device by default. Off-device actions like summarization, drafting, and Q&A are an explicit boundary crossing: a consent sheet shows the exact content to be transmitted, the request and response are written to an encrypted audit log, and drafts are pre-fill only — nothing is sent automatically.
How does delegation work without sharing passwords?
You grant scoped, role-based access to an Account or a Person using four tiers — Owner, Full, Triage, and Read — plus capability flags for things like provider sync and send-as. Destructive actions are hidden or disabled below Full/Owner, and every delegated action emits an audit log entry. Provider credentials remain in your encrypted vault and are never shared with delegates.
What archive formats and providers are supported, and what is planned later?
For v1, archive ingest covers MBOX and EML with resumable, checkpointed imports; PST/OST ingest is targeted as a post-v1 milestone. Live providers include Gmail/Google Workspace and Outlook/Microsoft 365 (OAuth where available), plus iCloud, Yahoo, Proton via Bridge, and generic IMAP/SMTP. Microsoft is IMAP-backed in v1, with Graph delta sync planned for a later milestone.
What encryption does TwinMail use?
Vaults use XChaCha20-Poly1305 AEAD for symmetric encryption, Argon2id for passphrase-derived secrets, HKDF for key expansion, Ed25519 for event signatures, and X25519 for key-envelope exchange, organized as a per-vault key hierarchy with epoch-based rotation. Provider tokens are encrypted at rest and never written to logs. One consequence of true local-first encryption: if you lose your key material, Twindevs cannot recover your data.
One privacy standard, five tools.
-
TwinContacts
Make your contacts trustworthy — and keep them that way.
-
TwinVault
Your household's accounts, credentials, and security posture — in one local vault.
-
TwinHermes
Your always-on agent, hosted on infrastructure you control.
-
TwinSystem
One repo for the whole smart home.
Start with TwinMail.
Privacy-first by default. Your data stays yours.