# Trust and security URL: https://warmerly.com/trust > How Warmerly secures mailbox credentials, handles your data, and supports GDPR compliance. ## Security - **Encrypted at rest** — OAuth refresh tokens and any mailbox credentials are encrypted with AES-256-GCM before they touch our database. Encryption keys are stored separately from the data they protect. - **Encrypted in transit** — Every request to Warmerly is served over TLS 1.2 or higher. Internal service-to-service calls and outbound mailbox connections enforce TLS as well. - **OAuth, not passwords** — We connect Gmail and Microsoft 365 mailboxes through Google and Microsoft OAuth. We do not ask for, store, or transmit SMTP passwords or app passwords for these providers. - **Least-privilege scopes** — We request only the OAuth scopes required to send, read, and organise warmup messages. You can revoke access from your Google or Microsoft account at any time. ## Data handling - **Where your data lives** — Warmerly is hosted in the European Union and the United Kingdom. Primary databases run in Frankfurt and Dublin, with backups kept in the same region. - **Backups** — Encrypted, point-in-time backups run continuously with a 30 day retention window. - **Retention and deletion** — OAuth tokens are deleted immediately on mailbox disconnect. Account data is removed within 30 days of an account deletion request, except where retention is required by law. ## Sub-processors - **Stripe** — payment processing and subscription billing. - **Cloud hosting provider** — compute, database, and object storage in the EU and UK regions. - **Transactional email provider** — service notifications such as login codes, receipts, and security alerts. --- Source: https://warmerly.com/trust Site index: https://warmerly.com/llms.txt Full content: https://warmerly.com/llms-full.txt