Private Temp Email — No Tracking
NukeMail collects no personal data, uses no tracking pixels, sells no information, and employs HTTP-only cookies exclusively for session management....
What "No Tracking" Actually Means
Many services claim to be "privacy-friendly" while still collecting significant amounts of data. They might not sell your email address, but they log your IP, timestamp every action, track which pages you visit, and use analytics tools that build behavioral profiles. "We do not sell your data" is a low bar.
NukeMail defines privacy at the architectural level. There is no user account system, so there is nothing to link activity to an identity. The only cookie is the session cookie for your inbox — no tracking cookies, no advertising cookies, no third-party cookies. Analytics use a privacy-friendly tool that does not track individual users and does not require a cookie banner.
The database stores only what is necessary to make the service work: your access code (a random string), your email address, and your received emails. None of this is connected to your real identity because your real identity was never collected.
No Tracking Pixels in Received Emails
When you receive an email through NukeMail, the email content is processed before it reaches your inbox. One important part of this processing is how images are handled. Marketing emails are riddled with tracking pixels — tiny 1x1 images with unique URLs that notify the sender when you open the email, what time you opened it, what device you used, and sometimes your approximate location.
NukeMail strips base64-encoded inline images during processing and renders email HTML in a sanitized environment. External image loading is controlled to prevent tracking pixels from phoning home when you read an email. This means that as far as the sender is concerned, their email was received but never opened.
This matters because temporary email is often used to sign up for services without revealing your real identity. If the service can track when and where you opened their verification email (via a tracking pixel), they have collected data about you without your consent. NukeMail prevents this data collection.
HTTP-Only Cookies and Security
The session cookie that keeps you logged into your inbox is set with three security attributes: HttpOnly, Secure, and SameSite=Lax. HttpOnly means that JavaScript running on the page (or injected by a malicious script) cannot read the cookie. Secure means the cookie is only sent over encrypted HTTPS connections. SameSite=Lax prevents the cookie from being sent on cross-site requests, protecting against CSRF attacks.
These are not exotic security measures — they are best practices that many websites still do not implement. The combination ensures that your session cannot be hijacked by malicious scripts, intercepted over unencrypted connections, or exploited by cross-site attacks.
The cookie contains only your access code — a random alphanumeric string. Even if it were somehow intercepted, it does not reveal your identity. It is a key to a temporary inbox that will be deleted within 14 days. There is no long-term value in stealing it and no personal data behind it.
What NukeMail Does Not Collect
No real name. No real email address. No phone number. No password. No IP address logging tied to user activity. No device fingerprinting. No browser fingerprinting. No cross-site tracking. No advertising profiles. No behavioral analytics on individual users. No referral tracking that ties your visit to where you came from.
The analytics system tracks aggregate metrics — page views, visitor counts, popular times — without identifying individual users. It does not use cookies for analytics, does not store IP addresses, and is compliant with GDPR, CCPA, and ePrivacy without requiring a cookie consent banner.
When your inbox is deleted (after 14 days for free users, or after the dormant period for premium), all associated data is permanently removed from the database via CASCADE deletion. There is no soft-delete, no archive, no backup retention of user data beyond the stated lifecycle. Once it is gone, it is truly gone — there is no way to recover it, and that is the point.
Privacy as a Feature, Not a Constraint
Some services treat privacy as a limitation — "we would love to offer personalized recommendations, but we respect your privacy, so we cannot." NukeMail treats privacy as a feature that actively makes the service better. Not collecting personal data means there is nothing to leak. Not tracking users means the system is simpler and faster. Not building profiles means there are no creepy "we noticed you..." emails.
The access code system exists specifically because traditional account systems require identity. By replacing accounts with random codes, NukeMail delivers the same functionality (persistent access, cross-device usage) without any of the privacy costs. The code is not a workaround for a missing login system — it is a deliberate replacement that is better for the use case.
This philosophy extends to every design decision. Email content is sanitized not just for security (preventing XSS attacks) but also for privacy (blocking tracking pixels). The cookie is HTTP-only not just as a security measure but because there is no reason for client-side JavaScript to access it. Privacy and good engineering happen to point in the same direction. When a service is designed from the ground up around privacy, every technical decision naturally reinforces that goal rather than working against it.