- Nylas stores the keys to access your account even after you delete it.

- Nylas doesn't actually delete your data, or it takes many many months.

Full story:

I was an early adopter of Nylas N1 when it first came out: https://news.ycombinator.com/item?id=10333193. I had contributed to the project and hoped that self hosting the sync engine was going to become easier. In the interim I used the built in nylas cloud.

When they switched to paid only, I cancelled my account in mid july (you had to manually mail a deletion request from each account). I loaded up the email client a few days later to find my emails were still syncing. Come to find out the API request re-activates any account and voids any deletion.

So they re-marked it for deletion and told me to wait a "bit". I never got any answer back to how long that was. I followed up later in the week and they had this new tool to cancel your account. I utilized the tool which said my account deletion was successful and a staff member confirmed it.

I checked again 6 weeks later and sure enough it still syncs. They don't actually delete anything despite several confirmations that it is deleted. They can request your emails at any time even though I no longer have a Nylas account. This means they can pull my emails into their system without my knowledge or approval. They also failed to delete any of my existing data despite numerous requests over a 2 month period.

I reached out to support several times and was told that my account is still in queue. I also filed a security disclosure and was not taken seriously.

I combed through the privacy policy (https://nylas.com/privacy-policy/) and they will delete your data "as soon we can". The security (https://nylas.com/security/) policy doesn't reference data retention.

Beware.