AI Data & Audit Log
This page explains what data the AI assistant processes, how MailCopilot records that processing in a local audit log, and what controls you have over that data.
What the AI Assistant Sends to Providers
When you use the AI assistant, MailCopilot transmits the following to your chosen AI provider:
- The content of the email or conversation thread you are currently viewing (subject, body, sender, recipients).
- Any attachments you explicitly ask the assistant to read.
- Your AI memory notes (if the Memory feature is configured).
- The text of your chat message to the assistant.
What is never sent:
- Emails or folders you have not opened or referenced in the current session.
- Your IMAP/SMTP credentials or server configuration.
- Your email account passwords.
- Any data from accounts you have not explicitly used in the current AI request.
The AI assistant is entirely optional. If you do not configure a provider, no email data is ever transmitted to any external service.
AI Egress Policy
MailCopilot intercepts every outbound internet-tool call the AI makes — web search, web fetch, and external MCP tool calls — and pauses the AI to ask for your approval before the call is executed. This prevents a malicious email from silently exfiltrating your data through a prompt-injection attack.
How It Works
When the AI wants to use an internet tool (for example, to search the web), MailCopilot pauses the response and shows an inline confirm modal in the AI panel with the prompt "AI wants to access the internet". The modal displays:
- The type of action — "Web search:", "Fetch URL:", or "External tool call"
- The requested query, URL, or external tool name when available
- Allow and Deny buttons
Click Allow to let the AI proceed, or Deny to refuse. Your decision applies for the entire current response turn — if the AI makes multiple internet-tool calls in one reply, you are only asked once. Clicking Allow grants access for all remaining calls in that turn.
If you do not respond within 30 seconds, MailCopilot denies the tool call automatically.
Shield Icon
A shield icon is shown in the AI panel header whenever egress interception is active. Hovering over it shows: "AI web access is intercepted — you will be asked to approve each outbound call". This icon confirms that the interceptor is running and no internet call can bypass your approval.
Policy Settings
You can adjust the egress policy in Settings → AI (under the AI web access control). Controls when the AI can use internet tools. With Deny by default or Ask each turn, MailCopilot prompts on the first internet-tool call in each response turn. With Always allow, the prompt is skipped — internet tools execute without confirmation:
- Deny by default (recommended) — intercept all internet-tool calls; you approve or deny each turn via the confirm modal.
- Ask each turn — same behavior as default-deny: explicit per-turn opt-in via the confirm modal.
- Always allow — AI may freely call web tools even with email content in scope. Warning: AI may send email content to external services.
Audit Log
Each intercepted internet-tool call creates an audit row; denied calls increment Blocked, while approved calls are recorded with Blocked = 0. Each entry is also counted in the telemetry event ai.egress.intercepted with tags indicating the tool name, outcome (approved or denied), and whether per-turn consent was already in effect. For query/URL details, the audit log stores only a SHA-256 hash truncated to the first 16 hex characters; raw queries and URLs are never written to disk.
The Audit Log
MailCopilot maintains an append-only local audit log of every AI action. The log is stored in your local database on your device and is never transmitted to MailCopilot or any third party.
What Each Entry Records
| Field | Description |
|---|---|
| Timestamp | Exact date and time when the action occurred. |
| Provider | The AI provider used (e.g., Anthropic, OpenAI, Google). |
| Model | The specific model version that handled the request. |
| Goal | A brief description of what the assistant was asked to do. |
| Tool | The MCP tool called, if any (e.g., send_email, mail_action, move_email). |
| Tokens in / out | Input and output token counts for this action. Token counts are recorded when the AI provider exposes them through the SDK; columns may show n/a when the provider does not surface per-request counts. |
| Cost (USD) | Estimated cost based on the provider's published pricing, or n/a for subscription providers. Cost is always recorded when available and is the primary signal for spending tracking. |
| Wrapped | Number of wrapUntrusted() boundary marker invocations. Each invocation means a block of email content was sandboxed before being passed to the AI to prevent prompt injection. |
| Blocked | Number of outbound egress attempts blocked by the security policy during this action. |
| Outcome | Result of the action: OK (completed successfully), Error (failed), or Aborted (cancelled by you or the system). |
Append-Only Design
New entries are always appended. All columns except deleted_at are immutable after insert — existing records are never modified once written. This preserves a tamper-evident history of AI activity. Soft-deleting an entry (see below) sets the deleted_at timestamp and hides the entry from the view, but every other column remains unchanged.
Accessing the Audit Log
Open Settings → AI and expand the Privacy & Audit section. The log is paginated and sorted newest-first.
Exporting
Click Export JSON or Export CSV to download the complete log. The export includes all fields listed above. The CSV export uses RFC 4180 format with CRLF record separators and proper quoting (fields containing commas, quotation marks, or embedded newlines are escaped). The CSV file is compatible with Excel, Numbers, and LibreOffice. You can use the export to:
- Review AI activity at any time.
- Respond to personal data access requests under GDPR or similar regulations.
- Keep an offline copy for your own records.
Deleting Entries
Per-row soft delete — click the delete icon on a log entry to hide it from the view. The record's deleted_at timestamp is set and the entry disappears from the list and aggregates, but the underlying data is retained to preserve audit integrity.
Clear All — marks all audit entries as soft-deleted (sets deleted_at on every record). Entries remain in the local database for compliance and forensic purposes; they are hidden from the list, aggregates, and exports. There is no public hard-delete path — the append-only invariant guarantees historical integrity.
Token and Cost Aggregates
The top of the Privacy & Audit panel shows per-provider token and cost totals. Select a period — Today, Last 7 days, or Last 30 days — to filter the aggregates. These are rolling windows (not calendar week or month). The totals are computed from the local audit log and are never sent to any server.
For subscription-based providers, costs are shown as n/a because per-request pricing does not apply.
Prompt Injection Protection
Every block of email content passed to the AI is wrapped with wrapUntrusted() boundary markers. These markers instruct the AI to treat the enclosed content as untrusted user data — not as instructions — so a malicious email cannot hijack the assistant's behavior. The Wrapped column in the audit log lets you see exactly how many times this protection was applied in each session.
See Also
- AI Assistant — full guide to using the AI assistant.
- Telemetry — anonymous diagnostic data collected by MailCopilot (separate from the AI audit log).