I’m excited to introduce Paperweight, a local-first open-source desktop app I’ve been building to help people understand and reduce their digital footprint.
Your inbox is a paper trail of every company that has ever had your data. Every account you created, every service you tried, every online purchase. It’s all connected to your email. Most people have 100+ accounts they’ve forgotten about, each a potential security or privacy risk. For me the final push was the Odido data breach in the Netherlands. I hadn’t been a customer for more than 8 years, but all my data was still in their systems.
What it does:
- Account inventory — Maps every company that has ever emailed you, with risk classifications and recommendations for action.
- Bulk unsubscribe — Find and unsubscribe from any marketing and mailing lists (auto RFC 8058 where supported).
- Breach alerts — Alerts when any company you’ve been in contact with has been breached (via HaveIBeenPwned).
- GDPR requests — Generates pre-filled GDPR requests in multiple languages.
Supports Gmail, Outlook, Apple Mail, Proton (via Bridge) and any other email provider via IMAP.
Privacy approach:
Everything runs on your machine. Email content, credentials, and connection details never leave your device. No telemetry, no cloud sync, no analytics. The code is fully open source and auditable on GitHub.
Most alternatives in this space require you to share your data through their services. Some of them have actually been caught selling your data. Paperweight is the only tool I’m aware of that does this entirely locally and is open-source.
Website
Feedback welcome! Thanks
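
An added example, not Paperweight's code, of how a mail client can decide whether a message qualifies for the RFC 8058 one-click unsubscribe named in the feature list above. The function names and the sample message are hypothetical, and DKIM signature verification is assumed to happen elsewhere.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Optional, Tuple
from urllib.parse import urlsplit

def one_click_uri(msg: Message) -> Optional[str]:
    """HTTPS URI the sender offers for RFC 8058 one-click unsubscribe, or None."""
    # The opt-in header must carry exactly this key/value pair.
    if (msg.get("List-Unsubscribe-Post") or "").strip() != "List-Unsubscribe=One-Click":
        return None
    # List-Unsubscribe is a comma-separated list of <URI>; only HTTPS qualifies.
    for uri in re.findall(r"<([^<>]+)>", msg.get("List-Unsubscribe") or ""):
        uri = "".join(uri.split())  # remove header-folding whitespace
        parts = urlsplit(uri)
        if parts.scheme == "https" and parts.hostname:
            return uri
    return None

def dkim_covers_unsubscribe(msg: Message) -> bool:
    """True if one DKIM-Signature lists both headers in its h= tag.
    Checking the signature itself (DNS key lookup, hashes) is out of scope."""
    needed = {"list-unsubscribe", "list-unsubscribe-post"}
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in sig.split(";"):
            key, _, value = tag.partition("=")
            if key.strip() == "h" and needed <= {h.strip().lower() for h in value.split(":")}:
                return True
    return False

def classify(raw: str) -> Tuple[str, Optional[str]]:
    msg = message_from_string(raw)
    uri = one_click_uri(msg)
    if uri is None:
        return ("manual", None)    # mailto:/http: only, or no opt-in header
    if not dkim_covers_unsubscribe(msg):
        return ("unsigned", None)  # headers not covered by DKIM: do not POST
    return ("one-click", uri)      # client POSTs the body "List-Unsubscribe=One-Click"

# Constructed sample message, not real mail.
SIGNED = (
    "From: News <news@example.com>\n"
    "List-Unsubscribe: <mailto:unsub@example.com>,\n <https://news.example.com/u?t=abc123>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1;\n"
    " h=from:subject:list-unsubscribe:list-unsubscribe-post; bh=AAAA; b=BBBB\n"
    "\nbody\n"
)
```

Messages classified as `manual` or `unsigned` fall back to showing the unsubscribe link to the user instead of sending an automatic POST.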



I have a question—I suspect the answer is yes even if indirectly, but thought I’d ask in case you already thought of this. I have many email addresses, and one in particular is the source of lots of spam. Unfortunately it’s also one I’ve used to login to many services I actually use so I can’t easily delete it. Can I use Paperweight to make a list of services I need to go change my email on before consigning my 20+ year old address to the bin?
Either way, you should reduce the active subscriptions and reuse it as a spamhole (because it 100% was in some leaks already). Never “delete” an old E-Mail address, they can be used to hijack your accounts.
And maybe forward the phishing mails to your country’s @antiphishing address.
This was on a custom domain, and I started off with xyz-1@domain.com, and when it became saturated I moved to -2, -3, etc. But then got lazy and used my current ‘version’ to sign up for things I’d want to keep, not just any old random stuff. So now it’s a mix, and much better ways of doing that exist, like +tagging and hide-my-email services.
I even wondered about setting up a catch-all account on the domain so I can just invent them on the fly, and then when one becomes spammy, create an ‘actual’ account as a spamhole.