Why we never store raw email body text

On day one, before writing a single feature, we made an architecture decision: raw email body text never touches disk. It is read into memory, processed, and discarded. Only the extracted output — a suggestion title, a short source quote under 200 characters, a confidence score — persists.

This is harder to build around than you would think. Re-processing requires re-fetching from Gmail. Debugging extraction quality means reproducing from source, not inspecting stored text. Every engineering shortcut wants you to just cache the body.

We resisted because the trust math is simple: a database of millions of stored emails is a catastrophic breach. A database of suggestion titles and 200-character quotes is a bad day. The blast radius difference is the whole product.

Metadata gets the same discipline. Cleanup clustering and health scoring run on sender, subject, date, and read-state only — no LLM ever reads your newsletter content to tell you that you have 87 unread Substacks.

Privacy posture is not a compliance checkbox you add before launch. It is load-bearing architecture. Either you build on it from day one, or you retrofit it never.