diff --git a/privacy-policy.md b/privacy-policy.md new file mode 100644 index 0000000..3a004f9 --- /dev/null +++ b/privacy-policy.md 
@@ -0,0 +1,57 @@ +# Korax Privacy Policy + +_Last updated: 22 May 2026_ + +## Who we are + +Korax is a PGP-first email client developed and distributed by **K-Ops Oy**. Questions about this policy can be sent to: **korax@k-ops.eu** + +## What data Korax processes + +Korax connects directly to your email provider using the IMAP and SMTP protocols. The following data is processed on your device: + +| Data | Purpose | Where it is stored | +|------|---------|-------------------| +| IMAP/SMTP server addresses, port, and TLS settings | Connect to your mail server | On-device SQLite database | +| Email account credentials (username and password) | Authenticate with your mail server | OS secure credential store (Android Keystore / iOS Keychain) | +| Email message content (headers, body, attachments) | Display your mail | On-device SQLite cache | +| Email addresses of senders and recipients | Display contacts and compose mail | On-device SQLite database | +| PGP keys you generate or import | Encrypt and decrypt mail | On-device SQLite database | + +## What we do not collect + +- Korax does **not** operate any servers that receive your data. +- Your email content, credentials, and keys never leave your device through Korax. All network communication goes directly between your device and your configured mail server. +- Korax does **not** collect analytics, crash reports, usage statistics, or any telemetry. +- Korax does **not** display advertising. +- Korax does **not** sell, share, or transmit your data to any third party. + +## Permissions + +Korax requests only the **INTERNET** permission, used solely to connect to your configured IMAP/SMTP servers. + +## Data retention and deletion + +All data is stored locally on your device. To delete your data, remove your accounts within the app (Settings → Accounts) or uninstall Korax. Uninstalling the app removes all locally cached messages and settings. 
+ +## Security + +- Credentials are stored in the OS secure credential store and are not accessible to other apps. +- All connections to mail servers use TLS encryption. +- PGP private keys are stored in the OS secure enclave (Android Keystore / iOS Keychain) and never written to disk in plaintext. + +## Children + +Korax is not directed at children under 13 and does not knowingly collect data from children. + +## GDPR (EU residents) + +Korax processes data solely on your own device under your control. Because no data is transmitted to or stored by K-Ops Oy, we do not act as a data controller or data processor under the GDPR for your email content. You have full control over your data at all times. + +## Changes to this policy + +If we update this policy, the new version will be published at this URL with an updated "Last updated" date. + +## Contact + +Privacy questions: **korax@k-ops.eu**
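Review bot: The storage location of PGP private keys is stated two ways in this file. The table row under "What data Korax processes" puts "PGP keys you generate or import" in the "On-device SQLite database", while the last bullet under "Security" says private keys are "stored in the OS secure enclave (Android Keystore / iOS Keychain) and never written to disk in plaintext". Suggest splitting the table row into public and private keys and stating where each lives; if private keys sit in SQLite wrapped by a key held in the Keystore or Keychain, say so explicitly. Use "OS secure credential store", as in the credentials row, rather than "secure enclave", since the Keystore and Keychain are not the same thing as a hardware enclave. Separately, "All connections to mail servers use TLS encryption" under "Security" sits awkwardly beside the user-configurable "TLS settings" in the table: state whether plaintext or opportunistic STARTTLS can be selected, or confirm that the client refuses non-TLS connections. The "Data retention and deletion" paragraph should also say what happens to the credential-store entries on uninstall, as it currently covers only "locally cached messages and settings".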