Your inbox is less secure than you think

Your email gets hacked — it’s not just your emails. It’s your entire identity.

Tax returns, SSNs, bank statements, medical records — years of sensitive documents are sitting unencrypted in your Gmail and Google Drive right now.

MFA protects your login. It doesn’t protect what’s already inside. ThunderSweep scans your Gmail and Google Drive locally, finds your exposed files, and lets you encrypt them into a private vault — stored in your own Google Drive, accessible only with your password.

Critical: Searching Gmail for “SSN” or “tax return” won’t find files named “scan_2024.pdf” — ThunderSweep scans actual file contents locally in your browser to find them.

  • 7-day free trial — no credit card required
  • All scanning runs locally — we never read your data
  • Encrypted vault stored in your own Google Drive

MFA protects your login, not your files

The documents sitting inside your Gmail and Google Drive are stored unencrypted, completely exposed in the cloud.

💾

Your Gmail & Drive are not encrypted

Gmail attachments and Google Drive files are stored unencrypted on Google's servers. Google's automated systems can access them natively. That W-2 from 2019 with your SSN? It's sitting in plain text — accessible to anyone who compromises your account or Google's infrastructure.

💥

A breach exposes everything

When an account is compromised (via session hijacking or a breached endpoint), the attacker gets every tax return, bank statement, medical record, and SSN you've ever stored. It's your complete financial and personal identity, going back years.

🏦

Google is a target, not a vault

Google is one of the most secure companies in the world — and also the biggest target on the internet. If there's ever a data incident, what gets exposed isn't your fake birthday from registration — it's every unprotected document stored in your drive and inbox.

⚖️

You're keeping more than the law requires

The IRS only requires you to keep tax returns for 3 years (6 in some cases). That 2015 tax return in your inbox? You don't need it, and keeping it only increases your liability. The less sensitive data you store, the less there is to steal.

📋

More data means more legal exposure

From a legal standpoint, the more data you keep, the more discoverable and liable you are. In audits, lawsuits, or investigations, that old data can be requested and used against you. Hoarding 10 years of tax documents when you only need 3 doesn't make you cautious — it makes you a bigger target.

📤

You might be sending sensitive data too

It's not just what you receive. Accidentally sending a tax return or bank statement to the wrong person — or to someone whose inbox isn't secure — creates another copy you can't control. Once you hit send, it's gone. You can't unsend a Social Security number.

"The best way to protect sensitive data is to not have it in the first place. If it doesn't need to be in your inbox, it shouldn't be."

Data minimization principle — recommended by NIST, GDPR, and every major security framework

How It Works

Three steps to lock down your digital identity.

1. Connect Your Google Account

One-click Google sign-in. ThunderSweep requests permissions to scan your files locally. We never see your data, and we never delete anything without your explicit confirmation.

2. Scan Gmail & Google Drive

ThunderSweep scans your Gmail attachments and Google Drive files locally in your browser — reading actual file contents, not just filenames. Sensitive PDFs, Word docs, and spreadsheets going back years are surfaced instantly.

3. Vault, Delete, or Share

Encrypt sensitive files into your private vault, permanently delete exposed copies from Google's servers, or share directly from the vault — no plaintext copies left behind.

Bank-Grade Encryption, Zero Server Involvement

Your files stay in your own Google Drive. ThunderSweep encrypts them locally — we never see your data, your keys, or your password.

🛡️

AES-256-GCM Encryption

The same encryption standard used by banks and governments. Every file in your vault is individually encrypted — without your vault password, the contents are unreadable.

🔑

Keys Derived, Never Stored

Your vault key is derived on the fly from your password using PBKDF2 with 600,000 iterations — making brute-force attacks computationally expensive. We never store, transmit, or see your password or keys.
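
The derive-then-encrypt scheme described above, as an added example (not ThunderSweep's code). It uses Node's built-in `crypto` module in place of the browser's WebCrypto API so it runs offline; the PBKDF2 hash (SHA-256), salt and nonce sizes, and the blob layout are assumptions, and only the 600,000 iteration count and AES-256-GCM come from the page.

```javascript
const nodeCrypto = require("node:crypto");

const PBKDF2_ITERATIONS = 600000; // figure stated on the page
const SALT_LEN = 16;  // assumption
const NONCE_LEN = 12; // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16;
const HEADER_LEN = SALT_LEN + NONCE_LEN + TAG_LEN;

// The key exists only in memory: it is recomputed from password + salt on every use.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, "sha256");
}

// Assumed blob layout: salt | nonce | tag | ciphertext.
// Salt and nonce are not secret, so they can sit next to the ciphertext.
function encryptFile(password, plaintext) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const nonce = nodeCrypto.randomBytes(NONCE_LEN); // must never repeat under one key
  const key = deriveKey(password, salt);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]);
}

function decryptFile(password, blob) {
  if (blob.length < HEADER_LEN) throw new Error("blob too short");
  const salt = blob.subarray(0, SALT_LEN);
  const nonce = blob.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const tag = blob.subarray(SALT_LEN + NONCE_LEN, HEADER_LEN);
  const key = deriveKey(password, salt);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, nonce, {
    authTagLength: TAG_LEN,
  });
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify (wrong password or modified blob).
  return Buffer.concat([decipher.update(blob.subarray(HEADER_LEN)), decipher.final()]);
}

// Returns the plaintext string, or null when authentication fails.
function tryDecrypt(password, blob) {
  try {
    return decryptFile(password, blob).toString("utf8");
  } catch {
    return null;
  }
}

// Constructed sample data: round trip, wrong password, and a one-bit modification.
function demo() {
  const sample = Buffer.from("constructed sample: W-2 text");
  const blob = encryptFile("correct horse battery", sample);
  const tampered = Buffer.from(blob);
  tampered[tampered.length - 1] ^= 0x01;
  return {
    blobLength: blob.length,
    ok: tryDecrypt("correct horse battery", blob),
    wrongPassword: tryDecrypt("wrong password", blob),
    tampered: tryDecrypt("correct horse battery", tampered),
  };
}
```

Because GCM is authenticated, a wrong password and a modified file fail the same way: decryption refuses to return anything rather than returning garbage.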

☁️

Your Drive, Your Files

Encrypted files are stored in a dedicated folder inside your own Google Drive. ThunderSweep holds nothing on its servers — your vault travels with your Google account, not ours.

Protected at Every Stage

ThunderSweep doesn’t just secure files sitting in your vault. It covers every way sensitive data moves through your life.

🔒

At Rest — Encrypted in Your Vault

Files pulled from Gmail or Drive are encrypted with AES-256-GCM and stored in a dedicated folder inside your Google Drive. Unreadable to anyone without your vault password — including us.

🔗

In Transit — Share Without Exposure

Need to send your accountant a tax return? ThunderSweep lets you share files directly from your vault. The recipient gets the document — you don’t get a plaintext copy sitting in your Sent folder forever, waiting to be compromised.

📝

Secure Notes — No File Needed

Not everything sensitive is a file. Create encrypted text notes directly inside your vault — passwords, recovery codes, account numbers, anything you’d rather not store as a document. Encrypted alongside your files in your Drive. Nothing leaves the vault.

Everything ThunderSweep Can Do

Deep content scanning across Gmail and Google Drive, an encrypted vault, monitoring, and more — all running locally in your browser.

📊

Complete Security Overview

Get a bird's-eye view of your exposure across both Gmail and Google Drive. See your privacy score, exposure by category, and top senders of sensitive data at a glance.

🔒

AES-256-GCM Vault

Securely store your most sensitive extracted documents locally. Encrypted with strong AES-256-GCM standards, only you have the keys.

📂

Google Drive Scanner

ThunderSweep now scans your Google Drive files using the same deep content analysis as Gmail. PDFs, Word docs, spreadsheets, and text files stored in Drive are scanned locally in your browser — sensitive data found regardless of filename. Nothing leaves your device.

🔍

Deep Content Scanning (Not Just Filenames)

Gmail search can't find "document.pdf" containing your SSN. ThunderSweep scans the actual content of PDFs, Word docs, Excel spreadsheets, and files inside ZIP archives — across both Gmail and Drive — locally in your browser. Nothing is uploaded.

🛡

Smart Pattern Detection

Goes beyond keyword matching. Validates SSN structure, runs Luhn checks on credit card numbers, and uses context awareness to reduce false positives.
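
The three checks named above, as an added example (not ThunderSweep's code). The SSN rules are the published SSA structure rules; the keyword list, the 40-character context window and the confidence labels are assumptions made for illustration, and the sample text is constructed.

```javascript
// Luhn checksum: from the right, double every second digit, sum, test mod 10.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// SSA structure: area is never 000, 666 or 900-999; group never 00; serial never 0000.
function ssnStructureValid(area, group, serial) {
  const a = Number(area);
  if (a === 0 || a === 666 || a >= 900) return false;
  return group !== "00" && serial !== "0000";
}

const SSN_CONTEXT = /\b(ssn|social security|taxpayer id)\b/i; // assumed keyword list

// True when a keyword appears within `radius` characters of the match.
function hasContext(text, index, length, pattern, radius = 40) {
  const start = Math.max(0, index - radius);
  return pattern.test(text.slice(start, index + length + radius));
}

function scanText(text) {
  const findings = [];
  // SSN: ddd-dd-dddd or nine bare digits, not embedded in a longer number.
  const ssnRe = /(?<![\d-])(\d{3})(-?)(\d{2})\2(\d{4})(?![\d-])/g;
  for (const m of text.matchAll(ssnRe)) {
    const [raw, area, sep, group, serial] = m;
    if (!ssnStructureValid(area, group, serial)) continue;
    const context = hasContext(text, m.index, raw.length, SSN_CONTEXT);
    // Nine bare digits could be a routing number or order id: require a keyword.
    if (sep === "" && !context) continue;
    findings.push({ type: "ssn", index: m.index, confidence: context ? "high" : "medium" });
  }
  // Cards: 13-19 digits, optionally grouped with spaces or hyphens.
  const cardRe = /(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)/g;
  for (const m of text.matchAll(cardRe)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (luhnValid(digits)) findings.push({ type: "card", index: m.index, confidence: "high" });
  }
  return findings;
}

// Constructed sample standing in for text extracted from an attachment.
const SAMPLE = [
  "Employee SSN: 123-45-6789",          // valid structure, keyword nearby
  "Ref 666-12-3456 on the invoice",     // area 666 is never issued
  "Order 123456789 shipped",            // bare digits, no keyword
  "Card 4111 1111 1111 1111 exp 01/30", // standard test number, passes Luhn
  "Tracking 4111 1111 1111 1112",       // fails Luhn
].join("\n");
```

Calling `scanText(SAMPLE)` reports only the first and fourth lines; the other three look like sensitive numbers but fail validation or lack context.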

📥

Vault Before You Delete

Move sensitive attachments into your encrypted Vault for safekeeping before removing them permanently from your vulnerable Gmail and Google Drive accounts.

🗑

Safe Bulk Delete

4-step safety confirmation before any deletion. Emails move to Gmail trash with a 30-day recovery window — nothing is permanently destroyed.

📊

Filter & Sort Results

Filter by category (tax, financial, medical), date range, or keyword. Sort by sensitivity, date, or sender. Find exactly what you're looking for.

Pause & Resume

Large inbox with years of email? Pause your scan anytime and pick up right where you left off. Progress is saved automatically.

What ThunderSweep Detects

Comprehensive pattern matching across Gmail and Google Drive — smart validation to reduce false positives.

  • Tax Documents: W-2, 1099, 1040, tax returns
  • Financial Records: Bank accounts, routing numbers, credit cards
  • Social Security Numbers: SSN format with structure validation
  • Medical Records: Patient IDs, NPI numbers, health insurance
  • Business Documents: EIN numbers, LLC formation docs
  • ZIP Archives: Scans files inside ZIP attachments

You cleaned up. Now stay clean.

A one-time scan fixes today. Shield makes sure the problem never comes back.

📨

New sensitive docs arrive constantly

Your accountant sends a new W-2. Your bank emails a statement. Your doctor sends records. Without monitoring, in 6 months you're right back where you started. Shield watches your inbox and alerts you the moment a new sensitive attachment arrives.

⚠️

Your last chance before hitting Send

About to email a tax return to the wrong person? Once you hit send, you can't unsend a Social Security number. Shield scans your outgoing attachments and warns you before you make a mistake. It doesn't block you — it just asks you to take a second look.

📊

Privacy score that actually moves

Every scan updates your privacy grade. Clean up an old tax return? Your score goes up. A new sensitive document arrives? Shield flags it and your grade reflects the new exposure. You always know exactly where you stand.

Simple, Affordable Pricing

Start free. Your first scan starts a 7-day trial of Shield — no credit card required.

Free

$0
Includes 7-Day Shield Trial
  • Scan Gmail & Google Drive
  • 3 results shown in detail — Gmail priority, then Drive
  • 2 scans per week
  • 1 Google account
  • Full Shield trial on first scan — 7 days, no card

Family Plan

$9.99/mo
$99.99/year (save $20) • Cancel anytime
  • Everything in Shield Plan
  • Up to 5 Google accounts
  • One subscription for your whole household
One-Time Option

Clean Sweep

$14.99
One-time payment • No subscription
  • Unlock all results from your scan
  • Bulk delete sensitive emails & Drive files
  • Download attachments locally
  • Export full CSV report
  • Mark items as safe
  • No vault, no monitoring
  • Run a scan first (free), then activate

What’s Coming Next

ThunderSweep is growing into a full privacy companion for your entire Google account.

📊

Privacy Reports (Coming Soon)

Generate a comprehensive privacy report covering everything ThunderSweep found and cleaned up across Gmail and Drive — downloadable as a PDF. A clear record of your exposure and the steps you took to protect yourself.

🏆

Privacy Score & Achievements (Coming Soon)

Track your privacy grade over time. Earn badges as you clean up your inbox and Drive, and see your score improve month over month. A clear, motivating picture of your ongoing digital privacy health.

We Don't Want Your Data. Seriously.

Most security tools ask you to trust them with your data. We built ThunderSweep so we never have to. Everything runs locally in your browser — we have no servers, no databases, no analytics on your emails.

  • All scanning happens in your browser — no servers, no cloud, no uploads
  • We never see, store, or transmit your email or Drive file content
  • Trust but Verify: Open your Chrome DevTools Network Tab while scanning. You will see absolutely zero outbound traffic to our servers.
  • Disconnect anytime — we have nothing to delete because we stored nothing
  • Minimal permissions — read-only until you choose to delete

Frequently Asked Questions

The install dialog says ThunderSweep can "Read your browsing history." Why does it need that?
This is misleading Chrome wording — ThunderSweep does not read or record your browsing history. Chrome labels the tabs permission as "Read your browsing history" for all extensions, even if all they do is check which site is currently open. ThunderSweep uses this only to detect whether you are on Gmail, so it knows when to show the real-time attachment warning. It never reads, stores, or transmits any tab data. Here is what each permission line in the install dialog actually means:

Read and change your data on api.gumroad.com, mail.google.com, googleapis.com — Gumroad is used only to verify your license key. Gmail and googleapis are required to read and scan your attachments via the Gmail API. Nothing is uploaded or sent to our servers.

Read your browsing history — Chrome's label for the standard tabs permission. ThunderSweep only checks whether the current tab is Gmail to know when to display the monitoring warning. No history is read or stored.

Display notifications — Used by Shield to alert you when a new sensitive attachment arrives in your inbox.

Manage your downloads — Used when you download sensitive attachments to your local drive for safekeeping before deleting them from Gmail.
Chrome says "This extension is not trusted by Enhanced Safe Browsing." Should I be worried?
No — this warning has nothing to do with whether the extension is safe. It's shown by Chrome's optional Enhanced Safe Browsing feature for any extension that is new and doesn't yet have a large install history. Google already reviewed and approved ThunderSweep before listing it on the Chrome Web Store. The warning simply means the extension hasn't accumulated enough users yet for Chrome to assign it a reputation score. It will disappear automatically as more people install it. You can safely click Continue to install.
When connecting Gmail, I see "Google hasn't verified this app." Is ThunderSweep safe?
Yes, completely safe. This screen appears because Google's manual OAuth app verification is still in progress — we submitted our verification request and are waiting on Google's review, which typically takes a few weeks. It does not mean the extension is malicious or that your data is at risk. ThunderSweep is already approved and listed on the Chrome Web Store; this is a separate Google review process for OAuth access.

To proceed: click "Advanced" at the bottom left of that screen, then click "Go to ThunderSweep (unsafe)". The word "unsafe" is Google's generic disclaimer for any unverified app — it is not a security finding. Once Google completes verification, this screen will disappear entirely. See our Setup Guide for step-by-step instructions.
Why should I worry? I have MFA and a strong password.
MFA protects your login — it doesn't protect data already stored inside your account. Session hijacking, OAuth token theft, and real-time phishing proxies can bypass MFA. If someone gets in, they get access to every unencrypted attachment in your inbox going back years. Plus, Google's own systems can access your unencrypted attachments. The best protection is to not have sensitive data sitting there in the first place.
I trust Google. Why do I need this?
Google is highly secure — but your email attachments are still stored unencrypted on their servers. In a data incident, it's not your display name that gets exposed — it's every tax return, bank statement, and SSN in your inbox. ThunderSweep helps you move sensitive files to your local drive where you control them, and remove them from the cloud.
Do I really need to delete old tax returns from Gmail?
The IRS requires you to keep tax returns for 3 years (6 years in some cases). A 2018 tax return sitting in your Gmail serves no legal purpose — it only increases your exposure. If your account is compromised, every year of tax documents is an additional weapon for identity theft. Download what you need to local storage and remove the rest.
What's included in the 7-day free trial?
Every Gmail account automatically gets 7 days of Shield features when you run your first scan. During the trial, you get unlimited scans, all results unlocked, continuous monitoring, security score tracking, and all Shield features. No credit card required. After 7 days, you'll return to the Free plan (2 scans/week, 3 results shown) unless you upgrade to Shield or Clean Sweep.
Why would I pay $4.99/month for Shield?
The free tier gives you 2 scans per week (view 3 results) plus a 7-day Shield trial. Clean Sweep ($14.99) lets you view all results from one scan, but doesn't give you the ability to run new scans. Shield ($4.99/mo or $49.99/year) gives you unlimited scans plus real-time monitoring. New sensitive documents keep arriving — tax returns from your accountant, bank statements, medical records. Without monitoring, the problem rebuilds itself. Shield also warns you before you accidentally send a sensitive attachment. Think of it this way: identity theft monitoring (LifeLock, etc.) costs $10-25/month and only alerts you after the damage is done. Shield helps prevent it for a fraction of the cost.
Can't I just search Gmail for "SSN" or "tax return" myself?
No — Gmail search only searches email text and attachment filenames, not the contents of attachments. If your 2022 tax return is named "document.pdf" or "scan_2023.pdf", Gmail won't find it even though it contains your SSN. ThunderSweep opens and scans every PDF, Word doc, and spreadsheet locally in your browser to find sensitive data regardless of filename. All processing happens on your device — nothing is uploaded or sent anywhere. That's why manual Gmail searching misses 70-80% of sensitive documents.
Can ThunderSweep see my emails?
ThunderSweep requests read access to scan your attachments for sensitive patterns. All processing happens locally in your browser — our code never sends your data anywhere. We have no servers to send it to. You can verify this yourself by checking your browser's network activity while the extension runs.
What happens when I delete emails?
Deleted emails are moved to your Gmail trash, where they remain for 30 days before Google permanently removes them. ThunderSweep never permanently deletes anything — you always have a recovery window. We recommend downloading attachments to your local drive before deleting.
What's the difference between Clean Sweep and Shield?
Clean Sweep ($14.99 one-time) unlocks all results from your current scan so you can review, download, and delete. Important: Each Clean Sweep key is tied to a specific scan and cannot be reused. If you deactivate the license and run a new scan later, you'll need a new Clean Sweep key to view those results. Shield ($4.99/mo or $49.99/year) adds unlimited future scans, real-time monitoring for new sensitive attachments, inbound & outbound attachment warnings, security score tracking, and ongoing pattern updates. Think of Clean Sweep as a one-time cleanup and Shield as ongoing protection.
Can I reuse my Clean Sweep license after deactivating?
You can reactivate the same Clean Sweep license only if you haven't run any new scans since deactivating it. The Clean Sweep key is permanently tied to the scan results it was originally used for. Once you deactivate and run a new scan (using your free tier scans), the old Clean Sweep key will no longer work for the new results — you'll need to purchase a new Clean Sweep key. This prevents abuse where one $14.99 purchase could unlock unlimited scans. For unlimited scanning ability, subscribe to Shield ($4.99/mo or $49.99/year) instead.
Does ThunderSweep scan Google Drive too?
Yes — ThunderSweep now scans both your Gmail inbox and your Google Drive. The Drive tab scans PDFs, Word docs, spreadsheets, and text files stored in your Drive using the same deep content analysis as Gmail. Everything is processed locally in your browser — no Drive files are ever uploaded to our servers. You can scan Gmail and Drive independently or together from the same dashboard.
What is the Encrypted Vault?
The Encrypted Vault is a secure local feature that lets you lock away sensitive files before deleting their original versions. When you choose to vault an attachment or Drive file, ThunderSweep encrypts it locally in your browser using AES-256-GCM encryption. The encrypted file is then saved to a dedicated ThunderSweep folder in your Google Drive, while the unencrypted original is deleted. You create the master Vault password, and because of our zero-knowledge architecture, your password never leaves your device. We cannot recover your files if you lose it.
What is TS Share (Secure File Sharing)?
TS Share lets you securely send files from your Vault to anyone else, even if they don't use ThunderSweep. When you share a file from your dashboard, ThunderSweep decrypts it locally and immediately re-encrypts it using a one-time transfer key generated on your device. This unique key is embedded directly into the recipient's email link as a URL fragment (e.g., #token=...). Because web browsers are hard-coded to never transmit URL fragments to backend servers, the decryption key is literally never sent to us or stored on our servers. The encrypted blob is temporarily stored for 7 days before being auto-deleted, guaranteeing a true zero-knowledge file transfer.
How do I share files with someone who doesn't use ThunderSweep?
For recipients who cannot install ThunderSweep, you can use the TSxport feature directly from your Vault. TSxport safely packages your selected files into a standard, password-protected ZIP archive right on your device. Your recipient can then open the ZIP using any standard extraction app like 7-Zip, WinZip, WinRAR, or Keka. For maximum security, always set a strong password and share it with your recipient through a separate channel (like a text message or Signal), never in the same email as the file itself.
What file types does it scan?
ThunderSweep scans PDF, Word (.docx), Excel (.xlsx), text files, and CSV files — in both Gmail attachments and Google Drive. It also opens and scans files inside ZIP archives attached to Gmail. Password-protected files can't be scanned but are flagged for your review.
How do I cancel my Shield or Family subscription?

Subscriptions are billed and managed through Gumroad. There is no cancel button inside ThunderSweep — you'll need to follow these steps directly through Gumroad.

Your access continues until the end of your current billing period — you won't lose any features the moment you cancel.

  1. Open your Gumroad receipt email

    Find the original purchase email from Gumroad. Scroll down to the billing section and click the "subscription settings" link.

  2. Check your inbox for the magic link

    Gumroad will send a sign-in link to the email address on your purchase. Check your inbox (and spam folder) and click the link. It expires after a few minutes — use "Resend magic link" if needed.

  3. Click "Cancel membership"

    After clicking the magic link, you'll be taken to your membership page. Click "Cancel membership" to confirm the cancellation.

After cancelling: Your Shield or Family plan stays fully active until your next billing date. If you change your mind before then, just reactivate in the extension using the same license key — no new purchase needed.

Need help? Email us at [email protected]

How much sensitive data is sitting in your Gmail & Google Drive right now?

Most people have years of tax returns, bank statements, and SSNs sitting unprotected across their inbox and Drive. Find out for free.
