What does non-custodial mean for an email service?

Non-custodial means the service never holds funds, tokens, or email content on the user's behalf. The user retains control of their wallet, payment proofs, and message data. The service automates a process the user could do manually, without taking custody of anything in the flow.

Is Gmail or Outlook non-custodial?

Neither is non-custodial in the strict sense. Both Gmail and Outlook store user mail on their servers as part of the service. They are custodial of the content, though they do not hold user funds. Non-custodial in the email context refers more specifically to inbox-defense services that do not retain mail content or payment tokens.

Why does non-custodial architecture matter?

Three reasons. First, the user does not have to trust the service to handle their funds correctly. Second, if the service shuts down, the user loses nothing they did not already control. Third, the service avoids the regulatory burden of money transmission, which usually translates to lower prices and fewer compliance constraints on the user.

Can a non-custodial service still process payments?

Not in the traditional sense. Rythm, for example, is a non-custodial email service that automates the verification of bearer-instrument tokens (Cashu tokens) attached to emails. Rythm verifies the token and triggers the redemption to the recipient's own Lightning wallet. The actual payment flow is peer-to-peer and Rythm is not in the money path.

How is non-custodial different from end-to-end encryption?

End-to-end encryption hides message content from anyone other than the sender and recipient. Non-custodial architecture means the service does not hold the assets (funds, tokens, content) it operates on. The two are related but not identical. A service can be non-custodial without being end-to-end encrypted, and vice versa.

What Is a Non-Custodial Email Service?

A non-custodial email service does not hold your funds, store your tokens, or read your email. Here is what that means in practice and why it matters.

The phrase “non-custodial email service” is borrowed from the cryptocurrency wallet world, where it has a precise meaning. A non-custodial wallet is one where the user holds the private keys; the wallet vendor cannot move the user’s funds because the vendor never had the keys to begin with. A custodial wallet is the opposite: the user trusts the vendor with the keys, and the vendor holds the funds.

Applied to email, the term means something analogous. A non-custodial email service does not hold the funds, the payment tokens, or the email content that flows through it. The service automates a process the user could do manually, without taking custody of anything in the path.

This post is the long answer to “what is a non-custodial email service?”, why the architecture matters, and what it does and does not promise.

The Plain Definition

A non-custodial email service operates on email and payment data without holding any of it on the user’s behalf. The user retains control of their wallet, their message content, and any payment proofs that flow through the system. The service is structurally a pass-through, not a custodian.

Three things flow through such a service:

The email content. Scanned in memory for whatever the service is doing (detecting a payment token, applying a filter rule, routing to the right folder). Discarded immediately after the scan. Not written to disk, not logged, not archived.

The payment proof. Verified in memory if a payment is involved. Redeemed to the recipient’s wallet in a single operation. Discarded immediately after redemption. Not stored.

The funds themselves. Settle directly from the payment source to the recipient’s wallet. The service is never in the path. The funds do not pass through any account the service controls.

If any of these three holds, even briefly, the service is to that extent custodial. Non-custodial services hold none of them.

Why the Architecture Matters

The custodial-vs-non-custodial distinction has practical consequences for users.

Trust requirements drop. A custodial service requires the user to trust the vendor with whatever the vendor holds. The vendor can be hacked. The vendor can shut down with the user’s assets inside. The vendor can be subpoenaed. The vendor can change terms. A non-custodial service requires no such trust because the vendor never holds anything to begin with.

Failure modes are bounded. If a non-custodial service goes down, the user loses access to the automation but loses no assets. The wallet still exists. The email still exists. The user’s relationship to their own data is unaffected by the service’s status.

Regulatory burden is lower. Holding user funds usually triggers money transmitter licensing, anti-money-laundering compliance, and other regulatory frameworks designed for custodial financial services. A non-custodial service avoids these because it is not, in the regulatory sense, in the financial flow. Lower regulatory burden translates into lower prices for users and fewer constraints on the product.

Privacy is structural. A service that does not store data cannot be subpoenaed for data it does not have. A service that does not hold funds cannot freeze them. A service that does not retain email content cannot leak it through a breach. The privacy properties are properties of the architecture, not promises the vendor can later renege on.

How Rythm Implements It

Rythm is the consumer-scale non-custodial email service for Gmail and Outlook. The architecture, in plain language:

Email content scan. When mail arrives, Rythm scans the body in memory for a single pattern: the presence of a Cashu payment token. If the token is found, the verification step runs. If not, the message is held in a separate folder for the user’s review. The content is discarded immediately after the scan. The only record kept is the provider’s messageId, which is a reference to the email, not its content.

Payment verification. If a token is present, Rythm checks with the issuing mint to confirm the token is valid and unspent. The verification is a stateless network call. Rythm does not store the token before, during, or after the verification.

Token redemption (melt). Valid tokens are immediately redeemed via the Lightning Network to the recipient’s wallet. The user configured their LNURL at setup; the melt produces a Lightning payment that settles directly into the user’s wallet. Rythm never holds the funds, never has access to them, and is not in the money path.

No storage. Tokens are referenced by messageId only. Email content is in-memory only. No bodies, no subjects, no headers beyond what the email provider’s API returns to the active scan operation. This is enforced architecturally, not just by policy.

Fail-open delivery. If any part of the verification fails, the email delivers to the inbox normally with a SCAN FAILED label. The user never misses an email because of a Rythm issue. This is also non-custodial in spirit: when the service cannot do its job, it gets out of the way.

We described the technical flow at length in how Rythm’s non-custodial architecture works and how it actually works under the hood. The compliance framing for what Rythm is and is not is in Rythm isn’t a cryptocurrency service.

What Non-Custodial Does Not Promise

The term is sometimes misread to imply more than it does. Worth being explicit about the limits.

Non-custodial is not end-to-end encryption. Encryption hides content from the service operator. Non-custodial architecture means the service does not hold the assets it operates on. The two often overlap (services that do not store content tend not to encrypt anything because there is nothing stored to encrypt), but they are conceptually distinct. ProtonMail is end-to-end encrypted but custodial of message content (it stores encrypted mail on its servers). Rythm is not end-to-end encrypted in the ProtonMail sense, but it is non-custodial in the sense that it does not store mail content.

Non-custodial does not mean the email provider is non-custodial. Gmail and Outlook still hold the user’s mail on their servers as part of their service. A non-custodial email-defense layer running on top of those providers does not change what the provider holds. It only changes what the layer holds (which is nothing).

Non-custodial does not mean anonymous. The user still has an identity at the email provider. Rythm still knows who the user is for billing and OAuth purposes. The non-custodial property applies to the data and assets in the email-and-payment flow, not to the user’s account at the service.

Non-custodial is not a security guarantee. A non-custodial service can still have bugs, security issues, or operational failures. The architecture limits the blast radius (the service cannot lose what it does not hold), but it does not eliminate all risk. The CASA Tier-2 audit and the broader security posture matter independently of the custodial classification.

Where the Term Comes From

The non-custodial concept originated in Bitcoin wallet design. In the early Bitcoin years, exchanges held user funds in pooled accounts. Users had ledger entries showing their balance, but the actual coins were custodied by the exchange. When exchanges failed or were hacked, users lost the funds because the exchange was the legal owner.

Non-custodial wallets emerged as the alternative. The user generates and holds their own private keys. The wallet software is just an interface. The user can move funds whether the wallet vendor exists or not.

The same logic transfers to any service that operates on user assets. If the service holds the assets, it is custodial. If the service operates on assets the user controls, it is non-custodial. Email-defense services using the term are applying the same architectural distinction to the email-and-payment flow.

For the related concept of how Rythm’s payment flow works in detail, see what is an email paywall and what is a cover charge for email.

The Practical Test

The simplest test for whether a service is genuinely non-custodial: if the service shuts down tomorrow, what does the user lose?

If the user loses access to assets they cannot recover (funds, tokens, exclusive data), the service was custodial. If the user loses only the automation convenience (and their wallet, mail, and identity remain intact), the service was non-custodial.

For Rythm specifically, a shutdown tomorrow would mean the user’s existing Lightning wallet still works, their Gmail or Outlook account still functions normally, their mail is unchanged, and they would simply not have the automated cover-charge filter running until they replaced it. No funds would be lost. No tokens would be inaccessible. No mail would be inside Rythm to be recovered.

That is what non-custodial means in practice.

The Bottom Line

A non-custodial email service is one that does not hold funds, tokens, or message content on the user’s behalf. The user retains control of all of these. The service automates a process the user could do manually. The architecture has practical advantages: lower trust requirements, bounded failure modes, lower regulatory burden, and structural privacy.

Rythm is the consumer-scale non-custodial email service for Gmail and Outlook. The cover charge filter runs at $1.65 per month, settles cover charge payments directly to the user’s wallet, and stores none of the email content or payment tokens it scans in the process. The architectural choice is not marketing; it is the design.