what Watch can — and can’t — see.
Watch can’t tell you whether anyone read your email. Nobody can. Mail clients have gotten too good at hiding that. What Watch can tell you is what loaded the tracking pixel, when, from what kind of system — and probably whether the loader was a person or a machine.
Other trackers conflate Apple Mail prefetches, corporate link scanners, and your own browser preview into one number called “opens.” Watch labels each one. The signal is the signal, never the celebration.
how Watch classifies opens
Every event in your dashboard carries one of these five labels. The label is the same string in the API, the dashboard, the export, and any email digest. Never abbreviated, never re-translated.
| label | what it means | false-positive risk |
|---|---|---|
| confident_human | The open survived every machine-detection heuristic: browser-shaped User-Agent, residential ASN, dwell time, no self-open pattern. The strongest claim Watch will make. | Low. We undersell on purpose. |
| apple_mpp_prefetch | Apple Mail Privacy Protection loaded the pixel from one of Apple’s anonymous proxies, usually within seconds of you sending. This isn’t a person reading the email; it’s Apple pre-loading images so users don’t have to. | High. Roughly 70% of opens on Apple-heavy lists are MPP since iOS 15 (2021). |
| bot | A scanner, link-checker, security tool, or known crawler. Usually a corporate Microsoft Defender or similar pinging every link before forwarding the message to its real recipient. | Very high. Bots are designed to look like opens. |
| self_open | The open looks like you, on the device that just sent the email. Browser preview, your own inbox check, opening the message in “sent” folder. | High by design. Filtered so your dashboard isn’t a mirror of yourself. |
| inconclusive | Watch saw an event but couldn’t classify it confidently. Surfaced as “inconclusive” rather than fabricated as “opened.” | N/A. Inconclusive is a first-class output, not a hedge. |
what Watch doesn’t collect
- —Raw IP addresses. The Cloudflare Worker hashes incoming IPs at ingestion with HMAC-SHA256 and a daily-rotated salt. Yesterday’s salt is destroyed; yesterday’s hashes become non-reversible.
- —Precise location. Country code only, from Cloudflare’s edge metadata. No city, no postal code, no IP-to-location service.
- —Full User-Agent strings. Bucketed into a coarse class (
Apple Mail iOS,Gmail Web,Outlook Desktop) before storage. The full string is dropped at the worker. - —Anything from EU/UK recipients. The Chrome extension auto-suppresses tracking at compose time when any recipient looks EU/UK. No pixel embedded, no link wrapping, no event row written.
- —Recipients on the global opt-out list. Public opt-out form at tomicc.me/recipients/optout.
DNT: 1andSec-GPC: 1headers honored automatically.
what Watch won’t do
- —No “Sent with Tomicc” in your emails. Ever. Free or paid, every tier. (Compare: Mailtrack injects branding on every tier; HubSpot Sales gates removal behind the $15/seat plan.)
- —No real-time “they just opened it!” pings. No toast notifications, no desktop pops, no Slack alerts. State changes surface in the daily summary email or as inline updates on the affected thread. (Compare: Mixmax sells this as “follow up while they’re reading.”)
- —No single-number open count without the breakdown. If a thread has 7 events and 5 are Apple MPP prefetches, the dashboard shows 2 of 7 are confident_human, not opened 7 times.
- —No fabricated metrics. No “engagement score,” no “forwarded count” (pixels can’t see forwards), no “archived without reading” (we have no way to know that).
See also: the recipient privacy notice for the recipient-side rights story. The architectural commitments behind these labels live in docs/adr/0003 (EU auto-suppression), docs/adr/0004 (hashed IP), and docs/adr/0009 (honest tracking presentation).