Aside from remote images, they store all of your emails on their servers. Not sure why they don't receive the same scrutiny that other email apps like Edison have [1].
I've heard enough fishy stories from former engineers there — people should think twice before logging in and letting them ingest your full account history (as with any third-party email app, which Gmail is already cracking down on [2]).
Edison packages up info from user emails and sells that on the data market. Maybe Superhuman isn't doing this (yet), and therefore isn't being scrutinized for this security/privacy lapse in the same way.
I do not think this is true. I'm pretty sure it's all locally stored aside from "scheduled emails" which are temporarily stored on their services before they are deleted.
Note: I'm not using Superhuman currently, but tried it briefly a few months ago.