Morphee Privacy Policy
Status: DRAFT | Last updated: 2026-02-21
Pending publication at a user-accessible URL (L-RETAIN-005). Legal review recommended before wide distribution.
1. Who We Are
Morphee is a conversational AI assistant for groups (families, classrooms, teams). This privacy policy explains how we collect, use, and protect your personal data when you use the Morphee application.
Data Controller: [Your legal entity name and address]
Contact: [privacy@morphee.app]
Privacy contact: Sébastien Mathieu (privacy@morphee.app). Whether a Data Protection Officer must be formally designated under Art. 37 will be assessed as the user base grows.
2. What Data We Collect
2.1 Account Data
- Email address — for authentication and account recovery
- Name — for personalization and display within your group
- Password — stored as a hash by our authentication provider (Supabase Auth)
- Role — your role within each group you belong to (e.g., owner, admin, parent, member, child)
- Group memberships — the groups you belong to and the date you joined each. A single user may belong to multiple groups (e.g., a family group and a work team). Membership metadata (group_id, role, joined_at) is stored per group in the group_members table and is deleted when you leave the group or delete your account.
2.2 Conversation Data
- Messages — text you send to and receive from the AI assistant
- Conversation metadata — titles, timestamps, space associations
2.3 AI-Extracted Memories
- Facts, preferences, and events — automatically extracted from your conversations to improve the AI's understanding of your group's context
- You can opt out of memory extraction in your settings
2.4 Task & Schedule Data
- Tasks — descriptions, statuses, and assignments you create
- Schedules — recurring events and reminders you configure
2.5 Third-Party Integration Data
- Google account email — when you connect Google Calendar or Gmail
- Calendar events and email metadata — accessed via Google APIs with your explicit consent
2.5.1 Parent/Guardian Data (GDPR Art. 14)
When a minor creates an account, we collect their parent/guardian's email address to verify parental consent (GDPR Art. 8). This email is:
- Used solely to send the consent verification email
- Automatically deleted 30 days after consent is verified
- Not shared with any third party
- Subject to the same rights as any personal data — the parent can request its removal at any time by contacting privacy@morphee.app
2.5.2 Biometric Data (GDPR Art. 9 — Special Category)
Morphee supports face and voice recognition for child identity verification. This data is classified as special category data under GDPR Art. 9(1) ("biometric data for the purpose of uniquely identifying a natural person"). We process it under Art. 9(2)(a) — your explicit consent.
What is collected:
- Face recognition — A photo is captured by your device camera and converted to a 128-dimensional mathematical embedding (using the MobileFaceNet model). The original photo is immediately discarded after processing.
- Voice recognition — A voice recording is captured by your device microphone and converted to a 192-dimensional mathematical embedding (using a d-vector CNN model). The original audio is immediately discarded after processing.
Where it is stored:
- Biometric templates are stored exclusively in your device's secure vault (macOS Keychain, Windows Credential Manager, iOS Keychain, or Android secure storage).
- Biometric data is NEVER sent to our servers or any third party.
- The backend only records that a biometric method is registered (method type and verification status) — no biometric data is stored in the database.
Your rights:
- You can delete biometric templates at any time via the child's profile settings.
- When a child account is deleted, biometric templates are automatically removed from the device vault.
- You can withdraw biometric consent at any time in Settings > Privacy > Consent Management.
Retention: Biometric templates are retained in the device vault until you delete the authentication method, delete the child account, or uninstall the application.
2.5.3 Visual Analysis & Screen Capture
Morphee can analyze images, video frames, and screen captures using AI:
- Image/video analysis — When you share an image or video in chat, frames may be sent to Claude AI (Anthropic) for analysis. This requires the video_analysis consent, separate from text chat consent.
- Screen capture (desktop only) — You can share your screen with the AI. Screen captures are sent to Claude AI for analysis. This requires the screen_capture consent.
- Gesture recognition — Camera-based gesture recognition is processed entirely on your device. No gesture data is stored or transmitted.
Visual data is transient — it is not stored after processing. It is sent to Anthropic under the same security and data protection measures as chat messages (see Section 4.1).
2.6 Technical Data
- Authentication tokens — stored locally on your device
- Device push tokens — for mobile notifications (if enabled)
- Theme preferences — stored locally in your browser
- Normalized browser/platform category — when you grant or withdraw consent, we record a normalized category (e.g., "Chrome/Desktop") for audit trail purposes. We do not store your full browser user agent string.
- IP address — processed for account security (legitimate interest; see Section 3)
2.6.1 Local Storage (ePrivacy Art. 5(3))
Morphee uses your browser's localStorage to store the following data locally on your device:
| Key | Purpose | Duration |
|---|---|---|
| access_token | Authentication session (JWT) | Until logout or expiry |
| theme | Your light/dark mode preference | Persistent |
| feature_tour_completed | Whether you've seen the onboarding tour | Persistent |
The theme and tour flag never leave your device. The access token is sent only to Morphee's own API to authenticate your requests and is not shared with any third party. Morphee also sets one strictly necessary HttpOnly cookie holding your refresh token (see Section 7). This storage is required for the application to function. You can clear it at any time via your browser settings, which will log you out.
2.7 What We Do NOT Collect
- We do not use cookies for tracking or advertising
- We do not collect analytics or telemetry data
- We do not fingerprint your device or browser
- We do not sell or share your data with advertisers
3. Why We Process Your Data (Legal Basis)
| Purpose | Legal Basis (GDPR) | Data Used |
|---|---|---|
| Provide the chat service | Art. 6(1)(b) — Contract performance | Account data, conversations |
| AI memory extraction | Art. 6(1)(a) — Consent | Conversations, extracted memories |
| Send AI responses | Art. 6(1)(b) — Contract performance | Conversations |
| Google Calendar/Gmail integration | Art. 6(1)(a) — Consent | Google account data |
| Push notifications | Art. 6(1)(a) — Consent | Device tokens, notification content |
| Account security | Art. 6(1)(f) — Legitimate interest | Authentication tokens, IP addresses |
| Face biometric enrollment | Art. 9(2)(a) — Explicit consent (biometric_face_enrollment) | Face embeddings (local only) |
| Voice biometric enrollment | Art. 9(2)(a) — Explicit consent (biometric_voice_enrollment) | Voice embeddings (local only) |
| Visual analysis | Art. 6(1)(a) — Consent (video_analysis) | Images, video frames |
| Screen capture | Art. 6(1)(a) — Consent (screen_capture) | Desktop screenshots |
4. Third-Party Processors
We use the following third-party services to provide Morphee:
| Processor | Purpose | Data Shared | Location | Safeguards |
|---|---|---|---|---|
| Anthropic | AI language model (Claude) | Conversation content, injected memories, user name, group name; images, video frames and screen captures when you consent (Section 2.5.3) | United States | [DPA required — pending] |
| Supabase | Authentication (GoTrue) | Email, password hash | [Region dependent] | [DPA required — pending] |
| Google | Calendar & Gmail integration | OAuth tokens, calendar/email data | United States | Google DPA, EU SCCs |
| Apple (APNs) | iOS push notifications | Device token, notification content | United States | Apple DPA |
| Google (FCM) | Android push notifications | Device token, notification content | United States | Google DPA |
Note: Data Processing Agreements (DPAs) with Anthropic and Supabase are pending. Every transfer to the United States additionally requires a documented Chapter V transfer mechanism (EU-US Data Privacy Framework certification or Standard Contractual Clauses).
4.1 Anthropic (Claude AI) — Detailed Disclosure
When you use the chat feature, the following data is sent to Anthropic's Claude API:
- Your messages — the full text of your conversation
- Your name and group name — included in the system prompt for personalization
- Relevant memories — previously extracted facts/preferences injected for context (via RAG)
This data is sent to Anthropic's servers in the United States. Anthropic processes this data solely to generate AI responses and does not use it to train models (per their API Terms of Service).
You must explicitly consent to this data sharing before using chat. You can grant or withdraw this consent at any time in Settings > Privacy > Consent Management. If you withdraw consent, the chat feature will be unavailable until consent is re-granted. You can still use other Morphee features (tasks, spaces, etc.) without this consent.
To avoid sending any data to cloud AI providers, you can use Morphee in self-hosted mode with a local AI model (via the Tauri desktop/mobile app).
5. Your Rights (GDPR Articles 15-22)
You have the following rights regarding your personal data:
5.1 Right of Access (Art. 15)
You can request a copy of all your personal data. Use Settings > Export My Data or call GET /api/auth/export.
5.2 Right to Rectification (Art. 16)
You can update your profile information at any time through Settings > Profile.
5.3 Right to Erasure (Art. 17)
You can delete your account and all associated data. Use Settings > Delete Account or call POST /api/auth/delete-account. This permanently deletes:
- Your user profile
- All your conversations and messages
- All AI-extracted memories attributed to you
- Your tasks, schedules, and notifications
- OAuth connections and vault secrets
- Push notification tokens
- Skills you created
- Consent records (an anonymized audit trail of consent decisions is retained for accountability; see Section 7)
- Biometric templates from your device vault (face and voice)
This action is irreversible.
5.4 Right to Data Portability (Art. 20)
You can export your data in a structured, machine-readable JSON format via the data export feature.
5.5 Right to Object (Art. 21)
You can object to AI memory extraction by disabling it in Settings > Privacy. This stops the automatic extraction of facts, preferences, and events from your conversations.
5.6 Right to Withdraw Consent (Art. 7(3))
You can withdraw consent for any processing activity at any time through Settings > Privacy > Consent Management. Withdrawal does not affect the lawfulness of processing before withdrawal.
5.7 Rights Related to Automated Decision-Making (Art. 22)
Morphee uses AI to extract memories and generate responses. These are assistive features, not automated decisions with legal effects. You can opt out of memory extraction at any time.
6. Data Retention
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Account data | Until account deletion | User request |
| Conversations | Until account deletion | User request or conversation deletion |
| AI memories | Until account or source conversation deletion | Cascade delete |
| OAuth tokens | Until disconnect or account deletion | User disconnect or account deletion |
| Push tokens | Until device unregistration or account deletion | User action |
| Group invites | 7 days after expiry | Automated cleanup (ScheduleRunner) |
| Biometric templates | Until method deletion, child deletion, or app uninstall | Manual deletion or account cascade |
| Visual/screen capture data | Not retained (transient) | Discarded after AI processing |
Note: Stale push tokens are automatically cleaned up after 90 days of inactivity.
7. Data Security (Art. 32)
We implement the following security measures:
- Authentication via industry-standard JWT tokens
- Vault storage for sensitive credentials (OAuth tokens are never stored in the database)
- Group-based isolation — users can only access data within the groups they belong to
- Row-Level Security on database tables
- No tracking or analytics — we collect no telemetry
- Self-hosted option — you can run Morphee on your own infrastructure
Additional measures:
- Encryption at rest for chat messages and AI-extracted memories (Fernet symmetric encryption: AES-128-CBC with HMAC-SHA256 authentication)
- HttpOnly cookies for refresh token storage (Secure, SameSite=Lax)
- Biometric data isolation — templates stored in OS-level vault, never transmitted
- Consent audit trail — consent records preserved (anonymized) after account deletion for accountability (Art. 5(2))
8. Children's Data (Art. 8)
Morphee supports child accounts within family and classroom groups. Children can be added without an email address — they authenticate via PIN, face recognition, or voice recognition.
Protections for children's data:
- Age verification — users under 16 (the GDPR Art. 8 default; some EU member states set a lower threshold, never below 13) or under 13 (US, COPPA) require parental consent before account creation
- Parental consent workflow — a verification email is sent to the parent/guardian; the child cannot use the app until consent is verified
- Biometric data (Art. 9) — face and voice recognition for children requires the parent's explicit Art. 9(2)(a) consent, recorded with audit trail
- Data minimization — child accounts collect only a name, an optional birthdate, and the credential for the chosen sign-in method (a PIN, or a biometric template that stays on the device; see Section 2.5.2); no email is required
- Parent control — parents can delete child accounts and all associated data at any time
9. Self-Hosted Deployment & Data Localization
Morphee is designed with an offline-first, privacy-first architecture. This means:
- Self-hosting keeps data local: When you host Morphee on your own infrastructure (e.g., within the EU/EEA), your personal data never leaves your servers. This eliminates most cross-border transfer concerns under GDPR Chapter V (Articles 44-49).
- You are the data controller: You decide where data is stored, how long it is retained, and who has access.
- Local AI eliminates cloud data sharing: The Tauri desktop and mobile apps can run AI models locally on your device using ONNX (desktop) or candle (mobile). When using local AI, no conversation data is sent to any cloud provider.
- Minimal external dependencies: In self-hosted mode with local AI enabled, the only remaining external data transfers are push notifications (if enabled) and any third-party integrations you explicitly connect (Google Calendar, Gmail).
- EU data residency: When Morphee is deployed on EU-based infrastructure, the core application involves no international transfer under Chapter V, so neither DPF certification nor Standard Contractual Clauses are needed for it. Transfers still occur for any cloud AI provider, push notification service, or Google integration you choose to enable.
10. Changes to This Policy
We will notify you of significant changes to this privacy policy through the application. The latest version is always available at [URL to be determined].
11. Contact & Complaints
For privacy inquiries or to exercise your rights:
- Email: [privacy@morphee.app]
- In-app: Settings > Privacy
You have the right to lodge a complaint with your local data protection supervisory authority (e.g., CNIL in France, ICO in the UK).
This privacy policy was drafted on 2026-02-13 and requires legal review before publication.