Morphee Records of Processing Activities (ROPA)

Status: DRAFT | Living document — update when processing activities change.

Prepared pursuant to GDPR Article 30.

Last updated: 2026-02-21


1. Controller Information (Art. 30(1)(a))

| Field | Value |
|---|---|
| Controller name | [Legal entity name] |
| Address | [Registered address] |
| Contact | [privacy@morphee.app] |
| DPO | Sébastien Mathieu (privacy@morphee.app) — Art. 37 formal appointment pending scale assessment |
| EU Representative (if applicable) | [Art. 27 — required if controller outside EU] |

2. Processing Activities

2.1 User Authentication

| Field | Value |
|---|---|
| Purpose | Account creation, login, session management |
| Lawful basis | Art. 6(1)(b) — Contract performance |
| Data subjects | All registered users |
| Data categories | Email, name, password hash, authentication tokens, SSO provider metadata |
| Recipients | Supabase Auth (processor) — [DPA pending] |
| Transfers | US (if Supabase managed) or none (if self-hosted) |
| Retention | Until account deletion |
| Security measures | bcrypt password hashing, JWT tokens, rate limiting |

2.2 Conversational AI Chat

| Field | Value |
|---|---|
| Purpose | AI-powered conversational assistance |
| Lawful basis | Art. 6(1)(a) — Consent (llm_data_sharing) |
| Data subjects | Users who use the chat feature |
| Data categories | Chat messages, conversation metadata, user name, group name |
| Recipients | Anthropic (processor) — [DPA pending] |
| Transfers | United States (Anthropic API) |
| Retention | Until conversation or account deletion |
| Security measures | Consent enforcement, group-based isolation, TLS in transit |

2.3 AI Memory Extraction

| Field | Value |
|---|---|
| Purpose | Automatic extraction of facts, preferences, and events from conversations to improve AI context |
| Lawful basis | Art. 6(1)(a) — Consent (memory_extraction) |
| Data subjects | Users who have not opted out of memory extraction |
| Data categories | Extracted facts, preferences, events, embedding vectors, source conversation references |
| Recipients | Anthropic (for extraction LLM call); stored locally in PostgreSQL + Git |
| Transfers | United States (Anthropic API, for extraction call only) |
| Retention | Until memory deletion, source conversation deletion, or account deletion |
| Security measures | User opt-out, consent mechanism, cascade delete, right to rectification |

2.4 Task Management

| Field | Value |
|---|---|
| Purpose | Creating, tracking, and managing tasks within groups |
| Lawful basis | Art. 6(1)(b) — Contract performance |
| Data subjects | Group members who create or are assigned tasks |
| Data categories | Task title, description, status, assignee, due date |
| Recipients | None external |
| Transfers | None |
| Retention | Until task deletion or account deletion |
| Security measures | Group-based isolation, authentication |

2.5 Space Management

| Field | Value |
|---|---|
| Purpose | Organizing conversations, tasks, and memories into contexts |
| Lawful basis | Art. 6(1)(b) — Contract performance |
| Data subjects | Group members |
| Data categories | Space name, description, parent-child relationships |
| Recipients | None external |
| Transfers | None |
| Retention | Until space deletion or group deletion |
| Security measures | Group-based isolation |

2.6 Google Calendar Integration

| Field | Value |
|---|---|
| Purpose | Reading and managing calendar events via AI assistant |
| Lawful basis | Art. 6(1)(a) — Consent (google_calendar) |
| Data subjects | Users who connect Google Calendar |
| Data categories | OAuth tokens, calendar events (title, time, attendees, description) |
| Recipients | Google (processor) — Google DPA applies |
| Transfers | United States (Google APIs) |
| Retention | Tokens until disconnect; event data not persisted (read-through) |
| Security measures | OAuth2, token stored in VaultProvider (not DB), user-initiated only |

2.7 Gmail Integration

| Field | Value |
|---|---|
| Purpose | Reading and composing emails via AI assistant |
| Lawful basis | Art. 6(1)(a) — Consent (google_gmail) |
| Data subjects | Users who connect Gmail |
| Data categories | OAuth tokens, email metadata (subject, sender, date), email body |
| Recipients | Google (processor) — Google DPA applies |
| Transfers | United States (Google APIs) |
| Retention | Tokens until disconnect; email data not persisted (read-through) |
| Security measures | OAuth2, VaultProvider, user-initiated only, restricted scopes |

2.8 Push Notifications

| Field | Value |
|---|---|
| Purpose | Delivering real-time notifications to mobile devices |
| Lawful basis | Art. 6(1)(a) — Consent (push_notifications) |
| Data subjects | Users who enable push notifications |
| Data categories | Device token (opaque), notification title and body |
| Recipients | Apple APNs (iOS), Google FCM (Android) |
| Transfers | United States (Apple, Google) |
| Retention | Tokens cleaned up after 90 days of inactivity |
| Security measures | Consent mechanism, stale token cleanup, TLS |

2.9 Group & Member Management

| Field | Value |
|---|---|
| Purpose | Creating groups, inviting members, managing roles |
| Lawful basis | Art. 6(1)(b) — Contract performance; Art. 6(1)(f) — Legitimate interest (invites) |
| Data subjects | Group members and invited persons |
| Data categories | Group name, member roles, invite emails, invite status |
| Recipients | None external |
| Transfers | None |
| Retention | Member data until removal/deletion; expired invites cleaned up automatically |
| Security measures | Group-based isolation, invite expiry (7 days), automated cleanup |

2.10 Scheduling (Cron)

| Field | Value |
|---|---|
| Purpose | Running scheduled tasks and reminders |
| Lawful basis | Art. 6(1)(b) — Contract performance |
| Data subjects | Users who create schedules |
| Data categories | Schedule name, description, cron expression, next run time |
| Recipients | None external |
| Transfers | None |
| Retention | Until schedule deletion or account deletion |
| Security measures | Group-based isolation |

2.11 Notification System

| Field | Value |
|---|---|
| Purpose | In-app notification delivery |
| Lawful basis | Art. 6(1)(b) — Contract performance |
| Data subjects | All users |
| Data categories | Notification title, body, read status, timestamps |
| Recipients | None external (in-app only; push handled separately in 2.8) |
| Transfers | None |
| Retention | Until account deletion [retention policy pending] |
| Security measures | User-level filtering, group-based isolation |

2.12 Multi-Group Membership (migration 021)

| Field | Value |
|---|---|
| Purpose | Enabling users to belong to multiple groups (family + work team, teacher + parent, etc.) with per-group roles and access control |
| Lawful basis | Art. 6(1)(b) — Contract performance |
| Data subjects | All registered users |
| Data categories | group_id (reference), user_id (reference), role (owner/admin/member/child), joined_at (timestamp) |
| Recipients | None external |
| Transfers | None |
| Retention | Until user leaves the group (CASCADE on group_members) or deletes account (CASCADE on users) |
| Security measures | Group-based isolation, role-checked authorization, cascade deletion |

Added 2026-02-20: covers group_members table introduced in migration 021.

2.13 Biometric Face Enrollment (V1.3)

| Field | Value |
|---|---|
| Purpose | Child identity verification via face recognition |
| Lawful basis | Art. 9(2)(a) — Explicit consent (biometric_face_enrollment); parent grants consent on behalf of child |
| Data subjects | Children in family/classroom groups |
| Data categories | 128-dimensional face embedding (MobileFaceNet model), enrollment timestamp, method verification status |
| Recipients | None — biometric templates stored exclusively in local device vault (Keychain/OS vault) |
| Transfers | None — data never leaves the device |
| Retention | Until authentication method deleted, child account deleted, or application uninstalled |
| Security measures | OS-level vault (hardware-backed on iOS), explicit consent enforcement, cascade deletion on child removal, event-driven vault cleanup |

Added 2026-02-21: covers face biometric enrollment (V1.3 multimodal identity).

2.14 Biometric Voice Enrollment (V1.3)

| Field | Value |
|---|---|
| Purpose | Child identity verification via voice recognition |
| Lawful basis | Art. 9(2)(a) — Explicit consent (biometric_voice_enrollment); parent grants consent on behalf of child |
| Data subjects | Children in family/classroom groups |
| Data categories | 192-dimensional voice embedding (d-vector CNN model), enrollment timestamp, method verification status |
| Recipients | None — biometric templates stored exclusively in local device vault |
| Transfers | None — data never leaves the device |
| Retention | Until authentication method deleted, child account deleted, or application uninstalled |
| Security measures | OS-level vault, explicit consent enforcement, cascade deletion, event-driven vault cleanup |

Added 2026-02-21: covers voice biometric enrollment (V1.3 multimodal identity).

2.15 Visual Analysis (V1.3)

| Field | Value |
|---|---|
| Purpose | AI-assisted image analysis, video frame analysis, handwriting transcription, diagram interpretation |
| Lawful basis | Art. 6(1)(a) — Consent (video_analysis) |
| Data subjects | Users who share images or video in chat |
| Data categories | Image data (base64), video frames (up to 10 per video, extracted at 5s intervals) |
| Recipients | Anthropic (processor) — [DPA pending] |
| Transfers | United States (Anthropic API) |
| Retention | Not retained — transient processing only, discarded after AI response |
| Security measures | Consent enforcement (separate from text chat), TLS in transit, group-based isolation |

Added 2026-02-21: covers visual analysis integration (V1.3 multimodal interaction).

2.16 Screen Capture (V1.3, Desktop Only)

| Field | Value |
|---|---|
| Purpose | AI-assisted analysis of desktop screen content |
| Lawful basis | Art. 6(1)(a) — Consent (screen_capture) |
| Data subjects | Desktop app users who use screen capture |
| Data categories | Screenshot image (base64 PNG) |
| Recipients | Anthropic (processor) — [DPA pending] |
| Transfers | United States (Anthropic API) |
| Retention | Not retained — transient processing only |
| Security measures | Consent enforcement, desktop-only (not available on mobile/web), TLS in transit |

Added 2026-02-21: covers screen capture feature (V1.3, desktop only).


3. Categories of Data Subjects

| Category | Description | Special Protections |
|---|---|---|
| Adult users | Parents, teachers, managers, employees, contractors | Standard GDPR |
| Children (under 16) | Students in classroom groups, children in family groups | Art. 8 — parental consent required |
| Invited persons | Email addresses of people invited to join a group | Art. 14 — must be informed |

4. International Transfers Summary

| Recipient | Country | Mechanism | DPA Status |
|---|---|---|---|
| Anthropic | US | DPF (self-certified) + SCCs (under review) | Under review |
| Supabase | US / EU | DPF (self-certified) + SCCs / EU hosting (under review) | Under review |
| Google | US | DPF + SCCs | In place (standard) |
| Apple | US | DPF | In place (developer agreement) |

See Transfer Impact Assessment for detailed analysis.


5. Technical and Organizational Security Measures (Art. 30(1)(g))

| Measure | Status |
|---|---|
| Authentication (JWT, bcrypt) | Implemented |
| Group-based data isolation | Implemented |
| VaultProvider for credentials | Implemented |
| TLS in transit | Implemented |
| Rate limiting | Implemented |
| PII removed from logs | Implemented |
| Consent management | Implemented |
| Data subject rights (access, erasure, portability, rectification) | Implemented |
| Encryption at rest | Planned |
| Security monitoring | Planned |
| Breach response plan | Drafted |

6. Retention Schedule

| Data Category | Retention Period | Deletion Mechanism |
|---|---|---|
| User accounts | Until user deletes account | POST /api/auth/delete-account (cascade) |
| Conversations | Until user deletes conversation or account | Manual or cascade |
| AI memories | Until memory/conversation/account deletion | Cascade from conversation or manual forget |
| Tasks & schedules | Until deletion or account deletion | Manual or cascade |
| Notifications | [Policy pending — recommend 90 days] | [Cleanup job pending] |
| Push tokens | 90 days after last use | Automated cleanup |
| Group invites | Deleted after expiry (7 days) | Automated cleanup |
| OAuth tokens | Until disconnect or account deletion | Manual disconnect or cascade |
| Biometric templates | Until method/child/account deletion | Manual or cascade + vault cleanup |
| Visual/screen capture data | Not retained (transient) | Discarded after AI processing |
| Consent audit records | 6 years (statute of limitations) | Anonymized on account deletion |

7. Review Log

| Date | Reviewer | Changes |
|---|---|---|
| 2026-02-13 | Initial draft | Created ROPA covering all 11 processing activities |
| 2026-02-20 | Sébastien Mathieu | Added 2.12: multi-group membership processing (migration 021, group_members table) |
| 2026-02-21 | Claude Code | Added 2.13-2.16: biometric face/voice enrollment, visual analysis, screen capture (V1.3 multimodal). Updated retention schedule with biometric templates and consent audit records. |

This ROPA was drafted on 2026-02-13 and must be maintained as a living document per Art. 30.