Privacy Policy

Last updated: April 11, 2026

Plain English summary: Morphsage reads your emails and calendar only to do the job you hired it for — drafting replies and booking viewings. We never sell your data, never use it for advertising, and never share it with anyone except the sub-processors listed below who are contractually bound to the same standard.

1. Who We Are

Morphsage is operated by Christopher Ndi, based in Belgium. We are the data processor — you (the agent) are the data controller for your clients' data. This distinction matters under GDPR.

Contact: privacy@morphsage.ai

2. What Data We Collect

Data	Why we collect it	Stored where
Your name, title, brokerage, phone	Personalise AI-drafted replies with your signature and tone	Supabase (EU region)
Your email address	Account login and daily digest delivery	Supabase (EU region)
Gmail OAuth tokens	Read incoming emails and save draft replies to your Gmail	Supabase — encrypted with AES-256-GCM
Incoming email metadata (sender, subject, date, snippet)	Categorise emails and generate contextual replies	Supabase (EU region)
Email body content	Sent to Claude AI to generate a draft reply — not stored in full	Passed to Anthropic API, not persisted by Morphsage
Google Calendar availability	Find a free slot and book a viewing automatically	Not stored — queried and discarded
Calendly URL	Included in draft replies for booking requests	Supabase (EU region)
Subscription and billing data	Process monthly payments	Stripe (not stored by Morphsage beyond a customer ID)

3. What We Do NOT Do

We do not sell your data or your clients' data to any third party.
We do not use your emails for advertising or profiling.
We do not use your data to train AI models. Email content is sent to Anthropic's API under their zero-data-retention policy for API calls.
We do not share data between agents — each account is fully isolated with row-level security.
We do not access your emails manually. All processing is automated.

4. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

Contract performance (Art. 6(1)(b)) — processing necessary to deliver the service you subscribed to.
Legitimate interest (Art. 6(1)(f)) — security logging and fraud prevention.
Consent (Art. 6(1)(a)) — for optional communications such as the daily digest (you can opt out at any time).

5. Sub-Processors

We share data with the following sub-processors, each bound by a Data Processing Agreement:

Service	Purpose	Location
Supabase	Database, authentication	EU (AWS eu-west-1)
Railway	Application hosting	US (with SCCs in place)
Anthropic	AI email categorisation and draft generation via Claude API	US (API calls, zero data retention for API)
Google	Gmail API and Google Calendar API access	EU / US
Resend	Sending daily digest emails	US (with SCCs in place)
Stripe	Subscription billing	US / EU

SCCs = Standard Contractual Clauses (EU-approved mechanism for transfers outside the EEA).

6. Data Retention

Email history (metadata + draft previews): retained for 12 months, then automatically deleted.
Account data (profile, tokens): retained for the duration of your subscription. Deleted within 30 days of account cancellation.
Billing records: retained for 7 years as required by Belgian tax law.
Email body content: never stored by Morphsage — passed to Anthropic and discarded.

7. Your Rights Under GDPR

As a data subject in the EU, you have the following rights:

Right of access — request a copy of all data we hold about you.
Right to rectification — correct inaccurate data via your profile settings.
Right to erasure — delete your account and all associated data from the Settings page. We process deletion within 30 days.
Right to data portability — request an export of your data in JSON format.
Right to object — opt out of any non-essential processing.
Right to lodge a complaint — with the Belgian Data Protection Authority (GBA/APD) at dataprotectionauthority.be.

To exercise any of these rights, email privacy@morphsage.ai. We will respond within 30 days.

8. Security

Gmail OAuth tokens are encrypted at rest using AES-256-GCM before storage.
All data is transmitted over TLS (HTTPS).
Database access uses row-level security — each agent can only access their own data.
Access to production systems is restricted to authorised personnel only.
We maintain an audit log of sensitive actions (logins, data exports, account deletions).

9. Cookies

Morphsage uses a single session cookie to keep you logged in. We do not use tracking cookies, advertising cookies, or any third-party analytics.

10. Changes to This Policy

If we make material changes, we will notify you by email at least 14 days before the change takes effect. The latest version is always available at app.morphsage.ai/privacy.

11. Contact

For any privacy-related questions or requests:

Email: privacy@morphsage.ai
Controller: Christopher Ndi, Belgium