Privacy Policy

Last updated: June 2026

The short version: Morgana reads your emails to triage them, then discards the content. We never store email bodies. We never sell your data. You can delete everything at any time.

1. Who We Are

Morgana is an AI email assistant that helps individuals and small teams manage their inboxes. When we say "Morgana," "we," "us," or "our," we mean the Morgana service accessible at morgana-public.onrender.com.

2. What Data We Collect

Account data

Your email address (used to identify your account)
OAuth tokens from Google or Microsoft (stored encrypted, used only to access your inbox on your behalf)
Your Slack OAuth token, if you connect Slack (stored to send you notifications)

Email processing data

For each email Morgana processes, we store:

Sender name and email address
Subject line
Our decision (Draft Reply / Worth Reading / Ignore)
A short AI-generated summary
A draft reply (if applicable)
Confidence score and reasoning

We never store the email body or attachments. The full email content is read in memory to make a decision, then immediately discarded.

Behavioral patterns

We track aggregate interaction patterns — which senders you reply to, how often — to improve Morgana's decisions over time. This is stored as summarized metadata, not raw email content.

Usage analytics

We use Google Analytics (GA4) to understand how people use the Morgana website. This collects anonymized page view and interaction data. See Google's Privacy Policy for details.

3. What Data We Do NOT Collect

Email body content (ever)
Email attachments
Your contacts or calendar
Any data beyond what is listed above

4. How We Use Your Data

To operate the service — triaging your inbox, drafting replies, sending notifications
To improve Morgana's decisions for you — learning your preferences from your actions
To send you notifications — via browser push (Firebase Cloud Messaging) or Slack, only if you enable them

We do not use your data to train AI models for other users or sell it to any third party.

5. Third-Party Services

Morgana integrates with the following external services. Each has its own privacy policy:

Google (Gmail + Gemini AI)

We connect to Gmail via Google OAuth with the gmail.modify scope. This allows us to read emails, mark them as read when archiving, and send replies. Replies are only sent when you explicitly approve a draft — Morgana never sends anything automatically.
Email content is processed by Google Gemini AI to generate decisions and draft replies. Google's data handling for Gemini API calls is governed by Google's Privacy Policy and their API Terms of Service.

Microsoft (Outlook)

We connect to Outlook via Microsoft OAuth with Mail.ReadWrite and Mail.Send scopes to read, triage, and send replies on your behalf. Replies are only sent when you explicitly approve a draft.
Governed by Microsoft's Privacy Statement.

Slack

If you connect Slack, we store your Slack OAuth token to send you direct messages when Morgana completes a scan. We only send messages — we do not read your Slack messages.
Governed by Slack's Privacy Policy.

Firebase Cloud Messaging (Google)

If you enable browser push notifications, your browser's push subscription token is stored and used to deliver notifications via Firebase. No email content is included in push notifications.
Governed by Firebase's Privacy Policy.

Render

Morgana is hosted on Render. Your data is stored on Render's infrastructure. See Render's Privacy Policy.

6. Data Retention

We retain your data for as long as your account is active. If you delete your account, all data — including email decisions, memory, OAuth tokens, Slack tokens, and push subscriptions — is permanently deleted immediately. There is no grace period and no backups that retain your data after deletion.

7. Your Rights

Access — You can view all your stored decisions and memory on the dashboard at any time
Correction — You can edit your passive and active memory in Settings
Deletion — Delete your account in Settings → Danger Zone to erase all data immediately
Revoke access — Remove Morgana's access to your Google or Microsoft account at any time from your account's connected apps settings, independently of deleting your Morgana account

8. Security

OAuth tokens are stored server-side and never exposed to the browser. All communication is over HTTPS. We do not store passwords for OAuth-connected accounts. For email/password accounts, passwords are hashed using bcrypt before storage.

9. Children's Privacy

Morgana is not intended for users under 16 years of age. We do not knowingly collect data from children.

10. Changes to This Policy

If we make material changes to this policy, we will update the "Last updated" date at the top of this page. Continued use of Morgana after changes constitutes acceptance of the updated policy.

11. Contact

Questions about this policy? Contact us at hello@morgana.app.