Privacy Policy
Effective date: [DATE]
Template — review with a lawyer before launch. Replace placeholders; confirm it matches what you actually store. Add GDPR/CCPA if you serve the EU/California.
The guiding principle: your code and project data stay on your machine. The cloud only handles account, billing, and AI routing.
What we collect
- Account: email and a hashed password (cloud sign-in only).
- Billing: via Stripe; we store plan, seat count, and Stripe ids — never full card details.
- AI usage metering: per-request token counts, model, cost for cloud-gateway calls (quotas + billing).
- Operational logs: minimal request/error logs; never tokens, secrets, or prompt/code content.
What we do NOT collect
- Your source code, repos, files, or local board data — they never leave your machine.
- Anything if you use Morning locally without signing in (BYO keys = no cloud contact).
AI requests
Cloud AI forwards your prompt to a third-party model provider (e.g. via OpenRouter), returns the response, and meters the call — we do not retain its content. BYO-key requests never touch our servers.
Cookies
The cloud uses one httpOnly session cookie for sign-in. The marketing site sets no tracking cookies.
Third parties
- Stripe — payments.
- AI model provider(s) — inference.
- Hosting/CDN — Cloudflare, [cloud host].
Retention & your rights
We keep account + usage records while active and as required for tax/accounting. Request access or deletion at [contact email]. Deleting your account stops cloud processing; local data is yours.
Contact
[contact email] · [Provider], [Jurisdiction].