Privacy Policy

"Morion," "we," and "us" refer to the makers of the Morion desktop app and this website (morion.ai). This policy covers both.

If you want to reach us about anything in this policy, email privacy@morion.ai.

Morion stores everything you write in a single local file on your disk. We do not operate a server that receives, stores, or processes your notes. We have no ability to read them.

The app does not send analytics events, crash reports, usage statistics, or any other telemetry by default. If we ever add optional telemetry, it will be clearly opt-in and documented here before it ships.

The app uses the network in these situations, each of which is documented below:

• To check for new versions via the auto-updater (§5).
• To activate a paid subscription when you purchase one (§6). After activation, license verification is fully offline — no further round-trips.
• To talk to MCP clients you connect (§3). This traffic is local — MCP clients run on the same machine as Morion, and the communication does not leave your device.
• To run Mo or Auto-code if you enable them and connect an LLM provider (§7).

Morion acts as an MCP server running on your local machine. When you connect an AI client like Claude Desktop, Cursor, Cline, or Zed, the client communicates with Morion locally — the traffic does not pass through our servers because we don't have any.

What your AI provider sees: whatever the client sends them. That typically includes your prompts plus any notes Morion returned in response to the client's search and retrieval tool calls. This is governed by the privacy policy of whichever AI provider you use (Anthropic, OpenAI, Cursor, Google, etc.), not ours. We never receive or log these exchanges.

What Morion sees: the tool calls your local MCP client issues. They stay on your machine and are recorded in Morion's audit log (also local) so you can review which AI client read or wrote which note.

Paid extends this with folder-level permissions — you can hide folders from some clients, make them read-only for others, and keep certain folders (like a journal) completely invisible to MCP. These rules run locally.

The marketing site is hosted on Netlify. Netlify operates the servers that deliver these HTML pages to your browser. As part of normal web hosting, Netlify processes standard request metadata — your IP address, user agent, requested URL, timestamp — to serve pages and protect against abuse. That data is handled under Netlify's privacy policy.

Analytics — consent-gated. We use Google Analytics 4 to measure aggregate page views — which pages help people find Morion, which queries bring them here, and where they bounce. GA4 is loaded by Klaro, an open-source consent manager. On your first visit Klaro shows a notice. If you decline, no analytics script loads and no analytics cookie is set. If you accept, Google Analytics sets one cookie family (_ga, _ga_<container>) and reports your visit with IP anonymisation enabled. Your choice is stored in a first-party klaro cookie that lasts 180 days. You can change it any time via the Privacy link in the footer, which re-opens the Klaro modal.

What GA4 sees, when enabled: pages viewed, time on page, referrer, country (derived from IP, not stored at the IP level), device class, browser. Google's handling is governed by its privacy policy and we have disabled Google Signals and ad-feature data sharing. We do not use GA4 for ad personalisation and have not linked it to any Google Ads account.

Other scripts. Aside from GA4 (consent-gated) and the Klaro consent manager itself (necessary for the consent mechanism — see §4a), we do not embed fonts, tracking pixels, or other third-party scripts on this site — with the single exception of the Stripe Pricing Table widget on /upgrade-pro (see §6) and its own dependencies. No cross-site tracking, no advertising cookies, no fingerprinting.

§4a — The Klaro consent cookie. Klaro itself stores one small first-party cookie called klaro on your device. It contains only your consent choice (which services you allowed) and is essential for the consent mechanism to work — it is what stops us asking again on every page load. Under the GDPR/ePrivacy this falls under the "strictly necessary" exception and does not itself require consent. The cookie holds no personal identifier.

If you submit any form on this site (e.g. a future waitlist for the Linux build, or a contact form), your email address is submitted via Netlify Forms. We receive it for the stated purpose only and will not add it to a mailing list. You can ask us to delete it at any time by emailing privacy@morion.ai.

Marketing emails. We will not send you marketing or promotional emails unless you have explicitly opted in (for example, by ticking a subscribe box that is unchecked by default). Transactional emails — such as a notification that a platform build is ready, your paid receipt, or your license key — are not marketing and will be sent when relevant. Every marketing email, if we ever send one, will include a one-click unsubscribe link.

The Morion macOS app periodically fetches a small manifest file (latest.json) from GitHub Pages to check whether a newer release is available. When a new version is present and you choose to update, the app downloads the signed .dmg from the same GitHub Pages host.

The only data GitHub sees is the standard HTTPS request metadata (IP, user agent, timestamp) for the manifest and DMG URLs. That data is subject to GitHub's privacy policy. We do not receive this data.

You can disable automatic update checks in the app's settings if you prefer to update manually.

Morion's paid tier is an optional subscription. If you upgrade, you'll be redirected to a Stripe-hosted checkout flow. Stripe is a PCI-DSS-compliant payment processor; they collect your billing details (name, email, payment method, country, postal code where required). We never see or store card numbers.

After a successful checkout, Stripe sends the relevant event (via webhook) to a Cloudflare Worker we operate. The Worker does three things, in order:

• Reads your email address + subscription status from the Stripe event.
• Cryptographically signs a license key tied to that email.
• Hands the license key to Resend (see below) for delivery to your inbox.

The Worker is stateless — it keeps no database of its own. Each invocation processes one Stripe event and exits. There is no Morion-side store of "who has an active subscription." Stripe is the single source of truth for subscription status; we ask Stripe every time we need to know. Cloudflare, as the infrastructure provider that runs the Worker, sees the encrypted HTTPS request metadata for each webhook event but not its contents beyond what is necessary to execute the code. Cloudflare's handling of this traffic is governed by Cloudflare's privacy policy.

The license key itself is then delivered to you by email through Resend, an email-delivery service we use (EU data region). Resend sees your email address and the license key text solely for the purpose of delivering that one email. Their handling is governed by Resend's privacy policy.

License verification is fully offline. Once activated, the app re-checks the local HMAC signature and the embedded expires_at timestamp on every launch and at runtime. No subscription-status request is sent after activation. If the license expires (or you don't renew), the app falls back to Free at the next local license check — no network call is needed to make that happen.

Stripe's handling of your payment details is governed by Stripe's privacy policy.

You can manage or cancel your subscription at any time from the subscription panel inside Morion, which opens the Stripe billing portal. Cancelling stops auto-renewal — the existing license stays valid until the period it was issued for ends, then the app falls back to Free at the next launch. To additionally request deletion of your email from Stripe and from Resend's delivery logs, email privacy@morion.ai.

Mo is the paid AI layer that answers questions, drafts from local activity, and turns tickets into work packets for your agents. Auto-code is the build/review workflow harness (currently closed beta) on the same tier. Both call large-language-models to generate responses, and both run on the LLM provider you connect.

How the data flows: you bring your own LLM key — OpenRouter, OpenAI, Anthropic, Groq, or a local Ollama. The Mo or Auto-code prompt goes directly from your machine to whichever provider you chose. We never see the prompt contents — we're not in that path at all. Whatever the provider retains is governed by their privacy policy. If you point Mo / Auto-code at a local Ollama, the prompt never leaves your device.

What's in any Mo prompt: only what Mo needs for the current task — typically your question or rule plus the task-scoped work packet: relevant folder activity, linked notes, related tickets, decisions, risks, questions, and recent changes. Mo never sends your whole notebook. Folders you have hidden from AI are invisible to Mo too.

What's in any Auto-code prompt: each workflow stage gets the ticket, the relevant Mo work packet, and the stage's role-specific instructions. A build stage might use Claude, Codex, or DeepSeek via OpenRouter; a review stage can use a different model. The CLI agent then talks to the LLM provider configured for that stage. Same direct-from-your-machine flow as Mo.

What you control: Mo is opt-in per folder. Auto-code is opt-in per folder and per workflow. You decide which folders are watched, which stay manual, and which stay entirely off-limits. Cancelling your subscription stops both Mo and Auto-code at the end of the billing period.

If neither Mo nor Auto-code is enabled (Free, or paid subscribers who haven't turned them on), no AI-related data leaves your machine through Morion.

For transparency, here is every third party we use and exactly what they see:

We do not use ad networks, social-media trackers, session-replay tools, or customer-data platforms. We do not sell, rent, or share any personal data with third parties for marketing.

Waitlist emails are kept until we've notified you about the relevant platform build or until you ask us to delete them — whichever comes first.

Paid subscription records are kept for as long as your subscription is active plus the minimum period required for tax and accounting compliance in the relevant jurisdiction (typically 7 years for financial records). You can request deletion of the non-required personal data at any time.

Wherever you live, and regardless of whether local law requires it, you can:

• Access — ask us what personal data we hold about you.
• Correct — ask us to update anything that's wrong.
• Delete — ask us to erase your data (except records we must keep for legal or accounting reasons).
• Export — ask for a copy of your data in a portable format.
• Object — tell us to stop processing your data for a given purpose.
• Complain — if you're in the EEA or UK, lodge a complaint with your local data protection authority.

To exercise any of these rights, email privacy@morion.ai. We respond within 30 days.

Because your notes never leave your machine, an "access" or "export" request for your note contents is satisfied by opening Morion and using File → Export. We genuinely can't do that for you — we've never seen them.

Morion is available worldwide. Netlify, Stripe, Cloudflare, GitHub, OpenRouter, Groq, and Google Analytics operate globally and may process data in countries other than your own, including the United States. Resend email delivery runs in the EU data region. Where required, our third parties rely on Standard Contractual Clauses or equivalent safeguards to transfer personal data out of the EEA and UK. Google Analytics is configured with IP anonymisation and operates under Google's EU-US Data Privacy Framework certification for transatlantic transfers.

If you're in the EEA, UK, or Switzerland, you have the rights outlined in §10 under the GDPR. If you're in California, you have the rights outlined under the CCPA/CPRA — the same list, different law.

Morion is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has given us personal data, email privacy@morion.ai and we'll delete it.

The strongest thing we do for your security is store your notes only on your disk — no server-side database to breach, no cloud credential to leak. Your physical device's security is the perimeter.

For the limited data we do hold (waitlist emails and subscription records), we use encrypted transport (HTTPS), well-known hosting providers, and industry-standard access controls. If we ever have a breach affecting user data, we'll notify affected users without undue delay.

If we change this policy, we'll update the "Last updated" date at the top and, for material changes, notify users via the website and — where we have their email — by email. Continued use of Morion after a change means you accept the revised policy.

Questions, rights requests, complaints, or anything else:
privacy@morion.ai