Privacy Policy

Privacy Policy

Last updated: March 1, 2025 · Effective: March 1, 2025

Plain-English summary: We collect the minimum data needed to provide the service. Your business data stays yours. We don't sell it. You can request deletion any time.

1. Data We Collect

1.1 Account Data

When you register, we collect your name, email address, and (optionally) phone number, job title, and company name. OAuth sign-ins provide only the email and display name granted by the provider.

1.2 Usage Data

We collect anonymised logs of API calls, page views, feature usage, and system events to operate and improve the Service. These logs are retained for 90 days.

1.3 Business Data

Data you create inside Murphy System — channels, workflows, agent outputs, documents — is your data. We process it solely to provide the Service and do not use it to train AI models without explicit consent.

1.4 Payment Data

Payments are processed by Stripe. We store only a Stripe customer ID and subscription status; we never store raw card numbers or CVV codes.

2. How We Use Your Data

  • Operate, maintain, and improve the Murphy System platform
  • Authenticate users and enforce access controls
  • Process payments and manage subscriptions
  • Send transactional emails (password resets, invoices, critical alerts)
  • Provide customer support and respond to enquiries
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not use your data for advertising, sell it to third parties, or share it with third parties except as described in Section 3.

3. Data Sharing

We share data only in the following limited circumstances:

  • Service providers: Infrastructure vendors (Hetzner, AWS), payment processor (Stripe), transactional email (e.g. SendGrid) — all under strict data processing agreements
  • Legal requirements: When required by law, court order, or to protect rights and safety
  • Business transfers: In connection with a merger or acquisition, with notice to users
  • With your consent: Any other sharing requires your explicit, opt-in consent

4. Data Retention

We retain your data for as long as your account is active. Upon account deletion:

  • Personal account data is deleted within 30 days
  • Business data (channels, workflows, agent outputs) is deleted within 30 days
  • Anonymised usage logs may be retained for up to 12 months for security analysis
  • Financial records are retained for 7 years as required by law

5. Cookies & Tracking

We use a minimal set of cookies:

  • Session cookies: Required for authentication. Deleted when you close your browser.
  • Preference cookies: Store your theme preference (light/dark). 1-year expiry.
  • Analytics: We use privacy-preserving, self-hosted analytics only. No third-party trackers.

We do not use advertising cookies or third-party tracking pixels.

6. Security

We implement industry-standard security measures including:

  • TLS 1.3 encryption in transit for all data
  • AES-256 encryption at rest for sensitive fields
  • Bcrypt password hashing (never stored in plaintext)
  • SOC 2-aligned security practices and immutable audit logs
  • Regular penetration testing and vulnerability scanning

7. GDPR — Your Rights (EU/EEA Residents)

If you are located in the EU or EEA, you have the following rights under the General Data Protection Regulation:

Access
Request a copy of the personal data we hold about you.
Rectification
Request correction of inaccurate or incomplete data.
Erasure
Request deletion of your personal data ("right to be forgotten").
Portability
Receive your data in a structured, machine-readable format.
Restriction
Request that we restrict processing of your data in certain circumstances.
Objection
Object to processing based on legitimate interests.

To exercise any right, email privacy@murphy.ai. We will respond within 30 days. Our legal basis for processing is primarily contract performance and legitimate interests.

8. CCPA — California Residents

Under the California Consumer Privacy Act (CCPA), California residents have the right to:

  • Know what personal information is collected about you
  • Know whether your personal information is sold or disclosed, and to whom
  • Opt out of the sale of personal information (we do not sell data)
  • Access your personal information
  • Request deletion of your personal information
  • Not be discriminated against for exercising your CCPA rights

To submit a CCPA request, contact privacy@murphy.ai or use the data export / delete options in your account settings.

9. Children's Privacy

Murphy System is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If we become aware that a child has provided personal data, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification at least 14 days before they take effect. The "Last updated" date at the top of this page will reflect the most recent revision.

11. Contact

For privacy enquiries, data requests, or to contact our Data Protection Officer:
privacy@murphy.ai
Inoni Limited Liability Company · United States

For legal matters see our Terms of Service.