Skip to main content

Privacy Policy

Last Updated: June 2026

Data Controller

ShakTech Labs LLC
Georgia, United States
team@getmorphe.us

ShakTech Labs LLC is the data controller for personal data processed in connection with your use of Morpheus, as defined under GDPR Article 4(7) and the California Consumer Privacy Act.

1. Introduction

This Privacy Policy describes how ShakTech Labs LLC ("we", "us", "our") handles your data in connection with the Morpheus application ("the Software"). Morpheus is a mobile-to-machine AI agent control application.

The short version: Morpheus uses a local-first architecture — most data stays on your devices. However, certain features rely on cloud services (authentication, sync, subscriptions, AI processing, voice, and remote access) that involve data being transmitted to or stored on third-party servers. This policy explains exactly what goes where.

2. Data Stored Locally

Morpheus stores the following data on your devices:

Device and Pairing Information

  • Device names you assign to paired devices
  • ECDH public keys for end-to-end encryption
  • Connection endpoints (local network addresses, relay device identifiers)
  • Temporary pairing codes

Command and Session Data

  • Command history sent from mobile to the Morpheus Agent
  • AI agent responses and outputs
  • Session metadata (timestamps, identifiers, connection status)

User Preferences

  • Application settings (theme, voice mode, layout, Claude model selection)
  • Connection preferences (auto-connect, default mode)
  • Permission profiles and watcher configurations

Long-Term Memory (Desktop Agent)

  • Personal preferences, conversation summaries, goals, and behavioral patterns in a local SQLite database
  • This data is stored locally and never transmitted to any server
  • You can delete it at any time by removing the database from the Morpheus data directory

Local Analytics (Mobile)

  • Command counts, duration, model/token usage for the in-app analytics dashboard
  • Stored only on your device — never sent externally

3. Data Stored in the Cloud

Morpheus uses Supabase (a hosted PostgreSQL service) for server-side features:

  • Anonymous accounts: A unique user ID and session (no email or personal info required)
  • Sync (optional): Settings, recent command history (last 100), and sound preferences
  • Token balance: Usage tracking for the managed Claude API proxy
  • Transaction ledger: Token purchases, usage, and refunds
  • Waitlist / sign-up (if applicable): Email address and IP address for early access notifications

All Supabase data is protected by row-level security — each user can only access their own data. Device pairings, encryption keys, and long-term memory are never synced.

4. What Is NOT Collected

  • No behavioral analytics sent externally (local analytics stay on-device)
  • No advertising data: No ad tracking, fingerprinting, or marketing identifiers
  • No location data: No GPS, IP geolocation, or location tracking
  • No contacts or browsing history

4a. Error Reporting

Sentry captures anonymous crash reports (stack traces only — no personal data, commands, or AI responses).

4b. Telemetry (Desktop, Optional)

The desktop agent can optionally send performance telemetry (traces, metrics, logs) to Grafana Cloud via OpenTelemetry. This does not include command content, AI responses, or personal data. Can be disabled in configuration.

5. Local Storage Locations

  • Agent (macOS): ~/Library/Application Support/Morpheus/
  • Agent (Windows): %APPDATA%/Morpheus/
  • Agent (Linux): ~/.config/Morpheus/
  • Mobile (iOS): Keychain for keys, app container for settings
  • Mobile (Android): Keystore for keys, app storage for settings

Delete local data at any time by uninstalling the application or clearing app data. For server-side data, contact team@getmorphe.us for deletion.

6. Encryption

  • Key Exchange: Elliptic Curve Diffie-Hellman (ECDH)
  • Message Encryption: TweetNaCl (XSalsa20-Poly1305) with unique nonces per message
  • Scope: All command/response payloads, screenshots, and control messages between devices
  • Key Storage: Platform-specific secure storage (Keychain, Keystore, safeStorage)

7. Remote Access (Relay)

When your phone and desktop are on the same network, Morpheus connects directly over your LAN and no traffic leaves your network. When they are on different networks, traffic is routed through a relay server we operate (hosted on Fly.io):

  • The relay forwards data only — all message content stays end-to-end encrypted with the secret established when you paired the devices, so the relay (and we) cannot read it
  • The relay processes connection metadata to route traffic: your stable device identifier, IP addresses, and connection timestamps. Message payloads are never logged
  • The desktop maintains an outbound connection to the relay, so your phone can reach it without exposing your machine to the public internet
  • You can disable the relay and run LAN-only at any time via your desktop configuration

8. Voice Data

Voice mode is opt-in and disabled by default. When enabled:

  • Speech is transcribed on-device using the platform's native speech recognition engine — no audio sent externally
  • Text-to-speech responses are generated via ElevenLabs, proxied through Supabase Edge Functions
  • ElevenLabs receives the text of AI responses for voice synthesis
  • Generated audio is played and auto-deleted — no audio permanently stored
  • See ElevenLabs' Privacy Policy

9. Screenshots (Desktop)

When requested, the desktop agent captures your screen and sends it to your mobile device over the encrypted connection. Screenshots are not sent to external servers unless explicitly included in AI command context.

Note: Because Morpheus can capture your screen, screenshots may incidentally contain personal information, financial data, or other sensitive content visible on your desktop at the time of capture. This content is transmitted only to your paired mobile device over the encrypted connection.

10. Notification Bridge (Android, Optional)

Captures notifications from apps you specify via allowlist/blocklist. Data is forwarded only to your paired desktop over the encrypted connection — never to any cloud service.

11. Watchers (Desktop, Optional)

Optional monitoring features requiring your explicit OAuth consent:

  • Email/Calendar (Google): Read-only access to emails and events
  • Slack: Channel monitoring with your granted scopes
  • File/Process/System: Local monitoring only, no external data sharing

All watcher data goes only to your paired mobile device. OAuth tokens stored in the encrypted credential vault.

Google API Limited Use Disclosure: Morpheus's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

12. Third-Party Services

  • Anthropic (Claude) — AI processing. Instructions and context sent. (Privacy)
  • Supabase — Auth, sync, tokens. Anonymous user data stored. (Privacy)
  • ElevenLabs — Voice TTS (optional). Response text sent. (Privacy)
  • RevenueCat — Subscriptions. Customer ID and purchase events. (Privacy)
  • Fly.io — Hosts the relay for off-LAN remote access. Connection metadata only (device ID, IP, timestamps); message content is end-to-end encrypted and unreadable by the relay. (Privacy)
  • Sentry — Crash reporting. Technical data only. (Privacy)
  • Grafana Cloud — Telemetry (optional, desktop). Performance data only. (Privacy)
  • Google — Email/calendar watchers (optional). Read-only API access. (Privacy)
  • Slack — Slack watcher (optional). Channel monitoring. (Privacy)

Anthropic and Supabase are contacted during normal app operation. All other services only when you enable the feature.

13. Data Retention

  • Local data retained until you delete it; long-term memory persists with confidence decay
  • Cloud data (Supabase) retained while your account exists; contact us for deletion within 30 days
  • Third-party retention governed by each service's own policies

14. Data Controller and GDPR Rights

If you are in the EEA, UK, or Switzerland, the data controller is ShakTech Labs LLC, Georgia, United States, team@getmorphe.us.

Lawful Basis for Processing

  • Legitimate interest (Art. 6(1)(f)): Local device data processing and minimum cloud infrastructure (anonymous authentication, crash reporting) necessary for the app to function securely
  • Consent (Art. 6(1)(a)): Optional features involving third-party data sharing — voice mode (ElevenLabs), cloud sync, and watchers — are opt-in. You may withdraw consent at any time by disabling the feature
  • Contract performance (Art. 6(1)(b)): Subscription and billing management via RevenueCat

Your GDPR Rights

  • Access (Art. 15): Local data is directly on your device. For cloud data, contact team@getmorphe.us
  • Rectification (Art. 16): Modify data within the app at any time
  • Erasure (Art. 17): Uninstall to erase local data; contact us for cloud data deletion within 30 days
  • Restriction (Art. 18): Disable optional features to restrict third-party data sharing
  • Portability (Art. 20): Command history exportable as JSON/Markdown
  • Object (Art. 21): You may stop using optional features at any time
  • Supervisory authority: You may lodge a complaint with your local data protection authority

Data transfers: AI data to Anthropic (US); voice text to ElevenLabs; sync to Supabase; off-LAN relay connection metadata to Fly.io. Transfers to the US occur on the basis of your consent to use those features.

Contact: team@getmorphe.us for GDPR inquiries. We respond within 30 days (acknowledgement within 72 hours).

15. California Users (CCPA / CPRA)

If you are a California resident:

  • Morpheus does not sell or share personal information for cross-context behavioral advertising
  • Categories of personal information collected: identifiers (anonymous user ID), internet activity (session metadata, crash reports if Sentry fires), inferences (local long-term memory, never transmitted)
  • Right to know: Categories and specific pieces are described in Sections 2–3 and this section
  • Right to delete: Uninstall for local data; contact team@getmorphe.us for cloud data
  • Right to correct: Contact us to correct inaccurate information
  • Right to opt-out of sale/sharing: No sale or sharing occurs; no opt-out needed
  • No discrimination: You will not receive different service quality for exercising privacy rights

16. Children's Privacy

Morpheus is not designed for children under 13 (or 16 in the EEA/UK). ShakTech Labs LLC does not knowingly collect personal information from children. If you believe a child has provided information through the Software, contact team@getmorphe.us.

17. Security

  • End-to-end encryption (ECDH + TweetNaCl) for all device-to-device communications
  • Pairing codes for secure device authentication
  • Encrypted credential vault for API keys and OAuth tokens
  • Row-level security on all server-side data in Supabase
  • Risk classification of AI commands with approval prompts for high-risk operations

18. Changes to This Policy

Changes will be indicated by updating the "Last Updated" date. Significant changes will also be noted in release notes. Continued use of the Software after changes constitutes acceptance.

19. Contact

For questions about this Privacy Policy: team@getmorphe.us

ShakTech Labs LLCgetmorphe.us