Privacy Policy

Last Updated: January 2026

1. Introduction

This Privacy Policy describes how Morpheus ("the Software") handles your data. Morpheus is an open-source, mobile-to-desktop AI agent control application.

The short version: Morpheus stores all data locally on your devices. We do not collect, transmit, or store any of your data on external servers. However, optional features (voice mode and remote access) involve third-party services with their own privacy practices.

2. What Data Is Stored

Morpheus stores the following data locally on your devices to function:

Device and Pairing Information

  • Device names you assign to paired devices
  • ECDH public keys for end-to-end encryption
  • Connection URLs (local network addresses or Cloudflare tunnel URLs)
  • Temporary pairing codes

Command and Session Data

  • Command history sent from mobile to desktop
  • AI agent responses and outputs
  • Session metadata (timestamps, identifiers, connection status)

User Preferences

  • Application settings (theme, voice mode, layout)
  • Connection preferences (auto-connect, default mode)

3. What Is NOT Collected

  • No telemetry: No usage statistics, crash reports, or behavioral analytics
  • No analytics: No third-party analytics SDKs
  • No cloud storage: No data stored on any server operated by Morpheus
  • No advertising data: No ad tracking, fingerprinting, or marketing identifiers
  • No account data: No user accounts, emails, or registration required
  • No location data: No GPS, IP geolocation, or location tracking

4. Local Storage

All data generated by Morpheus remains on your devices:

  • Desktop (macOS): ~/Library/Application Support/Morpheus/
  • Desktop (Windows): %APPDATA%/Morpheus/
  • Desktop (Linux): ~/.config/Morpheus/
  • Mobile (iOS): Keychain for keys, app container for settings
  • Mobile (Android): Keystore for keys, app storage for settings

You can delete all data at any time by uninstalling the application or clearing app data through your device's settings.

5. Encryption

  • Key Exchange: Elliptic Curve Diffie-Hellman (ECDH)
  • Message Encryption: TweetNaCl (compact, auditable crypto library)
  • Scope: All command and response payloads between devices
  • Key Storage: Platform-specific secure storage (Keychain, Keystore, safeStorage)

6. Remote Access (Cloudflare Tunnels)

When remote access is active:

  • Encrypted WebSocket traffic passes through Cloudflare's infrastructure
  • Cloudflare can see connection metadata (IPs, timestamps) but not encrypted content
  • Tunnels are temporary and on-demand — no persistent infrastructure
  • See Cloudflare's Privacy Policy

7. Voice Data

Voice mode is opt-in and disabled by default. When enabled:

  • Audio is sent to the OpenAI Realtime API for processing
  • OpenAI returns text transcriptions and voice responses
  • No audio is stored locally by Morpheus beyond the active session
  • See OpenAI's Privacy Policy

8. Third-Party Services

  • OpenAI — Voice mode only. Audio data shared when enabled.
  • Cloudflare — Remote access only. Encrypted traffic routed through their network.

Neither service is contacted unless you explicitly enable the corresponding feature.

9. Data Retention

  • Local data is retained until you delete it
  • You have full control over data retention
  • Third-party retention: see OpenAI and Cloudflare policies

10. International Users (GDPR)

If you are in the EEA, UK, or Switzerland:

  • Lawful basis: Legitimate interest (local data) and consent (opt-in third-party features)
  • Your rights: Access, rectification, erasure, restriction, portability, objection — all exercisable directly on your device
  • Data transfers: Voice data to OpenAI (US); connection metadata via Cloudflare's global network

11. California Users (CCPA)

  • Morpheus does not sell personal information
  • Delete all data by uninstalling the app
  • No discrimination for exercising privacy rights

12. Children's Privacy

Morpheus is not designed for children under 13. We do not knowingly collect data from children.

13. Security

  • End-to-end encryption (ECDH + TweetNaCl)
  • Pairing codes for secure device authentication
  • Encrypted local storage for sensitive credentials
  • No remote data storage, which eliminates server-side breach risk
  • Open-source code allows public security auditing

14. Changes to This Policy

Changes will be indicated by updating the "Last Updated" date. Significant changes will also be noted in release notes.

15. Contact

For questions about this Privacy Policy: hi@shak-tech.com

Repository: github.com/shaktech786/morpheus