Privacy Policy

Last updated: May 7, 2026

This Privacy Policy explains how Morso ("we", "us") collects, uses, and protects your information when you use morso.dev and the Morso API ("Service").

1. Information We Collect

Account information: When you sign in via GitHub OAuth, we receive your GitHub username, email address, and profile ID. We store your email and a unique identifier to manage your account.

API usage data: For each API request, we log the endpoint called, the credit cost, the timestamp, and your customer ID. This data is used for billing, rate limiting, and usage analytics visible in your dashboard.

API keys: We store a SHA-256 hash of your API keys. We do not store your full API key after initial creation.

IP addresses: IP addresses are used for rate limiting on free (unauthenticated) endpoints. They are not stored persistently.

Request content: Data you send to API endpoints is processed in memory only. We do not log, store, or inspect request or response payloads. Binary outputs (images, documents) are stored temporarily in object storage and deleted automatically after 24 hours.

2. How We Use Your Information

  • Account management: Authenticating you, managing your API keys.
  • Billing: Tracking credit usage, reporting metered usage to Polar for billing.
  • Rate limiting: Enforcing per-key and per-IP rate limits.
  • Dashboard: Showing your usage history and credit consumption.

3. Third-Party Services

We do not sell your data to third parties. We do not use advertising trackers or analytics services.

4. Cookies

We use a single session cookie for authentication (set by Better Auth). It expires after 7 days of inactivity. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

5. Data Storage and Security

Account and usage data is stored in a SQLite/Turso database. API keys are hashed with SHA-256 before storage. All traffic is encrypted in transit via TLS.

6. Data Retention

  • Account data: Retained until you request deletion.
  • Usage events: Retained for billing and analytics purposes.
  • Temporary files: Binary outputs are deleted after 24 hours.
  • Request content: Not retained — processed in memory only.

7. Your Rights

You have the right to:

  • Access: View your data via the dashboard (usage, API keys, account info).
  • Deletion: Request account and data deletion by emailing [email protected].
  • Portability: Request an export of your usage data.
  • Correction: Update your information by re-authenticating via GitHub.

If you are in the EU/EEA, these rights are provided under the General Data Protection Regulation (GDPR). We will respond to requests within 30 days.

8. Changes

We may update this Privacy Policy at any time. Changes will be posted on this page with an updated date.

9. Contact

Questions about your privacy? Email [email protected].