Privacy Policy

When you connect your Google account, here is exactly what we access and how we use it:

• •Login scopes: We request openid, email, and profile for Google sign-in. This gives us your name, email address, and profile picture.
• •Gmail scope: If you enable the email automation feature, we request gmail.readonly access. This means we can read your incoming emails but we can never modify, delete, or send emails on your behalf.
• •Calendar scope: If you connect Google Calendar, we request calendar access (read and write). This allows Mursa to read your events for daily planning and to create, update, or delete calendar events on your behalf — for example, scheduling meetings or blocking focus time directly from your task list.
• •Real-time processing: Email content is processed in memory only. The original email body is not stored in our database. We save only the AI-extracted task (title, description, priority) and email metadata (sender, subject, date) so you can trace tasks back to the original email.
• •Smart filtering: Routine emails like bank notifications, newsletters, marketing, and automated alerts are automatically filtered out without being sent to any AI service.
• •Push notifications: We use Google Cloud Pub/Sub to receive real-time notifications when new emails arrive. Only your email address and a history identifier are transmitted — no email content is included in these notifications.
• •OAuth tokens: Your Google OAuth tokens are encrypted at rest using AES-256-GCM and stored server-side only. They are never exposed to your browser, third parties, or logged in plain text.

If you connect Slack or WhatsApp, Mursa uses them for one purpose only: creating tasks from your messages. Here is exactly what that means:

• •Task extraction only: We read messages solely to identify actionable items and create tasks. We do not monitor, analyze, or store your conversations.
• •No message storage: Message content is processed in real time and immediately discarded. We save only the AI-extracted task and basic metadata (sender, date, channel).
• •Read-only access: We can never send, modify, or delete messages in your Slack workspace or WhatsApp account.
• •No conversation analysis: We do not build profiles, analyze sentiment, track topics, or perform any analysis on your messaging data beyond task extraction.
• •OAuth tokens: Your Slack and WhatsApp OAuth tokens are encrypted at rest using AES-256-GCM and stored server-side only.
• •Disconnect anytime: You can revoke Slack or WhatsApp access at any time from your Settings. This immediately removes all access.

We use third-party AI services to power two features: email triage and the AI planner. Here is what that means for your data:

• •Email triage (OpenAI): When a new email passes our pre-filters, the email subject, sender, and body text (truncated to 4,000 characters) are sent to OpenAI's API (GPT-4o-mini) to determine if it contains an actionable task. We do not send attachments, images, or account credentials.
• •AI planner (Google Gemini): When you use the AI planner chat feature, your prompts are sent to Google's Gemini API. Your email content is never sent to Gemini — only your planner conversation messages.
• •No AI training: Data sent through the OpenAI and Google Gemini APIs is not used for training their models, as per their respective API data usage policies. We do not opt in to any training programs.
• •No permanent storage by AI providers: As per OpenAI's API data retention policy, data sent via their API is retained for up to 30 days for abuse monitoring, then deleted. Google Gemini API data is processed transiently and not stored for model improvement.
• •Mursa does not train AI: We do not use any of your data (email content, summaries, tasks, or any other personal information) to train, fine-tune, or improve any AI or machine learning model.