MursaBack to home
Your privacy matters

Privacy Policy

Plain English, no legal jargon. Here is exactly how we handle your data.

Last updated: March 2026

The Short Version

Mursa connects to your Gmail (read-only) and optionally your Google Calendar to generate AI-powered action items and help you plan your day. We never store your email content — it is processed in real time and immediately discarded. We save only the AI-extracted task and email metadata (sender, subject, date). We never use your data for AI training. We never sell or share your data with third parties. You can revoke access at any time. That is it.

Our Privacy Principles

No Email Storage

We never store your email content. Emails are processed in real time and immediately discarded after generating your summary and to-dos. Only the AI-extracted task and email metadata (sender, subject, date) are saved.

No AI Training

Your data is never used to train AI models. Not ours, not anyone else's. Your emails stay yours.

Gmail is Read-Only

We can never modify, delete, or send emails on your behalf. Gmail access is strictly read-only. Google Calendar access includes read and write so Mursa can schedule and update meetings for you.

No Selling Data

We do not sell, share, or transfer your personal data or email content to any third parties. Period.

What We Collect & Why

Account Information

  • Email address (for login via Google OAuth)
  • Name (for personalization)
  • Profile picture (from your Google account)

Purpose: To identify you and personalize your experience

Gmail Data (Processed in Real Time)

  • Incoming email content (read-only, never stored — processed in memory only)
  • Email metadata (sender, subject, date) saved alongside extracted tasks
  • AI-generated task title, description, priority, and suggested replies are saved
  • Routine emails (bank notifications, newsletters, marketing) are filtered out automatically without AI processing

Purpose: To generate AI-powered action items from your emails

Google Calendar Data

  • Calendar events and schedule (used for daily planning and scheduling)
  • Event metadata such as title, time, and attendees
  • Mursa can create, update, and delete calendar events on your behalf (e.g., scheduling meetings)

Purpose: To integrate your calendar with daily planning and allow you to schedule and manage meetings from Mursa

Task & Productivity Data

  • Tasks you create or that are extracted from emails
  • Goals, notes, habits, and completion history
  • Focus session data (duration, quality scores)
  • Daily ritual and energy tracking data

Purpose: To power your productivity dashboard

Integration Data (Optional)

  • Slack workspace messages and channels (if connected)
  • Jira, Todoist, or TickTick tasks (if connected)
  • OAuth tokens for connected services (encrypted at rest)

Purpose: To sync tasks and messages from your other tools

Usage Analytics

  • Feature usage patterns
  • Session duration
  • Error logs

Purpose: To improve Mursa and fix bugs

Gmail Integration & Google Data

When you connect your Google account, here is exactly what we access and how we use it:

  • Login scopes: We request openid, email, and profile for Google sign-in. This gives us your name, email address, and profile picture.
  • Gmail scope: If you enable the email automation feature, we request gmail.readonly access. This means we can read your incoming emails but we can never modify, delete, or send emails on your behalf.
  • Calendar scope: If you connect Google Calendar, we request calendar access (read and write). This allows Mursa to read your events for daily planning and to create, update, or delete calendar events on your behalf — for example, scheduling meetings or blocking focus time directly from your task list.
  • Real-time processing: Email content is processed in memory only. The original email body is not stored in our database. We save only the AI-extracted task (title, description, priority) and email metadata (sender, subject, date) so you can trace tasks back to the original email.
  • Smart filtering: Routine emails like bank notifications, newsletters, marketing, and automated alerts are automatically filtered out without being sent to any AI service.
  • Push notifications: We use Google Cloud Pub/Sub to receive real-time notifications when new emails arrive. Only your email address and a history identifier are transmitted — no email content is included in these notifications.
  • OAuth tokens: Your Google OAuth tokens are encrypted at rest using AES-256-GCM and stored server-side only. They are never exposed to your browser, third parties, or logged in plain text.

Google API Services Compliance

Mursa's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google user data for the purposes described in this privacy policy and do not use it for serving advertisements or any other unrelated purpose.

AI Processing

We use third-party AI services to power two features: email triage and the AI planner. Here is what that means for your data:

  • Email triage (OpenAI): When a new email passes our pre-filters, the email subject, sender, and body text (truncated to 4,000 characters) are sent to OpenAI's API (GPT-4o-mini) to determine if it contains an actionable task. We do not send attachments, images, or account credentials.
  • AI planner (Google Gemini): When you use the AI planner chat feature, your prompts are sent to Google's Gemini API. Your email content is never sent to Gemini — only your planner conversation messages.
  • No AI training: Data sent through the OpenAI and Google Gemini APIs is not used for training their models, as per their respective API data usage policies. We do not opt in to any training programs.
  • No permanent storage by AI providers: As per OpenAI's API data retention policy, data sent via their API is retained for up to 30 days for abuse monitoring, then deleted. Google Gemini API data is processed transiently and not stored for model improvement.
  • Mursa does not train AI: We do not use any of your data (email content, summaries, tasks, or any other personal information) to train, fine-tune, or improve any AI or machine learning model.

Third-Party Services We Use

Mursa relies on the following third-party services to operate. We only share the minimum data required for each service to function:

Supabase

Database hosting, authentication, and edge functions. All your account and task data is stored here.

OpenAI

Email triage — receives email subject, sender, and body text to extract actionable tasks.

Google Gemini

AI planner chat — receives your planner conversation messages only. No email content.

Google Cloud Pub/Sub

Real-time Gmail push notifications. Only your email address and a history ID are transmitted.

Resend

Transactional emails (welcome, receipts, notifications). Receives your email address and name.

Dodo Payments

Subscription billing. Receives payment and billing information for Pro subscriptions.

If you connect optional integrations (Slack, Jira, Todoist, TickTick, Google Calendar), your OAuth tokens for those services are encrypted and stored server-side. We only access the data needed to sync tasks and messages.

Your Rights & Control

Revoke Gmail Access

Disconnect your Gmail at any time from your Google Account settings (Security → Third-party apps). This immediately removes all access.

Delete Your Data

Request deletion of all your data, including summaries and tasks. We will erase everything within 30 days.

Access Your Data

Request a copy of all the data we have associated with your account at any time.

Disconnect Anytime

You can disconnect your Google account from Mursa at any time through Settings. Disconnecting removes all access immediately.

How We Protect Your Data

HTTPS Everywhere

All data transmitted between your browser, our servers, and third-party APIs is encrypted over HTTPS (TLS).

Secure Token Storage

OAuth tokens for Gmail, Calendar, and other integrations are encrypted at rest using AES-256-GCM, stored server-side only, and never exposed to your browser, logs, or third parties.

No Permanent Email Storage

Email content is processed in memory and immediately discarded. We do not write email content to any database or file system.

Access Control

Strict role-based access controls ensure your data is only accessible to you. No Mursa employee can read your email content.

Policy Updates

We may update this policy occasionally. When we do, we will notify you by email and update the date at the top. Continued use after changes means you accept the new terms.

Questions about your privacy?

We are happy to help. Reach out anytime.

Contact Us