Privacy Policy

Account data: name, email, password (hashed with bcrypt), plan, organisation.

Usage data: pages viewed, inspections performed, IP address, browser type.

Content you upload: inspection templates, responses, photos, issue reports.

Payment data: handled entirely by Creem.io as Merchant of Record; we never see or store your card number, only a reference identifier and the high-level subscription state.

To provide and improve the Service; to authenticate you and prevent fraud; to send transactional emails (verification, password reset, receipts, plan changes); and to comply with legal obligations. We do not sell your personal data to third parties.

We share the minimum necessary data with the following processors, each under their own privacy commitments:

• Creem.io — payments and merchant-of-record services (privacy policy)
• Resend — transactional email delivery (privacy policy)
• Cloud hosting provider — application servers and database hosting

We use a small number of cookies and localStorage entries: a session token to keep you logged in, a language preference, a theme preference, and a cookie-consent flag. We do not use third-party advertising or behavioural-tracking cookies.

Depending on your jurisdiction, you may have the right to access, correct, delete, port, or restrict the personal data we hold about you, and to object to certain processing. Submit a request through the contact form — we will respond within 30 days.

Account data is kept while your account is active and for up to 90 days after deletion (for backup rotation). Inspection data is retained per your plan's data-retention setting; archived items are auto-deleted six months after archival.

We hash passwords with bcrypt, transmit data over HTTPS, rate-limit authentication endpoints to protect against brute-force attacks, and restrict access to production data on a need-to-know basis. No system is perfectly secure, but we work hard to protect your data and will notify affected users promptly in the event of a breach involving their personal information.

Your data may be processed in jurisdictions outside the one where you reside. Where required by law (e.g. under GDPR Article 46 or PIPL Article 38), appropriate safeguards such as Standard Contractual Clauses are in place with our processors.

Morn is not directed at children under 16. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it.

If we make material changes, we will notify registered users by email and update the "Last updated" date above.

Privacy questions or rights requests? Reach us through the contact form.