Privacy Policy
Last updated: January 2, 2026
1. Data Controller
The data controller responsible for your personal data is:
Piotr Ciechowicz
Schmohlstr. 2
13086 Berlin, Germany
Email: privacy@murmurd.com
2. Data Protection Officer
You can reach our Data Protection Officer at:
- Email: dpo@murmurd.com
3. Data We Collect
3.1 Account Data
When you register, we collect:
- Name and email address
- Password (encrypted)
- Profile picture (optional, stored on Cloudflare R2)
- Timezone preference
- Slack user ID (if connected)
- Google account data (if using Google OAuth login)
- Email notification preferences
3.2 Enterprise SSO Data
For organizations using Single Sign-On:
- Okta SSO identifiers (if using Okta integration)
- SCIM provisioning data (external user IDs, sync status)
3.3 Organization Data
For organization accounts:
- Organization name and logo
- Division and team structures
- Member roles and relationships
- Billing information (via Stripe)
3.4 Usage Data
When you use Murmurd:
- Check-in responses
- Escalation reports
- Priority records
- Interaction timestamps
- Vacation/pause status
3.5 Technical Data
Automatically collected:
- IP address
- Browser type and version
- Device information
- Access logs
- Failed login attempts (for security)
3.6 Audit Data
For compliance and security:
- Action logs (create, update, delete operations)
- Actor identification
- IP addresses and user agents for audited actions
4. Legal Basis for Processing
We process your data under the following legal bases (Article 6 GDPR):
| Data Type | Legal Basis |
|---|---|
| Account data | Contract performance (Art. 6(1)(b)) |
| Usage data | Contract performance (Art. 6(1)(b)) |
| AI processing | Legitimate interest (Art. 6(1)(f)) |
| Marketing | Consent (Art. 6(1)(a)) |
| Analytics | Legitimate interest (Art. 6(1)(f)) |
| Audit logging | Legitimate interest (Art. 6(1)(f)) |
| Security measures | Legal obligation (Art. 6(1)(c)) |
5. How We Use Your Data
We use your data to:
- Provide and maintain the Service
- Send check-in prompts and reminders
- Generate AI-powered summaries
- Route escalations to appropriate team members
- Process payments
- Send transactional communications
- Improve our Service
- Comply with legal obligations
- Detect and prevent fraud and abuse
6. AI Processing
6.1 AI Summaries
Your check-in responses may be processed by AI to generate weekly summaries. This processing:
- Uses only data within your organization
- Excludes items marked as confidential
- Is performed by third-party AI providers
- Does not train AI models on your data
6.2 AI Provider Options
We support the following AI providers:
- OpenAI (US-based)
- Anthropic (US-based)
- Google AI (US-based)
- Mistral AI (EU-based, France)
- Your own API key (Bring Your Own Key)
Organizations can configure their preferred AI provider in settings.
7. Data Sharing
7.1 Within Your Organization
Your data is visible to:
- Team members (for team-visible items)
- Managers (for escalations and summaries)
- Organization admins (for all organization data)
7.2 Platform Administrators
Authorized Murmurd staff may access your data for:
- Customer support and troubleshooting
- Security investigations and incident response
- Compliance and audit requirements
- System maintenance and reliability
All platform administrator access is:
- Logged in our audit system
- Limited to personnel with a legitimate need
- Subject to confidentiality obligations
7.3 Service Providers
We share data with the following service providers. For a complete list with DPA links, see our Subprocessor List.
| Provider | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | US/EU |
| Slack | Messaging integration | US |
| Mailgun | Email delivery | EU |
| Railway | Hosting infrastructure | EU |
| Cloudflare | CDN, avatar storage (R2) | Global |
| Upstash | Rate limiting (Redis) | EU |
| | OAuth authentication, AI | US |
| Okta | SSO/SCIM (enterprise) | US |
| AI Providers | Summary generation | US/EU |
7.4 Legal Requirements
We may disclose data when required by law or to protect our rights.
8. International Transfers
Some of our service providers are located outside the EU (primarily in the US). We ensure appropriate safeguards through:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
- Additional technical measures (encryption, pseudonymization)
For EU-based processing, we offer Mistral AI (France) as an AI provider option.
9. Data Retention
We retain your data for:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days |
| Check-ins | 2 years |
| Escalations | 2 years |
| Priorities | 2 years |
| AI Summaries | 1 year |
| Audit logs | 3 years |
Soft Deletion: When you delete data, it is initially “soft deleted” (marked as deleted but retained for 30 days to allow recovery). After 30 days, data is permanently purged from our systems.
After account termination, your data is deleted within 30 days unless legally required to retain it.
10. Your Rights
Under GDPR, you have the right to:
10.1 Access (Art. 15)
Request a copy of your personal data. You can use the Export My Data feature in Account Settings to download your data in JSON format.
10.2 Rectification (Art. 16)
Correct inaccurate or incomplete data via your profile settings or by contacting us.
10.3 Erasure (Art. 17)
Request deletion of your data (“right to be forgotten”). You can use the Delete My Account feature in Account Settings for self-service deletion.
10.4 Restriction (Art. 18)
Request limitation of processing in certain circumstances.
10.5 Portability (Art. 20)
Receive your data in a structured, machine-readable format. The Export feature provides JSON format including profile, check-ins, priorities, escalations, and team memberships.
10.6 Object (Art. 21)
Object to processing based on legitimate interest.
10.7 Withdraw Consent (Art. 7(3))
Withdraw consent at any time where processing is based on consent.
To exercise these rights, contact privacy@murmurd.com or use the self-service features in your Account Settings.
11. Email Communications
11.1 Transactional Emails
We send the following service-related emails:
- Check-in reminders
- Priority reminders
- Escalation notifications
- Weekly summary digests
- Account security notifications
11.2 Marketing Emails
Marketing emails are only sent with your explicit consent. You can manage your marketing preferences in Account Settings.
11.3 Unsubscribe Options
You can manage your email preferences in several ways:
- In-App Settings: Toggle individual email types on/off in Account Settings
- One-Click Unsubscribe: Each email includes a signed unsubscribe link
- Master Switch: Disable all non-essential emails with a single toggle
We process unsubscribe requests immediately.
12. Cookies and Tracking
For detailed information about our use of cookies, please see our Cookie Policy.
12.1 Summary
- Essential cookies (always enabled): Authentication, session management, security
- Analytics cookies (opt-in): Google Analytics 4, loaded only with consent
- Third-party cookies: May be set by integrations (Slack, Stripe)
You can manage cookie preferences via the cookie banner or by clearing your browser’s local storage.
13. Data Security
We protect your data through:
- AES-256-GCM encryption at rest (including Slack tokens, SSO secrets)
- TLS 1.3 encryption in transit
- Regular security audits
- Access controls and comprehensive logging
- Rate limiting to prevent abuse
- Account lockout after failed login attempts
- Employee security training
14. Children’s Privacy
Murmurd is not intended for users under 18. We do not knowingly collect data from children.
15. Changes to This Policy
We may update this policy periodically. We will notify you of material changes via email or in-app notice at least 30 days before they take effect.
16. Complaints
If you believe we have violated your privacy rights, you may file a complaint with:
- Our Data Protection Officer: dpo@murmurd.com
- Your local data protection authority
In Germany:
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153
53117 Bonn
Phone: +49 (0)228 997799-0
Email: poststelle@bfdi.bund.de
Berlin Data Protection Authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
Phone: +49 (0)30 13889-0
Email: mailbox@datenschutz-berlin.de
17. Contact
For privacy-related questions:
- Email: privacy@murmurd.com
- Legal inquiries: legal@murmurd.com
- Data Protection Officer: dpo@murmurd.com
- Address: See our Impressum