Privacy Policy

Last updated: April 2, 2026

1. Data Controller

Murabi OÜ (registry code 17470796), registered in Estonia, with its registered address at Tornimäe tn 5, 10145 Tallinn, Estonia, is the data controller for your personal data. Contact: [email protected].

2. Data We Collect

We collect the following data:

(a)Account data: email address and authentication provider (Google, Facebook, or email/password) via Firebase Authentication
(b)Profile data: your preferred language and subscription tier
(c)Usage data: question counts, conversation history, and messages you send to the Service
(d)Payment data: processed by Lemon Squeezy; we store your subscription status and tier but not your payment card details
(e)MAKroom data: session information and optional guest display names stored in Firebase Firestore
(f)Analytics data: anonymous usage statistics via Google Analytics (GA4), subject to your cookie consent
(g)Intervision data: case descriptions and messages you submit during Intervision sessions, which are designed to be anonymized and should not contain personally identifiable information about your clients

3. How We Use Your Data

We use your data to:

(a)provide and operate the Service
(b)process your questions through our AI pipeline and return source-backed answers
(c)manage your subscription and billing
(d)enforce per-tier usage limits
(e)improve the Service through anonymized, aggregated analytics
(f)communicate with you about your account, changes to the Service, or legal matters
(g)facilitate AI-assisted structured case consultation in Intervision mode

4. Legal Basis (GDPR)

We process your data on the following legal bases:

(a)Contract: processing necessary to provide the Service you have subscribed to
(b)Consent: analytics cookies (you may withdraw consent at any time via the cookie settings)
(c)Legitimate interest: improving the Service, preventing fraud, and ensuring security

5. Third-Party Processors

We share data with the following processors:

(a)Google (Firebase Authentication, Firestore, Google Analytics, Gemini): authentication, real-time data storage, analytics, and AI processing
(b)Lemon Squeezy: payment processing
(c)Neon: PostgreSQL database hosting
(d)OpenAI: AI language model processing
(e)Cohere: text embedding generation. All processors are bound by data processing agreements. Your query text is sent to LLM providers for processing (see Section 6)

6. AI/LLM Processing

When you use the Service, the text of your query (along with relevant source excerpts) is sent to third-party AI providers (OpenAI, Google Gemini) for response generation. In Intervision mode, your case descriptions are also sent to these providers. No personally identifiable information beyond the text you submit is included; we do not send your email, name, or account ID to AI providers. You are required to anonymize all case descriptions before submitting them (see Terms & Conditions, Section 10). AI providers may process your submissions in accordance with their own privacy policies.

7. Intervision & Client Data

Intervision is designed for anonymized case consultation. We do not intentionally collect or process special category data (such as health data) as defined by GDPR Article 9. You are contractually required to anonymize all case descriptions before submitting them to the Service (see Terms & Conditions, Section 10). If identifiable information about a third party is inadvertently included, it is subject to the same retention, security, and deletion policies as all conversation data. You may request deletion of any conversation at any time via the Service interface or by contacting [email protected]. We do not use Intervision content to train AI models or share it with third parties beyond the AI providers listed in Section 5.

8. Cookies

We use the following cookies:

(a)Essential cookies: locale preference and authentication session (always active)
(b)Analytics cookies: Google Analytics (GA4) for understanding usage patterns (requires your consent). You can manage your cookie preferences at any time through the 'Manage cookies' option in the user menu. If you decline analytics cookies, GA4 operates in consent-denied mode with modeled, aggregate data only

9. Data Retention

Conversation history is retained based on your subscription tier: Free (7 days), Starter (90 days), Pro (unlimited). Account data is retained for the duration of your account. You may request account deletion by emailing [email protected]. Upon deletion, we will remove your personal data within 30 days, except where retention is required by law.

10. International Transfers

Some of our processors are located outside the European Economic Area (EEA), including in the United States. These transfers are protected by EU Standard Contractual Clauses (SCCs) and, where applicable, additional safeguards as required by GDPR.

11. Your Rights

Under the GDPR, you have the right to:

(a)access your personal data
(b)rectify inaccurate data
(c)erase your data ("right to be forgotten")
(d)restrict processing
(e)data portability
(f)object to processing
(g)withdraw consent at any time. To exercise any of these rights, contact us at [email protected]. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority

12. Children

The Service is not intended for users under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 14 days before the changes take effect. The 'Last updated' date at the top of this page will be revised accordingly.

14. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at [email protected] or [email protected].