Legal
Policies & Terms
Last updated: 15 May 2026
These documents govern your use of the Morgan platform and related services. Please read them carefully. By creating an account or using any part of the Service, you acknowledge that you have read, understood, and agree to be bound by all of the following policies.
Terms of Service
1. Introduction & Scope
These Terms of Service ("Terms") constitute a legally binding agreement between you ("User", "you", or "your") and the operator of the Morgan platform ("Morgan", "we", "us", or "our"), accessible at askmorgan.co and its sub-domains (collectively, the "Service"). These Terms apply to all users of the Service, including browsers, registered users, and subscribers. Access to or use of the Service in any way constitutes full acceptance of these Terms in their entirety.
If you are accepting these Terms on behalf of a company or other legal entity, you represent that you have the authority to bind that entity to these Terms. If you do not have such authority, you must not accept these Terms or use the Service.
2. Definitions
"Account" means the unique account created for you to access the Service. "Company Data" means all financial records, transaction data, invoices, and related business information you upload to or connect with the Service. "Subscription" means a paid plan granting access to specified features of the Service for a recurring billing period. "Free Plan" means any no-cost tier made available at our discretion. "Output" means any analysis, chart, projection, AI-generated response, or other result produced by the Service based on your Company Data. "Integration" means any third-party accounting, banking, or productivity application connected to the Service via OAuth or API token.
3. Account Registration & Eligibility
To use the Service you must (a) be at least 18 years of age; (b) be a legal entity or individual acting in a commercial or professional capacity; (c) provide accurate, current, and complete registration information; and (d) maintain and promptly update your registration information to keep it accurate and current.
You are solely responsible for maintaining the confidentiality of your login credentials and for all activities that occur under your Account. You must notify us immediately at hello@askmorgan.co upon becoming aware of any unauthorised use of your Account or any other breach of security. We will not be liable for any loss arising from unauthorised use of your Account where you have failed to notify us promptly.
One person or legal entity may not maintain more than one free Account. You may not use the Service if you are a direct competitor of Morgan without prior written consent.
4. Permitted Use & Acceptable Use Policy
The Service is provided exclusively for lawful commercial and business financial management purposes. You agree to use the Service only in accordance with these Terms and all applicable local, national, and international laws and regulations.
You must not:
- Use the Service for any unlawful purpose or in any illegal manner;
- Upload, transmit, or store any data that infringes the intellectual property rights or privacy of any third party;
- Attempt to probe, scan, or test the vulnerability of the Service or any associated system or network;
- Attempt to reverse-engineer, decompile, disassemble, or derive source code from any part of the Service;
- Use automated scripts, bots, crawlers, or scraping tools to access the Service without prior written consent;
- Introduce viruses, malware, ransomware, or any other harmful code;
- Circumvent or disable any security, authentication, or access-control features of the Service;
- Resell, sublicense, or offer the Service to third parties without an explicit written reseller agreement;
- Use the Service to transmit unsolicited communications (spam) or engage in phishing;
- Impersonate any person or entity or falsely state or misrepresent your affiliation with any person or entity.
Violation of this policy may result in immediate suspension or termination of your Account without refund. We reserve the right to investigate suspected violations and to cooperate with law enforcement authorities.
5. Subscriptions, Billing & Payment
Certain features of the Service are available only through a paid Subscription. By selecting a paid plan, you agree to pay the applicable fees as described at the time of purchase. All fees are stated in Euros (EUR) and are exclusive of applicable taxes unless stated otherwise. You are responsible for all taxes, levies, or duties imposed by taxing authorities.
Subscriptions are billed in advance on a monthly or annual basis depending on the plan selected. Payment is processed through our third-party payment processor (Stripe). By providing payment information you authorise us (via Stripe) to charge the applicable fees to your nominated payment method at the start of each billing period.
If a payment fails, we will notify you and attempt to re-process the charge. If payment remains outstanding after a grace period of 7 days, we reserve the right to suspend or downgrade your Account to a Free Plan until the outstanding balance is settled. Continued failure to pay may result in termination of your Account.
We reserve the right to modify our pricing at any time. Changes to fees for existing Subscribers will be communicated with at least 30 days' prior written notice via email or in-app notification. Your continued use of the Service following the effective date of any price change constitutes your acceptance of the new fee.
6. Free Trials
We may, at our sole discretion, offer a free trial of one or more paid plans for a limited period. At the end of the trial, unless you cancel, your Account will automatically convert to the applicable paid Subscription and your payment method will be charged. We reserve the right to modify or terminate free trials at any time without notice.
7. Cancellation & Refunds
You may cancel your Subscription at any time from within your account settings or by contacting us at hello@askmorgan.co. Upon cancellation, your Subscription will remain active until the end of the current billing period, after which your Account will revert to the Free Plan (if available) or be deactivated.
Fees paid are generally non-refundable except where required by applicable consumer protection law or at our sole discretion in exceptional circumstances. If you believe you have been charged in error, please contact us within 30 days of the charge.
8. Intellectual Property Rights
The Service, including all software, algorithms, user interfaces, graphics, text, and documentation, is owned by or licensed to Morgan and is protected by copyright, trademark, patent, and other intellectual property laws. These Terms do not grant you any ownership rights in the Service. Any goodwill generated by your use of our trademarks inures solely to our benefit.
You retain all ownership rights in your Company Data. By uploading or connecting Company Data to the Service, you grant us a limited, non-exclusive, royalty-free, worldwide licence to access, process, and store your Company Data solely for the purpose of providing the Service to you. This licence terminates when your Account is closed and all data is deleted in accordance with our Data Handling Policy.
9. Outputs & AI-Generated Content
Outputs generated by the Service are provided for informational purposes only. You may use Outputs for your internal business purposes, but you acknowledge that Outputs are generated by artificial intelligence models which may produce errors or inaccuracies. You assume full responsibility for any decisions made in reliance on Outputs. See the Legal Disclaimer (Section 03) for further detail.
10. Third-Party Integrations
The Service may integrate with third-party platforms including but not limited to Xero, QuickBooks, Google Gmail, and Microsoft Outlook. Your use of such integrations is subject to the terms and privacy policies of those third parties. We do not control and are not responsible for the availability, accuracy, or policies of third-party services. You are responsible for ensuring you are authorised to connect your third-party accounts and to share the data therein with the Service.
11. Service Availability
We aim to provide a highly available Service but do not guarantee uninterrupted or error-free operation. Scheduled maintenance will be communicated in advance where possible. Unscheduled outages may occur. We will use commercially reasonable efforts to restore service promptly following any interruption. No credit or compensation is provided for downtime except where separately agreed in a Service Level Agreement.
12. Modifications to the Service
We reserve the right to modify, suspend, or discontinue any feature of the Service at any time, with or without notice. We will endeavour to provide reasonable notice of material changes that significantly affect core functionality.
13. Indemnification
You agree to indemnify, defend, and hold harmless Morgan and its officers, directors, employees, agents, licensors, and service providers from and against any and all claims, liabilities, damages, judgements, awards, losses, costs, and expenses (including reasonable legal fees) arising out of or relating to (a) your violation of these Terms; (b) your use of the Service; (c) your Company Data; (d) your violation of any third-party rights; or (e) your violation of any applicable laws.
14. Disclaimer of Warranties
THE SERVICE IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR COURSE OF PERFORMANCE. MORGAN DOES NOT WARRANT THAT THE SERVICE WILL MEET YOUR REQUIREMENTS, BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE, OR THAT ANY OUTPUTS WILL BE ACCURATE OR RELIABLE.
15. Limitation of Liability
TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MORGAN, ITS DIRECTORS, EMPLOYEES, PARTNERS, AGENTS, SUPPLIERS, OR AFFILIATES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING WITHOUT LIMITATION LOSS OF PROFITS, DATA, GOODWILL, USE, OR OTHER INTANGIBLE LOSSES, ARISING OUT OF OR IN CONNECTION WITH YOUR USE OF OR INABILITY TO USE THE SERVICE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO EVENT SHALL OUR AGGREGATE LIABILITY TO YOU FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THE SERVICE EXCEED THE GREATER OF (A) THE TOTAL AMOUNT PAID BY YOU TO US IN THE 12 MONTHS IMMEDIATELY PRECEDING THE CLAIM, OR (B) €100.
16. Force Majeure
We shall not be liable for any delay or failure to perform our obligations under these Terms where such delay or failure results from any cause beyond our reasonable control, including but not limited to acts of God, natural disasters, pandemics, war, civil unrest, cyber attacks, third-party infrastructure failures, or governmental actions.
17. Dispute Resolution
In the event of a dispute arising under or relating to these Terms, the parties agree to first attempt to resolve the dispute informally by contacting us at hello@askmorgan.co. If the dispute cannot be resolved informally within 30 days, either party may pursue formal legal remedies.
Consumers residing in the EU have the right to use the European Commission's Online Dispute Resolution platform at ec.europa.eu/consumers/odr.
18. Governing Law & Jurisdiction
These Terms shall be governed by and construed in accordance with the laws of the European Union and the laws of the jurisdiction in which Morgan's operator is incorporated, without regard to conflict of law principles. You irrevocably submit to the exclusive jurisdiction of the courts of that jurisdiction for the resolution of any dispute.
19. Changes to These Terms
We reserve the right to update or modify these Terms at any time. Material changes will be communicated via email or a prominent in-app notice at least 14 days before taking effect. Your continued use of the Service after the effective date constitutes acceptance of the revised Terms. If you do not agree to the revised Terms, you must cease using the Service.
20. Severability & Entire Agreement
If any provision of these Terms is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary, and the remaining provisions shall continue in full force and effect. These Terms, together with our Privacy Policy and Data Handling Policy, constitute the entire agreement between you and Morgan regarding the Service and supersede all prior agreements, representations, and understandings.
21. Contact
For any enquiries relating to these Terms, please contact us at hello@askmorgan.co.
Privacy Policy
This Privacy Policy explains how Morgan collects, uses, stores, and shares personal data in connection with the Service. It applies to all users and is intended to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection legislation.
1. Data Controller
Morgan is the data controller for personal data collected through the Service. For questions about this policy or your personal data, contact our Data Protection lead at privacy@askmorgan.co.
2. Categories of Personal Data Collected
We collect the following categories of personal data:
- Identity Data: Full name, job title, company name.
- Contact Data: Email address, phone number (if provided).
- Account Data: Username, hashed password, account preferences and settings.
- Financial Data: Transaction records, invoice data, category labels, account balances, and other business financial information you connect or upload. Note: we do not store raw bank account numbers or payment card details.
- Usage Data: Pages visited, features used, session duration, click events, error logs, and other telemetry data collected automatically when you use the Service.
- Technical Data: IP address, browser type and version, operating system, device type, time zone, and cookie identifiers.
- Communications Data: Records of correspondence if you contact us via email or support channels.
- Integration Data: OAuth tokens and metadata from connected third-party services (e.g. Xero, QuickBooks, Gmail, Outlook). We never store your third-party login credentials.
3. Legal Bases for Processing
We process your personal data on the following legal bases under GDPR Article 6:
- Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service you have signed up for, including account management, billing, and support.
- Legitimate interests (Art. 6(1)(f)): Analytics to improve the Service, fraud prevention, security monitoring, and direct marketing to existing customers (with opt-out provided).
- Legal obligation (Art. 6(1)(c)): Compliance with applicable laws, including tax, accounting, and regulatory requirements.
- Consent (Art. 6(1)(a)): For optional communications, non-essential cookies, or any processing not covered by the above. You may withdraw consent at any time without affecting prior processing.
4. How We Use Your Personal Data
We use your personal data to:
- Create and manage your Account;
- Process payments and manage your Subscription;
- Provide, maintain, and improve the Service;
- Generate AI-powered financial Outputs in response to your queries;
- Send transactional communications (e.g. invoices, security alerts, service updates);
- Respond to your support requests and enquiries;
- Conduct product analytics and improve user experience;
- Detect and prevent fraud, abuse, and security incidents;
- Comply with legal obligations;
- Send marketing communications where you have consented or where permitted under the soft opt-in rule for existing customers.
5. Data Retention
We retain personal data for as long as your Account is active or as necessary to provide the Service. Specific retention periods:
- Account and identity data: Duration of account plus 30 days post-deletion.
- Financial data: Duration of account plus 30 days post-deletion.
- Billing records: 7 years from the date of transaction, as required by financial regulations.
- Usage and technical logs: 90 days.
- Support communications: 3 years.
Upon Account deletion, all personal and financial data is permanently and irreversibly deleted from our systems and backups within 30 days, except where retention is required by law.
6. Data Sharing & Disclosure
We do not sell your personal data. We may share your data with:
- Service providers and sub-processors who assist in operating the Service (e.g. cloud infrastructure, payment processing, email delivery). All sub-processors are bound by written data processing agreements and may only process your data on our documented instructions.
- Professional advisers including lawyers, auditors, and insurers under obligations of confidentiality.
- Regulatory and law enforcement authorities where required to do so by law, court order, or governmental regulation.
- Business transferees in the event of a merger, acquisition, or sale of all or substantially all of our assets, provided the acquirer agrees to treat your data in accordance with this Privacy Policy.
7. International Transfers
Our primary data storage and processing infrastructure is located within the European Union (see Data Handling Policy, Section 04). Where we engage sub-processors that transfer data outside the EEA, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V, such as Standard Contractual Clauses (SCCs) approved by the European Commission or an adequacy decision.
8. Cookies & Tracking Technologies
We use the following categories of cookies:
- Strictly necessary cookies: Required for the Service to function (authentication sessions, CSRF tokens). These cannot be disabled.
- Analytics cookies: We use cookieless analytics (Datafast) to understand aggregate usage patterns. No personal data is stored in analytics cookies and no data is shared with advertising networks.
You may disable non-essential cookies in your browser settings. Doing so may affect certain features of the Service.
9. Your Rights Under GDPR
As a data subject, you have the following rights. To exercise any of them, contact us at privacy@askmorgan.co:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to restriction (Art. 18): Request that we restrict processing in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
- Rights related to automated decision-making (Art. 22): We do not make solely automated decisions that produce legal or similarly significant effects on you.
We will respond to all verifiable requests within 30 days. We may extend this period by a further two months for complex or numerous requests, with notification. We reserve the right to verify your identity before fulfilling any request.
10. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local data protection supervisory authority. In the EU, this is the supervisory authority in your country of residence or place of work.
11. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete it promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice within the Service at least 14 days before they take effect.
Legal Disclaimer
1. No Financial, Investment, or Tax Advice
Morgan is a software tool that uses artificial intelligence to analyse your business financial data and generate informational outputs. Nothing within the Service, its Outputs, or any associated communications constitutes financial advice, investment advice, tax advice, legal advice, accounting advice, or any other form of professional regulated advice, whether express or implied.
The Outputs generated by Morgan are for informational and analytical purposes only. They are not a substitute for professional financial, legal, or accounting counsel. You should consult a qualified and regulated financial adviser, chartered accountant, tax adviser, or solicitor before making any financial, investment, or business decisions.
2. No Accountant-Client or Adviser-Client Relationship
Use of the Service does not create any accountant-client, financial adviser-client, solicitor-client, or any other professional-client relationship between you and Morgan. No communication through the Service should be understood as establishing such a relationship.
3. Accuracy & Reliability of AI Outputs
The Service uses large language models (LLMs) to process natural language queries and generate analytical responses. AI models are probabilistic systems that can produce errors, omissions, inconsistencies, or misleading information, a phenomenon commonly known as "hallucination." Morgan cannot and does not guarantee the accuracy, completeness, timeliness, or suitability of any Output for any particular purpose.
You should always independently verify critical financial figures, projections, and insights against your own records, your accountant's advice, and authoritative regulatory sources. Morgan accepts no liability for any error in any Output.
4. Forward-Looking Statements
The Service may produce forecasts, projections, runway calculations, and other forward-looking statements. These are based solely on the data you provide and standard modelling assumptions. They are not guarantees of future performance. Actual results may differ materially from projections due to market conditions, economic factors, changes in your business, and many other factors beyond our control or knowledge.
5. Reliance on Third-Party Data
The Service may incorporate or reflect data from third-party sources including connected accounting software, bank feeds, and user-uploaded documents. We make no representation as to the accuracy or completeness of third-party data. You are responsible for ensuring the accuracy of all data connected to or uploaded into the Service.
6. Regulatory Compliance
Morgan does not verify whether your use of its Outputs complies with applicable laws, regulations, or accounting standards in your jurisdiction. Tax laws, financial regulations, and reporting requirements vary by country and change frequently. It is your sole responsibility to ensure compliance with all applicable regulations.
7. Limitation of Liability
To the maximum extent permitted by applicable law, Morgan and its operators, directors, employees, and agents shall not be liable for any loss, damage, cost, or expense — whether direct, indirect, incidental, consequential, or punitive — arising from: (a) your reliance on any Output; (b) errors or inaccuracies in any Output; (c) decisions made using the Service; (d) third-party data inaccuracies; or (e) any failure of the AI models to produce accurate results. This limitation applies even if we have been advised of the possibility of such losses.
8. Jurisdictional Limitations
The Service and its Outputs are designed as general-purpose business tools and are not tailored to the laws of any specific jurisdiction. Users accessing the Service from jurisdictions where such services are restricted or regulated must ensure they are compliant with local laws. We make no representation that the Service is appropriate or available for use in all locations.
9. Professional Consultation Recommended
We strongly recommend that all users maintain a relationship with a qualified accountant or financial adviser who can provide personalised, regulated, and jurisdiction-specific guidance for their business. Morgan is intended to complement professional advice, not replace it.
Data Handling Policy
This Data Handling Policy describes in technical detail how Morgan stores, processes, and protects your data. We are committed to maintaining the highest standards of data security and privacy.
1. Infrastructure & Hosting
All primary application data is stored on Supabase's managed PostgreSQL infrastructure, hosted on AWS in the eu-west-1 (Ireland) region. All data therefore remains within the European Union at rest. Document and file storage (invoices, CSV uploads) is hosted on Hetzner Object Storage, located in Helsinki, Finland (EU). No primary data is stored outside the European Union.
2. Encryption
All data is protected by encryption at every layer:
- Encryption at rest: AES-256 encryption applied to all database volumes and object storage buckets.
- Encryption in transit: All data transmitted between your browser and our servers, and between our servers and sub-processors, is protected using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS.
- Password storage: Passwords are never stored in plaintext. Authentication is managed by Supabase Auth, which uses bcrypt hashing with a per-user salt.
3. Tenant Isolation & Row-Level Security
Every record in the Morgan database is tagged with a company_id field. We enforce PostgreSQL Row-Level Security (RLS) policies at the database level, meaning that even if there were a bug in the application layer, the database engine itself would refuse to return rows belonging to a different tenant. This provides a strong, multi-layered isolation guarantee that goes beyond application-level filtering.
All read queries generated by AI features are executed through a dedicated, strictly read-only database user with no INSERT, UPDATE, DELETE, or DDL privileges. This ensures that AI-generated SQL cannot modify or destroy your data.
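The two controls described in this section, a tenant tag on every row enforced by Row-Level Security and a SELECT-only role for AI-generated queries, look roughly like the following in PostgreSQL. This is an added illustration, not Morgan's actual schema or policy text: the `transactions` table, the `ai_reader` role and the `app.current_company_id` session setting are assumptions made for the example (Supabase deployments would more typically derive the tenant from the authenticated JWT's claims).

```sql
-- Added example (not Morgan's schema): tenant-tagged table, RLS policy,
-- and a read-only role for AI-generated SQL. Names below are assumptions.

CREATE TABLE transactions (
    id          bigserial PRIMARY KEY,
    company_id  uuid          NOT NULL,   -- tenant tag present on every row
    amount      numeric(14,2) NOT NULL,
    occurred_on date          NOT NULL
);

-- Turn RLS on, and FORCE it so even the table owner is subject to the policy.
ALTER TABLE transactions ENABLE ROW LEVEL SECURITY;
ALTER TABLE transactions FORCE  ROW LEVEL SECURITY;

-- The application sets the tenant in a session setting after authenticating the
-- caller. If the setting is absent, the comparison yields NULL and no rows match,
-- so a missing tenant context fails closed rather than open.
CREATE POLICY tenant_isolation ON transactions
    USING      (company_id = NULLIF(current_setting('app.current_company_id', true), '')::uuid)
    WITH CHECK (company_id = NULLIF(current_setting('app.current_company_id', true), '')::uuid);

-- Read-only role for AI-generated queries: SELECT only, no DML, no DDL.
CREATE ROLE ai_reader NOLOGIN;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;        -- nobody creates objects by default
GRANT  USAGE  ON SCHEMA public TO ai_reader;
GRANT  SELECT ON transactions  TO ai_reader;
-- Deliberately no INSERT/UPDATE/DELETE grants; any such statement from the
-- model is refused by the database regardless of what the application does.

-- Constructed sample data: two tenants.
INSERT INTO transactions (company_id, amount, occurred_on) VALUES
    ('00000000-0000-0000-0000-000000000001',  120.00, DATE '2026-05-01'),
    ('00000000-0000-0000-0000-000000000001',  -45.50, DATE '2026-05-02'),
    ('00000000-0000-0000-0000-000000000002', 9999.99, DATE '2026-05-03');

-- Check the isolation from the AI role's point of view.
SET ROLE ai_reader;
SELECT set_config('app.current_company_id',
                  '00000000-0000-0000-0000-000000000001', false);
SELECT count(*) FROM transactions;   -- returns 1 tenant's rows (2), never tenant 2's
SELECT set_config('app.current_company_id', '', false);
SELECT count(*) FROM transactions;   -- no tenant set: returns 0 rows
DELETE FROM transactions;            -- ERROR: permission denied for table transactions
RESET ROLE;
```

Two points worth checking in a review of any RLS setup like this: `FORCE ROW LEVEL SECURITY` matters because policies are bypassed for the table owner unless it is set, and superusers or roles with `BYPASSRLS` bypass policies regardless, so the application and AI connections must run as ordinary roles. The tenant setting must also be established from server-side authentication, never from a value the client supplies directly, since the policy trusts whatever `app.current_company_id` contains.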
4. AI Processing & the OpenAI API
When you submit a natural language query to Morgan, the Service constructs a prompt containing aggregated financial context derived from your data (e.g. summarised transaction totals, category breakdowns, date ranges) and sends it to the OpenAI API to generate a response.
We apply the following safeguards to AI data processing:
- No raw personal data: We do not send personally identifiable information (names, contact details) or raw transaction-level records to OpenAI unless explicitly required by the query and you have been informed.
- No model training on your data: Under OpenAI's API usage policies, data submitted via the API is not used to train or improve OpenAI's models. Your data is processed solely to generate the immediate response.
- Zero data retention by default: OpenAI's API data handling policy stipulates a maximum 30-day retention period for abuse monitoring purposes, after which data is deleted. We do not opt into any extended data retention.
- Data Processing Agreement: Our use of the OpenAI API is governed by OpenAI's Data Processing Addendum (DPA), which provides GDPR-compliant protections for personal data processed on behalf of API customers.
- Prompt construction: Prompts are constructed server-side and are never exposed to the client browser. SQL generated by the AI is validated before execution.
5. Sub-Processors
We rely on the following sub-processors to deliver the Service:
- Supabase Inc. — Database, authentication, and realtime (EU — AWS eu-west-1)
- Hetzner Online GmbH — Object/file storage (EU — Helsinki, Finland)
- OpenAI Inc. — AI language model inference (US, governed by DPA with SCCs)
- Stripe Inc. — Payment processing (EU/US, governed by DPA with SCCs)
- Vercel Inc. — Application hosting / CDN (EU edge nodes available)
- Datafast — Cookieless analytics (EU)
All sub-processors are bound by written data processing agreements and are selected for their compliance with GDPR and industry security standards.
6. Data Retention & Deletion
Our data retention schedule is as follows:
- Account & financial data: Retained for the duration of your Account plus 30 days after deletion.
- Uploaded documents (invoices, CSVs): Retained for the duration of your Account plus 30 days.
- Application logs: 90 days, then automatically purged.
- Billing & payment records: 7 years, as required by financial regulation.
- Database backups: 30-day rolling retention, then automatically deleted.
Upon Account deletion, we initiate an automated deletion job that permanently removes all personal and financial data from live databases within 30 days. Deleted data is also removed from backups within the same 30-day rolling backup window. Anonymised aggregate data not attributable to any individual or company may be retained for statistical purposes.
7. Backups & Disaster Recovery
The database is backed up automatically on a daily basis with point-in-time recovery (PITR) available. Backups are:
- Encrypted using AES-256 with the same standards as primary data;
- Stored in a geographically separate EU region from the primary database;
- Retained for a rolling 30-day window;
- Tested periodically to verify integrity and restorability.
8. Access Controls & Authentication
Access to production systems is strictly controlled:
- Principle of least privilege: All team members are granted only the minimum database and system access required for their role.
- Multi-factor authentication (MFA): Required for all personnel with access to production systems.
- Audit logging: All access to production data and administrative actions is logged with timestamps and user identity.
- Periodic access reviews: Access rights are reviewed quarterly and revoked promptly when no longer required.
- Service role key protection: The Supabase service role key is never exposed to the client browser. All sensitive keys are server-side environment variables only.
9. Network & Application Security
- SQL injection prevention: All user-supplied inputs and AI-generated SQL are parameterised and validated through a SQL validator before execution.
- CSRF protection: Session tokens use HTTP-only, Secure, SameSite cookies to mitigate cross-site request forgery.
- Rate limiting: API endpoints are rate-limited to protect against brute-force attacks.
- Dependency management: Application dependencies are regularly audited for known vulnerabilities.
- HTTPS enforcement: All traffic is served exclusively over HTTPS with HSTS headers.
10. Vulnerability Management
We maintain a vulnerability management programme that includes regular review of application dependencies, periodic security assessments, and monitoring of relevant security advisories. Critical vulnerabilities are patched on an expedited basis. We maintain a responsible disclosure policy — if you discover a security vulnerability in the Service, please report it confidentially to privacy@askmorgan.co before any public disclosure.
11. Incident Response
We maintain a documented incident response plan that covers detection, containment, eradication, recovery, and post-incident review. In the event of a personal data breach:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR Article 33;
- We will notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34;
- Notification will include the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address it.
12. GDPR Compliance Summary
Morgan is designed with data protection by default and by design (GDPR Article 25). Key compliance measures include:
- All data stored in the EU;
- Data minimisation — we collect only what is necessary;
- Purpose limitation — data is used only for the stated purposes;
- Storage limitation — automated deletion schedules enforced;
- Integrity and confidentiality — encryption at rest and in transit;
- Data subject rights fulfilled within statutory timeframes;
- Sub-processor agreements with SCCs where applicable;
- Breach notification procedures in place.
13. Contact & Data Subject Requests
To submit a data subject access request, request deletion, or raise any data protection concern, contact our Data Protection lead at privacy@askmorgan.co. We will acknowledge your request within 5 business days and respond fully within 30 days.