Murmur is an open-source, local-first application for keeping personal messages and notes. It is designed around a simple principle: your content is encrypted on your device and stored in a Google Sheet you own. There is no central Murmur server that receives, stores, or can read your notes.
Because Murmur can be self-hosted, the person or organization who deploys a given instance (the “operator”) is the data controller for that deployment. If you are using a hosted instance, the operator’s contact details should be made available to you; for the official open-source project, questions can be raised via the GitHub repository.
1. What data exists, and where
Murmur stores data in three distinct locations, all under your control:
- Your device (browser storage). Your notes are cached as date-wise JSON in IndexedDB for instant, offline access. Your decrypted session (display name and the connection to your Sheet) is kept in
localStorageso you stay signed in. Signing out clears it. - The master sheet (authentication).To let you sign in across devices, the operator runs a “master” Google Sheet that stores, per account: your email address, a random salt, a password verifier (a hash that cannot decrypt anything), and an encrypted blob containing the connection to your private Sheet. It never receives your password or any readable note content.
- Your private Google Sheet (your content). The actual messages you write are stored in a Google Sheet that you create and own, inside your own Google account. Murmur communicates with it directly from your browser.
2. What we do not do
- We do not run analytics, advertising, or third-party trackers.
- We do not use cookies for tracking. Browser storage is used only to run the app.
- We do not sell, rent, or share your personal data. There is no data to sell.
- We do not have the ability to read your notes. Encryption keys are derived from your password and never leave your device.
3. Encryption
When you sign in, Murmur derives a 256-bit key from your password using PBKDF2 (SHA-256, 310,000 iterations) and a per-account salt. That key is used with AES-GCM to encrypt the connection to your Sheet before it is ever transmitted or stored. A separate, independent segment of the derivation is hashed into a verifier used only to authenticate you. The verifier cannot be used to recover your key or decrypt your data.
4. Google as a sub-processor
Murmur relies on Google Apps Script and Google Sheets, which run under your own Google account(and, for authentication, the operator’s). Your use of those services is subject to Google’s Privacy Policy. We recommend keeping your private Sheet’s Web App URL and secret token confidential, as together they grant access to that Sheet.
5. Data retention & deletion
You control retention directly:
- Local data:clear your browser storage for the site, or use “Sign out” to remove the active session.
- Your content: delete rows in, or delete entirely, your private Google Sheet.
- Authentication record: the master sheet holds only your email, salt, verifier, and ciphertext. Contact the operator to have your account row removed. Even before removal, it contains nothing readable.
6. Shared channels
If you share a channel, its connection is stored encrypted with a per-channel key, and an access list of member email addresses is kept so the owner can manage membership. Anyone holding a channel’s invite code can read and post to it; revoke access by “stopping sharing” and re-sharing to rotate the key. Email addresses in an access list are visible to that channel’s members.
7. Children
Murmur is not directed to children under 13 (or the minimum age in your jurisdiction) and does not knowingly collect their data.
8. Changes to this policy
We may update this policy as the software evolves. Material changes will be reflected by the “Last updated” date above and, where applicable, in the repository’s release notes.
9. Contact
For privacy questions about the open-source project, open a discussion or issue on GitHub. For a specific hosted deployment, contact its operator.
This document is provided as a template for operators of Murmur deployments and does not constitute legal advice. Operators should adapt it to their jurisdiction and add their own contact details.