Privacy Policy — Merlin (Personal Teams Assistant)

Last updated: 2026-05-03

This Privacy Policy describes how the Merlin personal assistant (“Merlin”) handles information. Merlin is a single-user Microsoft Teams app operated by Hamza (hsaphar@gmail.com) for his own use only. There are no other end users.

Who runs Merlin

Merlin is built and operated by Hamza personally. It is not a commercial product and is not offered to anyone else.

What Merlin processes

When you (Hamza) use Merlin in Microsoft Teams, the following data is handled:

  • Conversation content you send to Merlin in a Teams direct message, and the responses Merlin sends back to you.
  • Microsoft 365 data accessed on your behalf via the Microsoft Graph API, using delegated scopes you have explicitly admin-consented to: User.Read, Mail.Read, MailboxSettings.Read, Calendars.Read, Files.Read, Sites.Read.All, Chat.Read, Tasks.ReadWrite. Merlin reads this data only to answer the question you asked or perform the action you requested.
  • A local read-only archive of a prior Microsoft 365 tenant of yours, hosted privately on your own infrastructure.

Merlin does not collect identifiers about anyone other than you. It does not report metrics, analytics, or telemetry to any third party.

Where data is stored

  • Conversation history, reminders, scheduled digests, and an audit log are stored in a local SQLite database on Hamza’s own Linux server (hlinzer1), reachable only via a Cloudflare Tunnel.
  • Microsoft 365 tokens are managed by the Microsoft Teams SDK runtime and the Azure Bot Service. They are not stored in plaintext on the server.

Third-party services Merlin sends data to

To generate responses, Merlin sends conversation content to a Large Language Model (LLM) provider. The provider in use is configurable; it is currently Anthropic Claude. Use of the provider is governed by the provider’s own privacy policy. Microsoft Teams, Microsoft Graph, and Cloudflare are also involved in delivering messages and securing the network path; their privacy policies apply to data they process.

Retention

Data stored locally on Hamza’s server is retained until Hamza deletes it. There is no automatic deletion schedule. Hamza can purge the database at any time.

Sharing

Merlin does not share your data with any party other than the LLM provider above (for the sole purpose of generating a response to you), Microsoft (through normal use of Teams and Microsoft Graph), and Cloudflare (as the network ingress).

Contact

Questions about this policy: hsaphar@gmail.com.