Learn more
Mekusheret

Privacy Policy

What data Mekusheret reads, what it sends to Morning, what it never collects, and how deletion works.

Last updated: July 9, 2026

1. Who we are

Mekusheret ("the app", "we", "us", or "our") is a monday.com marketplace app that issues tax documents in Morning (Green Invoice) directly from your monday.com board items. It is built and run by a solo developer based in Israel.

This Privacy Policy explains, in plain terms, what the app reads from monday.com, what it sends to Morning, what it does not collect, how it stores data, and how deletion works today. If you have any question, email support@mekusheret.app.

2. What data we collect

The app only handles the data needed to issue an invoice. From your monday.com account, it reads:

  • Account ID — to bind the OAuth token to the right monday.com account.
  • Item and board details — the item ID, item name, and board ID of the item you issue a document for.
  • Column values on that item, according to the column mapping your admin configured.
  • Board columns — so the settings screen can show the mapping dropdowns.
  • The issuing user's display name — to record who issued a document.
  • Customer and line-item fields defined by your mapping: name, price, email, phone, description, quantity, and an optional tax ID.

When you issue a document, the app sends the following to Morning (Green Invoice) to create it:

  • Document type (305, 320, or 400), language, currency, VAT type, and date.
  • Client details: name, and optionally email, phone, and tax ID.
  • Income lines: description, price, quantity, VAT, and currency.
  • Free text is sanitized (emoji and control characters removed) before it is sent.

After a document is issued, the app writes back to your monday.com item: a comment with the invoice/receipt number and a link to the PDF, a bell notification to you (the issuing user), and — only if you mapped those columns — the invoice number, open balance, and a payment-status label.

3. What we do not collect

What we do not do is just as important:

  • We do not store your customers' personal details (names, emails, phone numbers) on our own servers. They pass through only to create the document in Morning and are not retained by us.
  • The invoice ledger — the record of documents you have issued — is stored inside your own monday.com account (in monday.storage), not on any external server or database of ours.
  • We run no analytics, advertising, or tracking of any kind.
  • We do not sell, rent, or share your data with anyone other than the two services required to do the job: monday.com and Morning.

4. How we use your data

We use the data described above for a single purpose: to let you issue tax documents in Morning from your monday.com board, and to record the result back on the board. We do not use it for profiling, advertising, or training any model.

5. Data storage

Two kinds of data are stored, and both live inside monday's platform:

  • Morning API credentials (your Key ID and secret) are stored server-side only, encrypted in monday's SecureStorage (which is Vault-backed), namespaced per account as gi_creds:<accountId>. The secret never travels to the browser — the app's own screens only ever receive a boolean ("are credentials configured?") and a masked Key ID showing the last 4 digits. The Morning bearer token the app derives from these credentials is cached in server memory until it expires; it is never persisted and never sent to the browser. Only the server process reads the credentials at runtime, scoped to each account.
  • The invoice ledger is stored in monday.storage, inside your own monday.com account. It contains, per document: invoice ID, invoice number, currency, total, paid, balance, status, issued date, due date, and receipts. Because it lives in your monday account, this data stays under your control.

6. Third-party services

The app talks to exactly two external services, and no others:

There are no other third parties — no analytics providers, no advertising networks, and no external logging services.

7. Data retention and deletion

We keep your data only while you use the app. You should know exactly how deletion works today:

  • Morning credentials. Your Morning API credentials are stored in monday's SecureStorage under gi_creds:<accountId>. At present the app does not have an automatic uninstall cleanup, so these credentials are not deleted automatically when you uninstall the app. If you want them removed, email support@mekusheret.app and we will delete them. We plan to add automatic deletion on uninstall.
  • Invoice ledger. The ledger lives in monday.storage inside your own monday.com account, so its lifecycle is governed by monday's own data handling.

We disclose this gap deliberately, so you know precisely what happens to your data until an uninstall handler is in place.

8. Logs

The app writes logs only to the monday Code console — there is no external logging service.

Logs record operational identifiers and outcomes: account IDs, item IDs, invoice IDs and numbers, amounts, currencies, payment status, and error messages.

Logs deliberately do not contain customer names, emails, or phone numbers, and never contain secrets or raw tokens.

9. Cookies

The app does not use cookies at all. It sets no cookies and reads none (there is no Set-Cookie and no document.cookie anywhere). Your session is carried by monday's session token (a JWT) sent in the Authorization: Bearer header, and the OAuth flow uses a signed, short-lived state token (JWT) to protect against CSRF.

10. Your rights

Depending on where you live — including under the EU General Data Protection Regulation (GDPR) and Israel's Protection of Privacy Law, 5741-1981 (חוק הגנת הפרטיות) — you may have the right to access, correct, delete, or export your personal data, and to withdraw consent.

Because your board data and ledger live in your own monday.com account, and your documents live in Morning, you can exercise most of these rights directly in those services. For anything held by the app itself (your Morning credentials), email support@mekusheret.app.

11. Children's privacy

The app is a business tool and is not directed at anyone under the age of 16. We do not knowingly collect data from children.

12. Contact

For any privacy question or request, contact support@mekusheret.app. We aim to respond within 30 days.