Privacy Policy

Last Updated: November 15, 2025

Effective Date: July 17, 2025 | Version 3.0

1. Introduction and Scope

At Morph, we take your privacy seriously. This Privacy Policy ("Policy") explains how AutoInfra, Inc. ("Morph," "we," "our," or "us") collects, uses, and protects your information when you use our website, services, APIs, and related applications (collectively, the "Services").

We've designed our Services with privacy in mind. We don't use your code or content to train our models, except when you request customer support or when we're debugging issues to improve service quality. We implement strong security measures to protect your data and provide transparency about our practices so you can make informed decisions about using Morph.

By accessing or using our Services, you agree to this Privacy Policy and our Terms of Service. This Policy applies to all users, including free tier, paid tier, and enterprise customers.

2. Information We Collect

We collect different types of information depending on how you interact with our Services and which tier of service you use. We collect this information in accordance with applicable laws and regulations, including but not limited to the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and the Brazilian General Data Protection Law ("LGPD").

2.1 Categories of Personal Information

We may collect the following categories of personal information:

  • Identifiers: Name, email address, postal address, phone number, unique personal identifier, online identifier, IP address, account username, or other similar identifiers.
  • Customer Records: Name, signature, address, telephone number, education, employment, employment history, financial information, or medical information.
  • Commercial Information: Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Internet Activity: Browsing history, search history, information on your interaction with our website, application, or advertisement.
  • Geolocation Data: Physical location or movements.
  • Professional Information: Current or past job history or performance evaluations.
  • Inferences: Inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

2.2 Sources of Information

We collect personal information from the following sources:

  • Direct Collection: Information you provide directly to us when you register for an account, use our Services, contact our customer support, or otherwise interact with us.
  • Automated Collection: Information collected automatically through your use of our Services, such as through cookies, web beacons, and similar technologies.
  • Third-Party Sources: Information we receive from third-party sources, such as business partners, data providers, social media platforms, and advertising networks, where they have the right to share your information with us.

2.3 How We Handle Your Code and Content

Your code and content ("Inputs") and the outputs we generate ("Outputs") are important to you and to us. We do not use your data to train our models, except when necessary to resolve customer support cases, debug issues, or improve service quality in response to specific problems you've encountered. Here's how we handle your data by service tier:

2.3.1 Free Tier (Pay As You Go)

Our free tier provides access to Morph's powerful code editing capabilities:

  • No training by default: We do not use your Inputs and Outputs to train our models as a standard practice.
  • Customer support exception: When you report an issue, request support, or encounter errors, we may use your data to investigate the problem, improve our Services, and prevent similar issues for all users.
  • Retention: We retain your data for up to 90 days to enable support and debugging and to provide you access to your history.
  • Security measures: Encryption and access controls protect your data during storage and processing.
  • After 90 days: Data is deleted or anonymized in a way that cannot be traced back to you.
  • Human review: Our team may review data for safety, abuse prevention, and when providing customer support.

Free tier users should not submit highly confidential or sensitive information. Upgrade to a paid plan for enhanced privacy protections.

2.3.2 Paid Tier

Our paid tier provides enhanced privacy protections and priority support:

  • No training by default: We do not use your Inputs and Outputs to train our models as a standard practice.
  • Customer support exception: When you report an issue, request support, or encounter errors, we may use your data (with confidentiality protections and enhanced anonymization) to investigate problems, improve service quality, and resolve technical issues.
  • Retention: We retain your data for up to 30 days to enable debugging, support, and service continuity.
  • Enhanced security: Dedicated access controls, audit logging, encryption at rest and in transit, and segregated storage environments.
  • Limited human review: Access only when necessary for debugging, support requests, abuse prevention, or legal compliance.
  • Confidentiality: Your data is treated as confidential information under our terms.
  • After 30 days: Data is permanently deleted using secure deletion methods, unless legally required to retain.

2.3.3 Enterprise Tier (Zero Data Retention)

Enterprise customers receive our highest level of privacy protection with true zero data retention:

  • Zero training: We do not use your Inputs or Outputs to train or improve our models. Period.
  • Zero retention: Your data is processed exclusively in memory and is never written to persistent storage (disk, SSD, databases, logs, or backups).
  • Immediate deletion: All data is purged from memory immediately after processing completes. Nothing is cached or retained.
  • No logs: We do not log your code content, Inputs, or Outputs. Only minimal metadata (timestamps, API usage) is retained for billing.
  • Limited access: Our team cannot and does not access your data except when you explicitly grant temporary access for time-limited support sessions.
  • Technical safeguards: Memory isolation, secure memory allocation, and automated sanitization prevent inadvertent data persistence.
  • Regular audits: Third-party security audits verify our zero-retention implementation.

Contact sales@morphllm.com to discuss enterprise options and custom data handling requirements.

2.3.4 Self-Hosted Deployments

Self-hosted deployments give you complete control:

  • Your infrastructure, your rules: All data processing occurs within your environment under your control.
  • No data transmission: Nothing is sent to Morph servers unless you explicitly enable telemetry or request support.
  • Optional telemetry: If enabled, we collect only anonymized usage statistics (API call counts, error rates) with no code content.
  • Support access: We only access your deployment when you explicitly grant time-limited access for troubleshooting.

2.4 Why We May Access Your Data

We may access or use your data only when necessary for the following legitimate purposes:

  • Service Operation: To process your requests and return results to you
  • Customer Support and Debugging: When you report an issue, request help, or encounter an error, we may access and use your data to troubleshoot the problem, investigate the root cause, and improve our Services to prevent similar issues
  • Safety and Abuse Prevention: To detect and prevent misuse, security threats, harmful content, or violations of our Terms of Service
  • Service Quality: To understand and resolve performance issues, error patterns, and service degradation affecting users
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes, or to respond to valid legal requests

Enterprise customers: We do not access your data for any purpose beyond processing your immediate requests, except when you explicitly grant us time-limited access for support.

3. Data Retention

We retain different types of data for different periods based on your service tier and the nature of the information:

3.1 Content Retention by Tier

  • Free Tier: Up to 90 days. After this period, we may delete your data or anonymize it so it can no longer be linked to you. Anonymized insights may be retained indefinitely to improve our Services.
  • Paid Tier: Up to 30 days. After this period, your data is securely deleted. We may use anonymized patterns during the retention period to improve our Services.
  • Enterprise Tier: Zero retention. Your data is processed in memory only and purged immediately after your request completes. We never store, log, or retain your code content.
  • Self-Hosted: You control retention entirely through your own policies and infrastructure.

3.2 Account and Billing Information

We retain your account information (email, name, billing details) for as long as your account is active, plus a reasonable period afterward (typically 7 years) to comply with legal obligations, resolve disputes, and maintain accurate business records.

3.3 Legal Holds

If we receive a valid legal request (subpoena, court order, etc.) or if data is relevant to potential litigation, we may retain data longer than stated above as required by law. We will notify you when legally permitted.

3.4 Early Deletion Requests

You can request early deletion of your data by contacting privacy@morphllm.com. Please note that early deletion may limit our ability to provide support or debug issues, and some features may not work properly after deletion.

4. Data Processing Relationships and Legal Basis

4.1 Processing Roles

Depending on how you use our Services, Morph may act as either a Data Controller or Data Processor under applicable data protection laws:

  • Data Controller: When collecting and processing your account information, billing data, and usage analytics for our own business purposes.
  • Data Processor: When processing code and content you submit through our Services according to your instructions and for the sole purpose of providing the requested Services.
  • Joint Controller: In certain circumstances where we jointly determine the purposes and means of processing with you, we will establish appropriate arrangements to define our respective responsibilities.

4.2 Subprocessor Management

When acting as a Data Processor, we may engage subprocessors to assist in providing Services. We maintain strict controls over subprocessor relationships:

  • Prior Authorization: For Paid Tier and enterprise customers, we provide advance notice of new subprocessors and allow objection rights.
  • Contractual Safeguards: All subprocessors are bound by written agreements requiring equivalent data protection standards.
  • Ongoing Oversight: We regularly audit subprocessor compliance with our data protection requirements.
  • Current Subprocessors: A list of current subprocessors is available upon request for enterprise customers.

4.3 Legal Basis for Processing

Our legal basis for processing personal information depends on the specific context:

  • Contract Performance: Processing necessary to provide Services you have requested.
  • Legitimate Interests: Processing for service improvement, security, and business operations, balanced against your privacy rights.
  • Legal Compliance: Processing required to comply with applicable laws and regulations.
  • Consent: Where required by law, we obtain explicit consent for specific processing activities.

5. How We Use Your Information

We use the information we collect to provide, protect, and, when necessary, improve our Services. We do not use your code or content to train our models, except when addressing customer support cases or debugging service issues. Specifically, we may use your information to:

  • Operate the Services: Process your requests, return results, and maintain service functionality
  • Customer Support and Improvement: When you report an issue, request support, or encounter errors, we may use your data to troubleshoot problems, train our models to prevent similar issues, and improve service quality
  • Provide support: Respond to your questions and provide technical assistance
  • Ensure security: Detect and prevent abuse, fraud, security threats, and violations of our Terms
  • Process payments: Handle billing, subscriptions, and financial transactions
  • Send communications: Deliver service updates, security alerts, marketing messages (with your consent), and administrative notices
  • Analyze usage patterns: Understand aggregate usage trends (not individual code content) to identify areas for improvement
  • Comply with law: Meet our legal obligations and respond to valid legal requests
  • Protect rights: Enforce our Terms, protect our intellectual property, and defend against legal claims

Important: Enterprise customers receive zero data retention. We do not use enterprise customer data for training, improvement, or any purpose beyond processing immediate requests, except when you explicitly grant us temporary support access.

6. Information Sharing and Disclosure

We respect your privacy and limit data sharing. We may share your information in these situations:

6.1 Service Providers and Partners

We work with trusted third-party companies to help us operate our Services. These include cloud infrastructure providers (AWS, Google Cloud), payment processors (Stripe), analytics services, customer support tools, and security monitoring services. These partners are contractually required to protect your data and can only use it to provide services to us.

6.2 Business Transfers

If Morph is acquired by or merged with another company, undergoes restructuring, or sells assets, your information may be transferred as part of that transaction. We'll notify you of any such change and how it affects your data.

6.3 Legal Requirements and Safety

We may disclose your information when we believe it's necessary to:

  • Comply with laws, regulations, subpoenas, court orders, or valid legal requests from authorities
  • Enforce our Terms of Service and other agreements
  • Detect, prevent, or address fraud, security issues, or technical problems
  • Protect against harm to the rights, property, or safety of Morph, our users, or the public as required or permitted by law

6.4 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you with partners, researchers, or the public. For example, we might share statistics about API usage patterns or performance benchmarks.

6.5 With Your Consent

We may share your information for other purposes when you give us your permission.

Note for Enterprise Customers: Your code and content are never shared with third parties and are subject to our zero-retention policy. Only anonymized billing metadata may be processed by payment providers.

7. Data Security and Incident Response

We implement comprehensive security measures to protect your information from unauthorized access, disclosure, alteration, and destruction. Our security program is designed to meet or exceed industry standards and regulatory requirements.

7.1 Technical and Organizational Measures

  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Access Controls: Role-based access controls with multi-factor authentication
  • Network Security: Firewalls, intrusion detection systems, and network segmentation
  • Regular Assessments: Quarterly security audits and annual penetration testing
  • Employee Training: Mandatory security awareness training for all personnel
  • Compliance Certifications: SOC 2 Type II, ISO 27001 compliance maintained

7.2 Security Incident Response

We maintain a comprehensive incident response program:

  • Detection and Assessment: 24/7 security monitoring and automated threat detection
  • Notification Timeline: We will notify affected customers within 72 hours of discovering a security incident that affects personal data
  • Customer Communication: Detailed incident reports provided including nature of incident, data involved, and remediation steps
  • Regulatory Reporting: We assist customers with regulatory breach notification requirements
  • Remediation: Immediate containment measures and long-term security improvements
  • Documentation: Comprehensive incident records maintained for compliance and audit purposes

7.3 Tier-Specific Security Measures

  • Pay As You Go Tier: Standard encryption and security protocols with automated monitoring
  • Paid Tier: Enhanced encryption, dedicated access controls, priority security monitoring, and dedicated incident response
  • Enterprise and Self-Hosted: Highest level of security with zero-retention processing, end-to-end encryption, private deployment environments, and custom security controls

7.4 Security Limitations

While we implement industry-leading security measures, no method of transmission over the Internet or electronic storage is 100% secure. We continuously improve our security posture and respond to emerging threats, but cannot guarantee absolute security.

8. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information. We are committed to facilitating the exercise of these rights and provide support to our customers in meeting their obligations.

8.1 Individual Rights

  • Access: You may request access to the personal information we hold about you, including details about processing activities.
  • Rectification: You may request that we correct inaccurate or incomplete personal information.
  • Erasure (Right to be Forgotten): You may request deletion of your personal information in certain circumstances.
  • Restriction of Processing: You may request that we restrict the processing of your personal information.
  • Data Portability: You may request a copy of your personal information in a structured, commonly used, and machine-readable format.
  • Objection: You may object to our processing of your personal information based on legitimate interests.
  • Withdrawal of Consent: Where processing is based on consent, you may withdraw consent at any time.
  • Automated Decision-Making: You have rights regarding automated decision-making and profiling.

8.2 Customer Support for Data Subject Requests

When we act as a Data Processor, we provide comprehensive support to help you fulfill data subject requests:

  • Request Identification: We help identify relevant data and processing activities
  • Data Retrieval: We provide tools and assistance to retrieve requested personal data
  • Deletion Support: We execute deletion requests promptly and provide confirmation
  • Automated Tools: Self-service tools available for common requests (Paid Tier and above)
  • Response Timeline: We respond to customer requests within 30 days or as required by applicable law
  • Documentation: We provide documentation to support your regulatory compliance

8.3 How to Exercise Your Rights

To exercise any of these rights:

  • Direct Requests: Contact us at privacy@morphllm.com
  • Customer Portal: Use self-service options in your account dashboard (where available)
  • Identity Verification: We may require verification of your identity before processing requests
  • Response Time: We respond within 30 days (or 1 month under GDPR) and may extend by 60 days for complex requests
  • No Fee: We do not charge fees for exercising your rights unless requests are manifestly unfounded or excessive

8.4 Supervisory Authority Rights

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable data protection laws. If you are an EU resident, you can find your relevant supervisory authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

9. International Data Transfers

We may transfer, store, and process your information in countries other than your own. Our primary data processing occurs in the United States, with additional processing in select countries where our service providers operate.

9.1 Transfer Safeguards

For transfers from the EEA, UK, or Switzerland to countries not deemed adequate by relevant authorities, we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses for data transfers
  • UK International Data Transfer Agreement (IDTA): For transfers from the UK
  • Adequacy Decisions: We prioritize transfers to countries with adequacy decisions where possible
  • Binding Corporate Rules: For enterprise customers, we can implement binding corporate rules upon request
  • Additional Safeguards: Technical measures including encryption and access controls for international transfers

9.2 Data Localization Options

For customers with data residency requirements:

  • Regional Data Centers: Available for Paid Tier and enterprise customers
  • Self-Hosted Deployments: Complete data control within your chosen jurisdiction
  • Data Processing Agreements: Custom DPAs available for enterprise customers with specific transfer restrictions

9.3 Transfer Impact Assessments

We regularly conduct Transfer Impact Assessments (TIAs) to evaluate the effectiveness of our transfer safeguards and make adjustments as needed to ensure continued protection of personal data.

10. Compliance, Audit, and Records

10.1 Compliance Framework

We maintain comprehensive compliance programs to meet applicable data protection requirements:

  • Regulatory Compliance: GDPR, CCPA, LGPD, and other applicable data protection laws
  • Industry Standards: ISO 27001, SOC 2 Type II, and industry best practices
  • Regular Reviews: Quarterly compliance assessments and annual policy updates
  • Training Programs: Ongoing privacy and security training for all personnel

10.2 Records and Documentation

We maintain detailed records to demonstrate compliance:

  • Processing Records: Comprehensive records of processing activities maintained for 3 years minimum
  • Consent Records: Documentation of consent where applicable, including withdrawal records
  • Breach Records: Complete documentation of security incidents and response actions
  • Training Records: Documentation of privacy and security training completion
  • Audit Trails: System logs and access records for compliance verification

10.3 Audit Rights and Cooperation

For Paid Tier and enterprise customers, we provide audit support:

  • Audit Summaries: Annual compliance reports and audit summaries available upon request
  • Due Diligence: Response to reasonable security and privacy due diligence questionnaires
  • Third-Party Audits: We undergo regular independent audits and can share relevant findings
  • Customer Audits: Reasonable audit rights for enterprise customers with advance notice
  • Compliance Assistance: Support for customer compliance initiatives and regulatory inquiries

10.4 Continuous Improvement

We continuously enhance our privacy and security practices through:

  • Regular Assessments: Privacy Impact Assessments (PIAs) for new processing activities
  • Technology Updates: Implementation of privacy-enhancing technologies
  • Stakeholder Feedback: Regular review of customer and user feedback
  • Legal Monitoring: Ongoing monitoring of regulatory developments and requirements

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this Policy. You are advised to review this Privacy Policy periodically for any changes.

Your continued use of our Services after such modifications will constitute your acknowledgment of the modified Policy and your agreement to abide and be bound by the modified Policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

Privacy Inquiries: privacy@morphllm.com
Enterprise & Custom Solutions: sales@morphllm.com

Address:
AutoInfra, Inc.
San Francisco, CA 94109
United States

For more information about our terms of service, please visit our Terms of Service page.