MorphMorph

Privacy Policy

Last Updated: July 30, 2025

Effective Date: July 17, 2025 | Version 3.0

1. Introduction and Scope

This Privacy Policy ("Policy") describes how AutoInfra, Inc. ("Morph," "we," "our," or "us") collects, uses, stores, and protects your information when you use our website, services, APIs, and related applications (collectively, the "Services"). This Policy applies to all users of our Services, including those who use our pay-as-you-go tier, paid tier, zero data retention options, and self-hosted deployments.

This Policy is a legally binding agreement between you and Morph. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Policy, you must not access or use our Services.

This Policy is incorporated into and subject to our Terms of Service. Any capitalized terms not defined in this Policy shall have the meaning set forth in our Terms of Service.

2. Information We Collect

We collect different types of information depending on how you interact with our Services and which tier of service you use. We collect this information in accordance with applicable laws and regulations, including but not limited to the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and the Brazilian General Data Protection Law ("LGPD").

2.1 Categories of Personal Information

We may collect the following categories of personal information:

  • Identifiers: Name, email address, postal address, phone number, unique personal identifier, online identifier, IP address, account username, or other similar identifiers.
  • Customer Records: Name, signature, address, telephone number, education, employment, employment history, financial information, or medical information.
  • Commercial Information: Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Internet Activity: Browsing history, search history, information on your interaction with our website, application, or advertisement.
  • Geolocation Data: Physical location or movements.
  • Professional Information: Current or past job history or performance evaluations.
  • Inferences: Inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

2.2 Sources of Information

We collect personal information from the following sources:

  • Direct Collection: Information you provide directly to us when you register for an account, use our Services, contact our customer support, or otherwise interact with us.
  • Automated Collection: Information collected automatically through your use of our Services, such as through cookies, web beacons, and similar technologies.
  • Third-Party Sources: Information we receive from third-party sources, such as business partners, data providers, social media platforms, and advertising networks, where they have the right to share your information with us.

2.3 Service Data

We process code and related content that you submit to our Services. The collection, processing, and retention of this data varies depending on your service tier:

2.3.1 Pay As You Go Tier Data Processing

When you use our Pay As You Go Tier Services:

  • We collect and store code submitted for processing, including original code, update snippets, intermediate operations, and final code.
  • We maintain detailed logs of all operations performed on your code, including timestamps, error messages, and performance metrics.
  • This data may be used for service improvement, debugging, model training, quality assurance, and product development.
  • We may derive and extract patterns, techniques, algorithms, or other information from your code for incorporation into our machine learning models.
  • We may process your code with various versions of our models for comparative analysis and performance optimization.

2.3.2 Paid Tier Data Processing

When you use our Paid Tier Services:

  • We collect and store code submitted for processing, including original code, update snippets, and final code.
  • We implement enhanced security measures for data handling, including access controls, encryption, and segregated storage.
  • This data may be used for service improvement, debugging, and model training, subject to the confidentiality provisions in your service agreement.
  • Derived data patterns are anonymized through technical measures designed to prevent reconstruction of the original code.
  • We maintain audit logs of all access to your data by our personnel.

2.3.3 Zero Data Retention Options

For customers requiring zero data retention, contact sales@morphllm.com to discuss custom solutions:

  • We implement a true zero-retention policy for all code data submitted through our API or services.
  • Code data is processed exclusively in volatile memory (RAM) and is never persisted to non-volatile storage (disk, SSD, etc.).
  • We employ technical safeguards to prevent inadvertent persistence, including memory sanitization, secure memory allocation, and memory isolation techniques.
  • All intermediate representations and computational artifacts are destroyed immediately upon completion of the requested operation.
  • No code data is retained after the completion of the requested operation in any form, including logs, caches, or backup systems.
  • We do not use your code data to train our models, improve our Services, or for any purpose other than processing your immediate request.
  • Our systems are designed to prevent data exfiltration through side-channel attacks or other security vulnerabilities.
  • We undergo regular third-party security audits to verify our zero-retention claims and practices.

2.3.4 Self-Hosted Deployment Data Processing

When you use our Self-Hosted deployment option:

  • All data processing occurs within your infrastructure, under your control and supervision.
  • No data is transmitted to Morph's servers unless explicitly configured by your administrators for specific support or telemetry purposes.
  • Our software is designed to respect your data locality requirements and internal security policies.
  • Data retention is governed entirely by your internal policies and configurations.
  • We may collect anonymized usage statistics if enabled in your configuration, but these statistics do not include code content or personally identifiable information.
  • Support diagnostics may be collected with your explicit approval when troubleshooting issues.

3. Data Retention Policies

3.1 General Principles

Our data retention policies are guided by the following principles:

  • Purpose Limitation: We retain data only for as long as necessary to fulfill the purposes for which it was collected.
  • Data Minimization: We limit the collection and retention of data to what is directly relevant and necessary for the specified purpose.
  • Storage Limitation: We implement and enforce retention periods that ensure data is not kept longer than necessary.
  • Tiered Access: Different categories of data may have different retention periods based on their sensitivity and the purpose of processing.
  • Secure Deletion: When data is deleted, we use secure deletion methods to ensure it cannot be recovered.

3.2 Tier-Specific Retention Policies

3.2.1 Pay As You Go Tier Data Retention

For users of our Pay As You Go Tier:

  • Code Data Retention Period: Code data submitted to our Services is retained for up to ninety (90) days from the date of submission.
  • Retention Purpose: This retention period allows us to:
    • Provide you with access to your historical submissions
    • Debug and troubleshoot issues with our Services
    • Improve our machine learning models
    • Develop new features and capabilities
    • Analyze usage patterns and optimize performance
  • Data Anonymization: After the 90-day retention period, identifiable code data is either:
    • Permanently deleted using secure deletion methods, or
    • Anonymized through technical processes that remove all identifying elements and prevent reconstruction of the original code
  • Derived Data: Information derived from your code for model training purposes may be retained indefinitely but is transformed to prevent reconstruction of the original code.
  • Usage Data: Anonymized and aggregated usage data may be retained indefinitely for analytical purposes.
  • Account Information: Your account information is retained for as long as your account remains active and as needed to provide you with the Services, plus a reasonable period after account closure to address any legal or technical issues that may arise.
  • Early Deletion: You may request early deletion of your data by contacting privacy@morphllm.com, but this may affect your ability to use certain features of our Services.

3.2.2 Paid Tier Data Retention

For users of our Paid Tier:

  • Code Data Retention Period: Code data submitted to our Services is retained for up to thirty (30) days from the date of submission.
  • Retention Purpose: This retention period allows us to:
    • Provide you with access to your recent submissions
    • Debug and troubleshoot issues with our Services
    • Maintain service quality and continuity
    • Provide enhanced support and problem resolution
  • Enhanced Security Measures: During the retention period, your data is protected with:
    • End-to-end encryption for data at rest and in transit
    • Role-based access controls limiting internal access
    • Audit logging of all access to your data
    • Secure, isolated storage environments
    • Automated enforcement of retention periods
  • Data Deletion: After the 30-day retention period, your code data is permanently deleted using secure deletion methods that comply with industry standards (e.g., NIST SP 800-88).
  • Model Training: We may use submitted code data to improve our models and Services, subject to the confidentiality provisions in your service agreement. This use is subject to:
    • Robust anonymization techniques
    • Removal of sensitive information
    • Contractual restrictions on use and disclosure
    • Technical safeguards against reconstruction
  • Usage Data: Anonymized and aggregated usage data may be retained indefinitely for analytical purposes, but is maintained separately from identifiable code data.
  • Account Information: Your account information is retained for as long as your account remains active and as needed to provide you with the Services, plus a reasonable period after account closure to address any legal or technical issues that may arise.
  • Custom Retention: You may request modified retention periods by contacting your account representative, subject to technical limitations and additional fees.

3.2.3 Zero Data Retention Options

For customers requiring zero data retention, contact sales@morphllm.com to discuss custom solutions:

  • Zero-Retention Policy: We implement a true zero-retention policy for all code data submitted through our API or services. This means:
    • No code data is stored on non-volatile media at any point
    • All processing occurs exclusively in volatile memory (RAM)
    • Memory is immediately sanitized after processing completes
    • No data persistence beyond the immediate processing context
    • No logs containing code content or derivatives
    • No caching of results beyond the immediate response
    • No backup or replication of code data
  • Technical Implementation: Our zero-retention policy is enforced through:
    • Memory allocation techniques that prevent swapping to disk
    • Memory sanitization routines that overwrite memory after use
    • Process isolation to prevent data leakage
    • Ephemeral compute environments that leave no trace
    • Continuous monitoring for compliance
    • Regular security audits by third parties
  • Metadata Handling: Basic usage metrics (such as API call volume, error rates, and performance metrics) may be collected without any association to the actual content processed. This metadata:
    • Contains no code contents or derivatives
    • Is used solely for billing and service quality purposes
    • Is retained only as long as necessary for these purposes
    • Is subject to the same security controls as other enterprise data
  • No Model Training: We do not use your code data to train our models or improve our Services. Your data is used solely for the purpose of processing your immediate request.
  • Account Information: Your account information is retained for as long as your account remains active and as needed to provide you with the Services, plus a reasonable period after account closure to address any legal or technical issues that may arise. This information is stored separately from code processing systems.
  • Compliance Documentation: We maintain documentation certifying our compliance with this zero-retention policy, including:
    • Third-party audit reports
    • Technical design documentation
    • Security control descriptions
    • Attestations of compliance
  • Data Subject Requests: Because no code data is retained, data subject access requests related to submitted code cannot be fulfilled, as there is no data to provide.

3.2.4 Self-Hosted Deployments

For customers using our self-hosted deployment options:

  • Customer-Controlled Retention: All data retention is governed by your internal policies and configurations. Morph does not control or dictate retention periods for self-hosted deployments.
  • Data Locality: All data remains within your infrastructure and control unless explicitly configured otherwise.
  • Configuration Options: Our software provides configurable options for:
    • Setting custom retention periods
    • Enabling or disabling logging
    • Managing caching behavior
    • Implementing secure deletion procedures
    • Enforcing data minimization practices
  • Telemetry: We may collect anonymized usage statistics if enabled in your configuration. This telemetry:
    • Never includes code content
    • Contains no personally identifiable information
    • Is limited to operational metrics (e.g., request counts, error rates)
    • Can be disabled entirely in your configuration
    • Is transmitted securely when enabled
  • Support Access: We do not have access to your code or data unless explicitly granted for support purposes. When granted, such access:
    • Is time-limited
    • Is logged and auditable
    • Is restricted to the specific issue being addressed
    • Terminates automatically after the support session
    • Does not result in data transfer outside your environment
  • Deployment Guidance: We provide best practice guidance for configuring retention periods in accordance with relevant regulations and industry standards, but the ultimate responsibility for compliance rests with you.

4. Data Processing Relationships and Legal Basis

4.1 Processing Roles

Depending on how you use our Services, Morph may act as either a Data Controller or Data Processor under applicable data protection laws:

  • Data Controller: When collecting and processing your account information, billing data, and usage analytics for our own business purposes.
  • Data Processor: When processing code and content you submit through our Services according to your instructions and for the sole purpose of providing the requested Services.
  • Joint Controller: In certain circumstances where we jointly determine the purposes and means of processing with you, we will establish appropriate arrangements to define our respective responsibilities.

4.2 Subprocessor Management

When acting as a Data Processor, we may engage subprocessors to assist in providing Services. We maintain strict controls over subprocessor relationships:

  • Prior Authorization: For Paid Tier and enterprise customers, we provide advance notice of new subprocessors and allow objection rights.
  • Contractual Safeguards: All subprocessors are bound by written agreements requiring equivalent data protection standards.
  • Ongoing Oversight: We regularly audit subprocessor compliance with our data protection requirements.
  • Current Subprocessors: A list of current subprocessors is available upon request for enterprise customers.

4.3 Legal Basis for Processing

Our legal basis for processing personal information depends on the specific context:

  • Contract Performance: Processing necessary to provide Services you have requested.
  • Legitimate Interests: Processing for service improvement, security, and business operations, balanced against your privacy rights.
  • Legal Compliance: Processing required to comply with applicable laws and regulations.
  • Consent: Where required by law, we obtain explicit consent for specific processing activities.

5. How We Use Your Information

We use the information we collect for various purposes, including:

  • Providing, maintaining, and improving our Services
  • Processing and completing transactions
  • Sending administrative information, such as updates, security alerts, and support messages
  • Responding to your comments, questions, and requests
  • Developing new products and services
  • Monitoring and analyzing trends, usage, and activities in connection with our Services
  • Detecting, preventing, and addressing technical issues, security breaches, and fraudulent activities
  • Complying with legal obligations

4.1 Use of Service Data

Depending on your subscription tier:

  • Pay As You Go Tier: We may use your submitted code data to train our models, improve our Services, and develop new features.
  • Paid Tier: We may use your submitted code data to train our models, improve our Services, and develop new features, subject to the confidentiality provisions in your service agreement.
  • Zero Data Retention and Self-Hosted: We do not use your submitted code data for any purpose other than processing your immediate request. Your code data is never used for model training or service improvement.

12. Information Sharing and Disclosure

We may share your information in the following circumstances:

12.1 With Service Providers

We may share your information with third-party vendors, consultants, and other service providers who need access to such information to carry out work on our behalf. These third parties have access to your information only to perform specific tasks on our behalf and are obligated not to disclose or use your information for any other purpose.

12.2 For Business Transfers

If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of such a transaction as permitted by law and/or contract.

12.3 For Legal Reasons

We may disclose your information if we believe in good faith that such disclosure is necessary to:

  • Comply with relevant laws, regulations, legal processes, or governmental requests
  • Enforce our agreements, policies, and terms of service
  • Protect the security or integrity of our Services
  • Protect Morph, our customers, or the public from harm or illegal activities

12.4 With Your Consent

We may share your information with third parties when you have given us your consent to do so.

6. Data Security and Incident Response

We implement comprehensive security measures to protect your information from unauthorized access, disclosure, alteration, and destruction. Our security program is designed to meet or exceed industry standards and regulatory requirements.

6.1 Technical and Organizational Measures

  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Access Controls: Role-based access controls with multi-factor authentication
  • Network Security: Firewalls, intrusion detection systems, and network segmentation
  • Regular Assessments: Quarterly security audits and annual penetration testing
  • Employee Training: Mandatory security awareness training for all personnel
  • Compliance Certifications: SOC 2 Type II, ISO 27001 compliance maintained

6.2 Security Incident Response

We maintain a comprehensive incident response program:

  • Detection and Assessment: 24/7 security monitoring and automated threat detection
  • Notification Timeline: We will notify affected customers within 72 hours of discovering a security incident that affects personal data
  • Customer Communication: Detailed incident reports provided including nature of incident, data involved, and remediation steps
  • Regulatory Reporting: We assist customers with regulatory breach notification requirements
  • Remediation: Immediate containment measures and long-term security improvements
  • Documentation: Comprehensive incident records maintained for compliance and audit purposes

6.3 Tier-Specific Security Measures

  • Pay As You Go Tier: Standard encryption and security protocols with automated monitoring
  • Paid Tier: Enhanced encryption, dedicated access controls, priority security monitoring, and dedicated incident response
  • Zero Data Retention and Self-Hosted: Highest level of security with zero-retention processing, end-to-end encryption, private deployment environments, and custom security controls

6.4 Security Limitations

While we implement industry-leading security measures, no method of transmission over the Internet or electronic storage is 100% secure. We continuously improve our security posture and respond to emerging threats, but cannot guarantee absolute security.

7. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information. We are committed to facilitating the exercise of these rights and provide support to our customers in meeting their obligations.

7.1 Individual Rights

  • Access: You may request access to the personal information we hold about you, including details about processing activities.
  • Rectification: You may request that we correct inaccurate or incomplete personal information.
  • Erasure (Right to be Forgotten): You may request deletion of your personal information in certain circumstances.
  • Restriction of Processing: You may request that we restrict the processing of your personal information.
  • Data Portability: You may request a copy of your personal information in a structured, commonly used, and machine-readable format.
  • Objection: You may object to our processing of your personal information based on legitimate interests.
  • Withdrawal of Consent: Where processing is based on consent, you may withdraw consent at any time.
  • Automated Decision-Making: You have rights regarding automated decision-making and profiling.

7.2 Customer Support for Data Subject Requests

When we act as a Data Processor, we provide comprehensive support to help you fulfill data subject requests:

  • Request Identification: We help identify relevant data and processing activities
  • Data Retrieval: We provide tools and assistance to retrieve requested personal data
  • Deletion Support: We execute deletion requests promptly and provide confirmation
  • Automated Tools: Self-service tools available for common requests (Paid Tier and above)
  • Response Timeline: We respond to customer requests within 30 days or as required by applicable law
  • Documentation: We provide documentation to support your regulatory compliance

7.3 How to Exercise Your Rights

To exercise any of these rights:

  • Direct Requests: Contact us at privacy@morphllm.com
  • Customer Portal: Use self-service options in your account dashboard (where available)
  • Identity Verification: We may require verification of your identity before processing requests
  • Response Time: We respond within 30 days (or 1 month under GDPR) and may extend by 60 days for complex requests
  • No Fee: We do not charge fees for exercising your rights unless requests are manifestly unfounded or excessive

7.4 Supervisory Authority Rights

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable data protection laws. For EU residents, you can find your relevant supervisory authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

8. International Data Transfers

We may transfer, store, and process your information in countries other than your own. Our primary data processing occurs in the United States, with additional processing in select countries where our service providers operate.

8.1 Transfer Safeguards

For transfers from the EEA, UK, or Switzerland to countries not deemed adequate by relevant authorities, we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses for data transfers
  • UK International Data Transfer Agreement (IDTA): For transfers from the UK
  • Adequacy Decisions: We prioritize transfers to countries with adequacy decisions where possible
  • Binding Corporate Rules: For enterprise customers, we can implement binding corporate rules upon request
  • Additional Safeguards: Technical measures including encryption and access controls for international transfers

8.2 Data Localization Options

For customers with data residency requirements:

  • Regional Data Centers: Available for Paid Tier and enterprise customers
  • Self-Hosted Deployments: Complete data control within your chosen jurisdiction
  • Data Processing Agreements: Custom DPAs available for enterprise customers with specific transfer restrictions

8.3 Transfer Impact Assessments

We regularly conduct Transfer Impact Assessments (TIAs) to evaluate the effectiveness of our transfer safeguards and make adjustments as needed to ensure continued protection of personal data.

9. Compliance, Audit, and Records

9.1 Compliance Framework

We maintain comprehensive compliance programs to meet applicable data protection requirements:

  • Regulatory Compliance: GDPR, CCPA, LGPD, and other applicable data protection laws
  • Industry Standards: ISO 27001, SOC 2 Type II, and industry best practices
  • Regular Reviews: Quarterly compliance assessments and annual policy updates
  • Training Programs: Ongoing privacy and security training for all personnel

9.2 Records and Documentation

We maintain detailed records to demonstrate compliance:

  • Processing Records: Comprehensive records of processing activities maintained for 3 years minimum
  • Consent Records: Documentation of consent where applicable, including withdrawal records
  • Breach Records: Complete documentation of security incidents and response actions
  • Training Records: Documentation of privacy and security training completion
  • Audit Trails: System logs and access records for compliance verification

9.3 Audit Rights and Cooperation

For Paid Tier and enterprise customers, we provide audit support:

  • Audit Summaries: Annual compliance reports and audit summaries available upon request
  • Due Diligence: Response to reasonable security and privacy due diligence questionnaires
  • Third-Party Audits: We undergo regular independent audits and can share relevant findings
  • Customer Audits: Reasonable audit rights for enterprise customers with advance notice
  • Compliance Assistance: Support for customer compliance initiatives and regulatory inquiries

9.4 Continuous Improvement

We continuously enhance our privacy and security practices through:

  • Regular Assessments: Privacy Impact Assessments (PIAs) for new processing activities
  • Technology Updates: Implementation of privacy-enhancing technologies
  • Stakeholder Feedback: Regular review of customer and user feedback
  • Legal Monitoring: Ongoing monitoring of regulatory developments and requirements

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this Policy. You are advised to review this Privacy Policy periodically for any changes.

Your continued use of our Services after such modifications will constitute your acknowledgment of the modified Policy and your agreement to abide and be bound by the modified Policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

Privacy Inquiries: privacy@morphllm.com
Zero Data Retention & Self-Hosting: sales@morphllm.com

Address:
AutoInfra, Inc.
123 AI Avenue
San Francisco, CA 94107
United States

For more information about our terms of service, please visit our Terms of Service page.