Privacy Policy

1. Introduction and Scope

This Privacy Policy ("Policy") describes how AutoInfra, Inc. ("Morph," "we," "our," or "us") collects, uses, stores, and protects your information when you use our website, services, APIs, and related applications (collectively, the "Services"). This Policy applies to all users of our Services, including those who use our pay-as-you-go tier, paid tier, zero data retention options, and self-hosted deployments.

This Policy is a legally binding agreement between you and Morph. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Policy, you must not access or use our Services.

This Policy is incorporated into and subject to our Terms of Service. Any capitalized terms not defined in this Policy shall have the meaning set forth in our Terms of Service.

2. Information We Collect

We collect different types of information depending on how you interact with our Services and which tier of service you use. We collect this information in accordance with applicable laws and regulations, including but not limited to the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and the Brazilian General Data Protection Law ("LGPD").

2.1 Categories of Personal Information

We may collect the following categories of personal information:

• Identifiers: Name, email address, postal address, phone number, unique personal identifier, online identifier, IP address, account username, or other similar identifiers.
• Customer Records: Name, signature, address, telephone number, education, employment, employment history, financial information, or medical information.
• Commercial Information: Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
• Internet Activity: Browsing history, search history, information on your interaction with our website, application, or advertisement.
• Geolocation Data: Physical location or movements.
• Professional Information: Current or past job history or performance evaluations.
• Inferences: Inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

2.2 Sources of Information

We collect personal information from the following sources:

• Direct Collection: Information you provide directly to us when you register for an account, use our Services, contact our customer support, or otherwise interact with us.
• Automated Collection: Information collected automatically through your use of our Services, such as through cookies, web beacons, and similar technologies.
• Third-Party Sources: Information we receive from third-party sources, such as business partners, data providers, social media platforms, and advertising networks, where they have the right to share your information with us.

2.3 Service Data

We process code and related content that you submit to our Services. The collection, processing, and retention of this data varies depending on your service tier:

3. Data Retention Policies

3.1 General Principles

Our data retention policies are guided by the following principles:

• Purpose Limitation: We retain data only for as long as necessary to fulfill the purposes for which it was collected.
• Data Minimization: We limit the collection and retention of data to what is directly relevant and necessary for the specified purpose.
• Storage Limitation: We implement and enforce retention periods that ensure data is not kept longer than necessary.
• Tiered Access: Different categories of data may have different retention periods based on their sensitivity and the purpose of processing.
• Secure Deletion: When data is deleted, we use secure deletion methods to ensure it cannot be recovered.

3.2 Tier-Specific Retention Policies

4. Data Processing Relationships and Legal Basis

4.1 Processing Roles

Depending on how you use our Services, Morph may act as either a Data Controller or Data Processor under applicable data protection laws:

• Data Controller: When collecting and processing your account information, billing data, and usage analytics for our own business purposes.
• Data Processor: When processing code and content you submit through our Services according to your instructions and for the sole purpose of providing the requested Services.
• Joint Controller: In certain circumstances where we jointly determine the purposes and means of processing with you, we will establish appropriate arrangements to define our respective responsibilities.

4.2 Subprocessor Management

When acting as a Data Processor, we may engage subprocessors to assist in providing Services. We maintain strict controls over subprocessor relationships:

• Prior Authorization: For Paid Tier and enterprise customers, we provide advance notice of new subprocessors and allow objection rights.
• Contractual Safeguards: All subprocessors are bound by written agreements requiring equivalent data protection standards.
• Ongoing Oversight: We regularly audit subprocessor compliance with our data protection requirements.
• Current Subprocessors: A list of current subprocessors is available upon request for enterprise customers.

4.3 Legal Basis for Processing

Our legal basis for processing personal information depends on the specific context:

• Contract Performance: Processing necessary to provide Services you have requested.
• Legitimate Interests: Processing for service improvement, security, and business operations, balanced against your privacy rights.
• Legal Compliance: Processing required to comply with applicable laws and regulations.
• Consent: Where required by law, we obtain explicit consent for specific processing activities.

5. How We Use Your Information

We use the information we collect for various purposes, including:

• Providing, maintaining, and improving our Services
• Processing and completing transactions
• Sending administrative information, such as updates, security alerts, and support messages
• Responding to your comments, questions, and requests
• Developing new products and services
• Monitoring and analyzing trends, usage, and activities in connection with our Services
• Detecting, preventing, and addressing technical issues, security breaches, and fraudulent activities
• Complying with legal obligations

4.1 Use of Service Data

Depending on your subscription tier:

• Pay As You Go Tier: We may use your submitted code data to train our models, improve our Services, and develop new features.
• Paid Tier: We may use your submitted code data to train our models, improve our Services, and develop new features, subject to the confidentiality provisions in your service agreement.
• Zero Data Retention and Self-Hosted: We do not use your submitted code data for any purpose other than processing your immediate request. Your code data is never used for model training or service improvement.

12. Information Sharing and Disclosure

We may share your information in the following circumstances:

12.1 With Service Providers

We may share your information with third-party vendors, consultants, and other service providers who need access to such information to carry out work on our behalf. These third parties have access to your information only to perform specific tasks on our behalf and are obligated not to disclose or use your information for any other purpose.

12.2 For Business Transfers

If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of such a transaction as permitted by law and/or contract.

12.3 For Legal Reasons

We may disclose your information if we believe in good faith that such disclosure is necessary to:

• Comply with relevant laws, regulations, legal processes, or governmental requests
• Enforce our agreements, policies, and terms of service
• Protect the security or integrity of our Services
• Protect Morph, our customers, or the public from harm or illegal activities

12.4 With Your Consent

We may share your information with third parties when you have given us your consent to do so.

6. Data Security and Incident Response

We implement comprehensive security measures to protect your information from unauthorized access, disclosure, alteration, and destruction. Our security program is designed to meet or exceed industry standards and regulatory requirements.

6.1 Technical and Organizational Measures

• Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
• Access Controls: Role-based access controls with multi-factor authentication
• Network Security: Firewalls, intrusion detection systems, and network segmentation
• Regular Assessments: Quarterly security audits and annual penetration testing
• Employee Training: Mandatory security awareness training for all personnel
• Compliance Certifications: SOC 2 Type II, ISO 27001 compliance maintained

6.2 Security Incident Response

We maintain a comprehensive incident response program:

• Detection and Assessment: 24/7 security monitoring and automated threat detection
• Notification Timeline: We will notify affected customers within 72 hours of discovering a security incident that affects personal data
• Customer Communication: Detailed incident reports provided including nature of incident, data involved, and remediation steps
• Regulatory Reporting: We assist customers with regulatory breach notification requirements
• Remediation: Immediate containment measures and long-term security improvements
• Documentation: Comprehensive incident records maintained for compliance and audit purposes

6.3 Tier-Specific Security Measures

• Pay As You Go Tier: Standard encryption and security protocols with automated monitoring
• Paid Tier: Enhanced encryption, dedicated access controls, priority security monitoring, and dedicated incident response
• Zero Data Retention and Self-Hosted: Highest level of security with zero-retention processing, end-to-end encryption, private deployment environments, and custom security controls

6.4 Security Limitations

While we implement industry-leading security measures, no method of transmission over the Internet or electronic storage is 100% secure. We continuously improve our security posture and respond to emerging threats, but cannot guarantee absolute security.

7. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information. We are committed to facilitating the exercise of these rights and provide support to our customers in meeting their obligations.

7.1 Individual Rights

• Access: You may request access to the personal information we hold about you, including details about processing activities.
• Rectification: You may request that we correct inaccurate or incomplete personal information.
• Erasure (Right to be Forgotten): You may request deletion of your personal information in certain circumstances.
• Restriction of Processing: You may request that we restrict the processing of your personal information.
• Data Portability: You may request a copy of your personal information in a structured, commonly used, and machine-readable format.
• Objection: You may object to our processing of your personal information based on legitimate interests.
• Withdrawal of Consent: Where processing is based on consent, you may withdraw consent at any time.
• Automated Decision-Making: You have rights regarding automated decision-making and profiling.

7.2 Customer Support for Data Subject Requests

When we act as a Data Processor, we provide comprehensive support to help you fulfill data subject requests:

• Request Identification: We help identify relevant data and processing activities
• Data Retrieval: We provide tools and assistance to retrieve requested personal data
• Deletion Support: We execute deletion requests promptly and provide confirmation
• Automated Tools: Self-service tools available for common requests (Paid Tier and above)
• Response Timeline: We respond to customer requests within 30 days or as required by applicable law
• Documentation: We provide documentation to support your regulatory compliance

7.3 How to Exercise Your Rights

To exercise any of these rights:

• Direct Requests: Contact us at privacy@morphllm.com
• Customer Portal: Use self-service options in your account dashboard (where available)
• Identity Verification: We may require verification of your identity before processing requests
• Response Time: We respond within 30 days (or 1 month under GDPR) and may extend by 60 days for complex requests
• No Fee: We do not charge fees for exercising your rights unless requests are manifestly unfounded or excessive

7.4 Supervisory Authority Rights

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable data protection laws. For EU residents, you can find your relevant supervisory authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

8. International Data Transfers

We may transfer, store, and process your information in countries other than your own. Our primary data processing occurs in the United States, with additional processing in select countries where our service providers operate.

8.1 Transfer Safeguards

For transfers from the EEA, UK, or Switzerland to countries not deemed adequate by relevant authorities, we implement appropriate safeguards:

• Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses for data transfers
• UK International Data Transfer Agreement (IDTA): For transfers from the UK
• Adequacy Decisions: We prioritize transfers to countries with adequacy decisions where possible
• Binding Corporate Rules: For enterprise customers, we can implement binding corporate rules upon request
• Additional Safeguards: Technical measures including encryption and access controls for international transfers

8.2 Data Localization Options

For customers with data residency requirements:

• Regional Data Centers: Available for Paid Tier and enterprise customers
• Self-Hosted Deployments: Complete data control within your chosen jurisdiction
• Data Processing Agreements: Custom DPAs available for enterprise customers with specific transfer restrictions

8.3 Transfer Impact Assessments

We regularly conduct Transfer Impact Assessments (TIAs) to evaluate the effectiveness of our transfer safeguards and make adjustments as needed to ensure continued protection of personal data.

9. Compliance, Audit, and Records

9.1 Compliance Framework

We maintain comprehensive compliance programs to meet applicable data protection requirements:

• Regulatory Compliance: GDPR, CCPA, LGPD, and other applicable data protection laws
• Industry Standards: ISO 27001, SOC 2 Type II, and industry best practices
• Regular Reviews: Quarterly compliance assessments and annual policy updates
• Training Programs: Ongoing privacy and security training for all personnel

9.2 Records and Documentation

We maintain detailed records to demonstrate compliance:

• Processing Records: Comprehensive records of processing activities maintained for 3 years minimum
• Consent Records: Documentation of consent where applicable, including withdrawal records
• Breach Records: Complete documentation of security incidents and response actions
• Training Records: Documentation of privacy and security training completion
• Audit Trails: System logs and access records for compliance verification

9.3 Audit Rights and Cooperation

For Paid Tier and enterprise customers, we provide audit support:

• Audit Summaries: Annual compliance reports and audit summaries available upon request
• Due Diligence: Response to reasonable security and privacy due diligence questionnaires
• Third-Party Audits: We undergo regular independent audits and can share relevant findings
• Customer Audits: Reasonable audit rights for enterprise customers with advance notice
• Compliance Assistance: Support for customer compliance initiatives and regulatory inquiries

9.4 Continuous Improvement

We continuously enhance our privacy and security practices through:

• Regular Assessments: Privacy Impact Assessments (PIAs) for new processing activities
• Technology Updates: Implementation of privacy-enhancing technologies
• Stakeholder Feedback: Regular review of customer and user feedback
• Legal Monitoring: Ongoing monitoring of regulatory developments and requirements

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this Policy. You are advised to review this Privacy Policy periodically for any changes.

Your continued use of our Services after such modifications will constitute your acknowledgment of the modified Policy and your agreement to abide and be bound by the modified Policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

Privacy Inquiries: privacy@morphllm.com
Zero Data Retention & Self-Hosting: sales@morphllm.com

Address:
AutoInfra, Inc.
123 AI Avenue
San Francisco, CA 94107
United States