Privacy Policy
Last Updated: June 14, 2025
Effective Date: May 5, 2025 | Version 2.1
1. Introduction and Scope
This Privacy Policy ("Policy") describes how Morph LLM, Inc. ("Morph," "we," "our," or "us") collects, uses, stores, and protects your information when you use our website, services, APIs, and related applications (collectively, the "Services"). This Policy applies to all users of our Services, including those who use our free tier, engineer tier, enterprise tier, and self-hosted deployments.
This Policy is a legally binding agreement between you and Morph. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Policy, you must not access or use our Services.
This Policy is incorporated into and subject to our Terms of Service. Any capitalized terms not defined in this Policy shall have the meaning set forth in our Terms of Service.
2. Information We Collect
We collect different types of information depending on how you interact with our Services and which tier of service you use. We collect this information in accordance with applicable laws and regulations, including but not limited to the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and the Brazilian General Data Protection Law ("LGPD").
2.1 Categories of Personal Information
We may collect the following categories of personal information:
- Identifiers: Name, email address, postal address, phone number, unique personal identifier, online identifier, IP address, account username, or other similar identifiers.
- Customer Records: Name, signature, address, telephone number, education, employment, employment history, financial information, or medical information.
- Commercial Information: Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Internet Activity: Browsing history, search history, information on your interaction with our website, application, or advertisement.
- Geolocation Data: Physical location or movements.
- Professional Information: Current or past job history or performance evaluations.
- Inferences: Inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
2.2 Sources of Information
We collect personal information from the following sources:
- Direct Collection: Information you provide directly to us when you register for an account, use our Services, contact our customer support, or otherwise interact with us.
- Automated Collection: Information collected automatically through your use of our Services, such as through cookies, web beacons, and similar technologies.
- Third-Party Sources: Information we receive from third-party sources, such as business partners, data providers, social media platforms, and advertising networks, where they have the right to share your information with us.
2.3 Service Data
We process code and related content that you submit to our Services. The collection, processing, and retention of this data varies depending on your service tier:
2.3.1 Free Tier Data Processing
When you use our Free Tier Services:
- We collect and store code submitted for processing, including original code, update snippets, intermediate operations, and final code.
- We maintain detailed logs of all operations performed on your code, including timestamps, error messages, and performance metrics.
- This data may be used for service improvement, debugging, model training, quality assurance, and product development.
- We may derive and extract patterns, techniques, algorithms, or other information from your code for incorporation into our machine learning models.
- We may process your code with various versions of our models for comparative analysis and performance optimization.
2.3.2 Engineer Tier Data Processing
When you use our Engineer Tier Services:
- We collect and store code submitted for processing, including original code, update snippets, and final code.
- We implement enhanced security measures for data handling, including access controls, encryption, and segregated storage.
- This data may be used for service improvement, debugging, and model training, subject to the confidentiality provisions in your service agreement.
- Derived data patterns are anonymized through technical measures designed to prevent reconstruction of the original code.
- We maintain audit logs of all access to your data by our personnel.
2.3.3 Enterprise Tier Data Processing
When you use our Enterprise Tier Services:
- We implement a true zero-retention policy for all code data submitted through our API or services.
- Code data is processed exclusively in volatile memory (RAM) and is never persisted to non-volatile storage (disk, SSD, etc.).
- We employ technical safeguards to prevent inadvertent persistence, including memory sanitization, secure memory allocation, and memory isolation techniques.
- All intermediate representations and computational artifacts are destroyed immediately upon completion of the requested operation.
- No code data is retained after the completion of the requested operation in any form, including logs, caches, or backup systems.
- We do not use your code data to train our models, improve our Services, or for any purpose other than processing your immediate request.
- Our systems are designed to prevent data exfiltration through side-channel attacks or other security vulnerabilities.
- We undergo regular third-party security audits to verify our zero-retention claims and practices.
2.3.4 Self-Hosted Deployment Data Processing
When you use our Self-Hosted deployment option:
- All data processing occurs within your infrastructure, under your control and supervision.
- No data is transmitted to Morph's servers unless explicitly configured by your administrators for specific support or telemetry purposes.
- Our software is designed to respect your data locality requirements and internal security policies.
- Data retention is governed entirely by your internal policies and configurations.
- We may collect anonymized usage statistics if enabled in your configuration, but these statistics do not include code content or personally identifiable information.
- Support diagnostics may be collected with your explicit approval when troubleshooting issues.
3. Data Retention Policies
3.1 General Principles
Our data retention policies are guided by the following principles:
- Purpose Limitation: We retain data only for as long as necessary to fulfill the purposes for which it was collected.
- Data Minimization: We limit the collection and retention of data to what is directly relevant and necessary for the specified purpose.
- Storage Limitation: We implement and enforce retention periods that ensure data is not kept longer than necessary.
- Tiered Access: Different categories of data may have different retention periods based on their sensitivity and the purpose of processing.
- Secure Deletion: When data is deleted, we use secure deletion methods to ensure it cannot be recovered.
3.2 Tier-Specific Retention Policies
3.2.1 Free Tier Data Retention
For users of our Free Tier:
- Code Data Retention Period: Code data submitted to our Services is retained for up to ninety (90) days from the date of submission.
- Retention Purpose: This retention period allows us to:
  - Provide you with access to your historical submissions
  - Debug and troubleshoot issues with our Services
  - Improve our machine learning models
  - Develop new features and capabilities
  - Analyze usage patterns and optimize performance
- Data Anonymization: After the 90-day retention period, identifiable code data is either:
  - Permanently deleted using secure deletion methods, or
  - Anonymized through technical processes that remove all identifying elements and prevent reconstruction of the original code
- Derived Data: Information derived from your code for model training purposes may be retained indefinitely but is transformed to prevent reconstruction of the original code.
- Usage Data: Anonymized and aggregated usage data may be retained indefinitely for analytical purposes.
- Account Information: Your account information is retained for as long as your account remains active and as needed to provide you with the Services, plus a reasonable period after account closure to address any legal or technical issues that may arise.
- Early Deletion: You may request early deletion of your data by contacting privacy@morphllm.com, but this may affect your ability to use certain features of our Services.
3.2.2 Engineer Tier Data Retention
For users of our Engineer Tier:
- Code Data Retention Period: Code data submitted to our Services is retained for up to thirty (30) days from the date of submission.
- Retention Purpose: This retention period allows us to:
  - Provide you with access to your recent submissions
  - Debug and troubleshoot issues with our Services
  - Maintain service quality and continuity
  - Provide enhanced support and problem resolution
- Enhanced Security Measures: During the retention period, your data is protected with:
  - End-to-end encryption for data at rest and in transit
  - Role-based access controls limiting internal access
  - Audit logging of all access to your data
  - Secure, isolated storage environments
  - Automated enforcement of retention periods
- Data Deletion: After the 30-day retention period, your code data is permanently deleted using secure deletion methods that comply with industry standards (e.g., NIST SP 800-88).
- Model Training: We may use submitted code data to improve our models and Services, subject to the confidentiality provisions in your service agreement. This use is subject to:
  - Robust anonymization techniques
  - Removal of sensitive information
  - Contractual restrictions on use and disclosure
  - Technical safeguards against reconstruction
- Usage Data: Anonymized and aggregated usage data may be retained indefinitely for analytical purposes, but is maintained separately from identifiable code data.
- Account Information: Your account information is retained for as long as your account remains active and as needed to provide you with the Services, plus a reasonable period after account closure to address any legal or technical issues that may arise.
- Custom Retention: You may request modified retention periods by contacting your account representative, subject to technical limitations and additional fees.
3.2.3 Enterprise Tier Data Retention
For users of our Enterprise Tier:
- Zero-Retention Policy: We implement a true zero-retention policy for all code data submitted through our API or services. This means:
  - No code data is stored on non-volatile media at any point
  - All processing occurs exclusively in volatile memory (RAM)
  - Memory is immediately sanitized after processing completes
  - No data persistence beyond the immediate processing context
  - No logs containing code content or derivatives
  - No caching of results beyond the immediate response
  - No backup or replication of code data
- Technical Implementation: Our zero-retention policy is enforced through:
  - Memory allocation techniques that prevent swapping to disk
  - Memory sanitization routines that overwrite memory after use
  - Process isolation to prevent data leakage
  - Ephemeral compute environments that leave no trace
  - Continuous monitoring for compliance
  - Regular security audits by third parties
- Metadata Handling: Basic usage metrics (such as API call volume, error rates, and performance metrics) may be collected without any association to the actual content processed. This metadata:
  - Contains no code contents or derivatives
  - Is used solely for billing and service quality purposes
  - Is retained only as long as necessary for these purposes
  - Is subject to the same security controls as other enterprise data
- No Model Training: We do not use your code data to train our models or improve our Services. Your data is used solely for the purpose of processing your immediate request.
- Account Information: Your account information is retained for as long as your account remains active and as needed to provide you with the Services, plus a reasonable period after account closure to address any legal or technical issues that may arise. This information is stored separately from code processing systems.
- Compliance Documentation: We maintain documentation certifying our compliance with this zero-retention policy, including:
  - Third-party audit reports
  - Technical design documentation
  - Security control descriptions
  - Attestations of compliance
- Data Subject Requests: Because no code data is retained, data subject access requests related to submitted code cannot be fulfilled, as there is no data to provide.
3.2.4 Self-Hosted Deployments
For customers using our self-hosted deployment options:
- Customer-Controlled Retention: All data retention is governed by your internal policies and configurations. Morph does not control or dictate retention periods for self-hosted deployments.
- Data Locality: All data remains within your infrastructure and control unless explicitly configured otherwise.
- Configuration Options: Our software provides configurable options for:
  - Setting custom retention periods
  - Enabling or disabling logging
  - Managing caching behavior
  - Implementing secure deletion procedures
  - Enforcing data minimization practices
- Telemetry: We may collect anonymized usage statistics if enabled in your configuration. This telemetry:
  - Never includes code content
  - Contains no personally identifiable information
  - Is limited to operational metrics (e.g., request counts, error rates)
  - Can be disabled entirely in your configuration
  - Is transmitted securely when enabled
- Support Access: We do not have access to your code or data unless explicitly granted for support purposes. When granted, such access:
  - Is time-limited
  - Is logged and auditable
  - Is restricted to the specific issue being addressed
  - Terminates automatically after the support session
  - Does not result in data transfer outside your environment
- Deployment Guidance: We provide best practice guidance for configuring retention periods in accordance with relevant regulations and industry standards, but the ultimate responsibility for compliance rests with you.
4. How We Use Your Information
We use the information we collect for various purposes, including:
- Providing, maintaining, and improving our Services
- Processing and completing transactions
- Sending administrative information, such as updates, security alerts, and support messages
- Responding to your comments, questions, and requests
- Developing new products and services
- Monitoring and analyzing trends, usage, and activities in connection with our Services
- Detecting, preventing, and addressing technical issues, security breaches, and fraudulent activities
- Complying with legal obligations
4.1 Use of Service Data
Depending on your subscription tier:
- Free Tier: We may use your submitted code data to train our models, improve our Services, and develop new features.
- Engineer Tier: We may use your submitted code data to train our models, improve our Services, and develop new features, subject to the confidentiality provisions in your service agreement.
- Enterprise Tier: We do not use your submitted code data for any purpose other than processing your immediate request. Your code data is never used for model training or service improvement.
5. Information Sharing and Disclosure
We may share your information in the following circumstances:
5.1 With Service Providers
We may share your information with third-party vendors, consultants, and other service providers who need access to such information to carry out work on our behalf. These third parties have access to your information only to perform specific tasks on our behalf and are obligated not to disclose or use your information for any other purpose.
5.2 For Business Transfers
If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of such a transaction as permitted by law and/or contract.
5.3 For Legal Reasons
We may disclose your information if we believe in good faith that such disclosure is necessary to:
- Comply with relevant laws, regulations, legal processes, or governmental requests
- Enforce our agreements, policies, and terms of service
- Protect the security or integrity of our Services
- Protect Morph, our customers, or the public from harm or illegal activities
5.4 With Your Consent
We may share your information with third parties when you have given us your consent to do so.
6. Data Security
We implement reasonable and appropriate security measures to protect your information from unauthorized access, disclosure, alteration, and destruction. These measures include encryption, firewalls, access controls, and regular security assessments.
However, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, while we strive to protect your information, we cannot guarantee its absolute security.
6.1 Tier-Specific Security Measures
- Free Tier: Standard encryption and security protocols.
- Engineer Tier: Enhanced encryption, access controls, and security monitoring.
- Enterprise Tier: Highest level of security with zero-retention processing, end-to-end encryption, and optional private deployment environments.
7. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information, including:
- Access: You may request access to the personal information we hold about you.
- Correction: You may request that we correct inaccurate or incomplete personal information.
- Deletion: You may request that we delete your personal information in certain circumstances.
- Restriction: You may request that we restrict the processing of your personal information.
- Data Portability: You may request a copy of your personal information in a structured, commonly used, and machine-readable format.
- Objection: You may object to our processing of your personal information in certain circumstances.
To exercise any of these rights, please contact us at privacy@morphllm.com.
8. Data Transfers
We may transfer, store, and process your information in countries other than your own. Our servers are primarily located in the United States. If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers are located.
For transfers from the EEA, UK, or Switzerland to countries not deemed adequate by the European Commission, we rely on appropriate safeguards, such as standard contractual clauses, to ensure the protection of your personal information.
9. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this Policy. You are advised to review this Privacy Policy periodically for any changes.
Your continued use of our Services after such modifications will constitute your acknowledgment of the modified Policy and your agreement to abide and be bound by the modified Policy.
10. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
Email: privacy@morphllm.com
Address:
Morph LLM, Inc.
123 AI Avenue
San Francisco, CA 94107
United States
For more information about our terms of service, please visit our Terms of Service page.