LEGAL · PRIVACY

How we handle your data.

A clear, structured account of what we collect, why we collect it, where it lives, and what you can do about it. No dark patterns. No "legitimate interest" stretches.

Effective May 1, 2026
Version 2.4
Data controller Morphra Inc.

No training

We never use your prompts, uploads, or outputs to train models — ours or anyone else's.

Short retention

Uploaded images deleted within 30 days. Outputs kept in your history until you remove them.

Minimal collection

We ask for the least we need to make the product work. No ad SDKs. No data brokers.

Real controls

Export everything, delete everything, or opt out of analytics — from your account, in one click.

01 · Collection

What we collect

We collect only what we need to run the Service.

CategoryExamplesWhy
AccountEmail, hashed password, display nameSign-in, billing receipts
ContentPrompts, uploaded images, generated outputsTo run the generation; saved to your history
BillingLast 4 digits of card, billing address, invoice historyPayment processing (full card data handled by Stripe)
TechnicalIP address, browser, device type, request timestampsSecurity, rate limiting, abuse prevention
UsagePages viewed, features used, errors encounteredProduct improvement (opt-out available)

We do not collect: precise location, contact lists, browsing history outside our domain, or anything from device sensors.

02 · Use

How we use it

  • To run the Service: processing your prompts, returning generated images, saving your history.
  • To bill you: charging for credits and subscriptions through Stripe.
  • To keep things safe: detecting and blocking abuse, CSAM, and security threats.
  • To support you: answering tickets, troubleshooting issues you report.
  • To improve the product: aggregated, de-identified usage metrics. You can opt out.
  • To meet legal obligations: tax records, responses to lawful requests, CSAM reporting.
03 · AI training

AI model training

We do not use your content to train AI models. Not ours. Not third parties'.

Your prompts and uploaded images are sent to our AI inference providers (currently Replicate and fal.ai) solely to produce your output. These providers operate under data processing agreements that prohibit training on customer inputs.

If we ever introduce an opt-in program where users could volunteer content for model training (e.g., in exchange for credits), it will be opt-in only and clearly disclosed. There is no such program today.

04 · Sharing

Who we share with

We share data only with service providers acting on our behalf, and only what they need:

ProviderPurposeData
StripePaymentsBilling details
Replicate / fal.aiAI inferencePrompt, uploaded image
Cloudflare R2Image storageUploaded & generated images
PostmarkTransactional emailEmail address, message content
PlausiblePrivacy-friendly analyticsAggregated, no cookies

We do not sell personal data. We do not share data with advertisers or data brokers. We respond to lawful government requests but require a valid subpoena, warrant, or equivalent process.

05 · Cookies

Cookies & analytics

We use a small number of first-party cookies for session management (keeping you logged in) and CSRF protection. We do not use advertising or cross-site tracking cookies.

Our analytics provider (Plausible) is cookie-free and processes only aggregated page-view data. You can opt out from Settings → Privacy.

06 · Security

Storage & security

Data in transit is encrypted via TLS 1.3. Data at rest is encrypted with AES-256. Passwords are stored using Argon2id with per-user salts. We follow the principle of least privilege internally; production database access is logged and reviewed.

No system is perfectly secure. If we discover a breach affecting your data, we will notify you within 72 hours of discovery, as required by GDPR Article 33.

07 · Retention

Retention

  • Uploaded source images: deleted automatically 30 days after upload.
  • Generated images: stored in your history until you delete them or close your account.
  • Account data: kept while your account is active. Deleted within 30 days of account closure.
  • Billing records: retained for 7 years (tax obligation).
  • Security logs: 90 days, then purged.
08 · Your rights

Your rights

Depending on where you live, you have the right to:

  • Access the personal data we hold about you.
  • Correct data that is inaccurate or incomplete.
  • Delete your account and personal data ("right to be forgotten").
  • Export a copy of your data in a portable format (JSON + image archive).
  • Object to certain processing, including analytics.
  • Lodge a complaint with your local data protection authority.

All of these are exercisable from Settings → Privacy, or by writing to privacy@morphra.com. We respond within 30 days.

California residents have additional rights under the CCPA, including the right to know what categories of personal information we collect and to opt out of "sale" (we do not sell).

09 · Transfers

International transfers

Morphra is operated from the United States. If you access the Service from the EU, UK, or other jurisdictions, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for these transfers.

10 · Children

Children's privacy

The Service is not directed at children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided us personal data, contact privacy@morphra.com and we will delete it.

11 · Changes

Changes

We'll post material changes here and email you at least 30 days before they take effect. Past versions of this policy are available on request.

12 · Contact

Contact

Privacy questions: privacy@morphra.com
Data Protection Officer: dpo@morphra.com
Or use our contact form.

Your data, your call.

Export it, delete it, or just take a look — anytime, from your account.

Manage privacy