Global Policy and Product Supplemental Notices
Effective Date: 2026-06-22
PART I: GLOBAL PRIVACY POLICY
1. Introduction
Technologies MorphCast Inc. (“MorphCast“, “we“, “us“, “our“)
is a corporation headquartered at 203-1553 rue du Centre, Montréal, Québec, H3K1H5, Canada.
We develop Emotion AI software, developer tools, and interactive-media platforms delivered through our websites, mobile/desktop apps, APIs, and other online services (collectively, the “Services”).
This Policy explains how we collect, use, disclose, and protect personal information when you interact with our Services and outlines the choices and rights available to you under the California Consumer Privacy Act (CCPA/CPRA), other applicable U.S. state or federal privacy laws, the General Data Protection Regulation (GDPR) where applicable, and the privacy regulations of any non-U.S. jurisdictions in which we actively make the Services available.
This Policy is provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in accordance with Article 12 of the GDPR and the PIPEDA Openness Principle. It is publicly available at https://www.morphcast.com/morphcast-inc-privacy-policy/ at all times.
2. Supplemental Policies
Each product or feature listed below has its own supplemental privacy notice (and, where required, data-processing addendum — DPA). Those documents are set forth in Part II of this Policy and prevail over Part I in case of conflict for the specific product or feature:
• MorphCast Portal (User Dashboard) — Section 12
• Website, Contact Form, and Feedback/Abuse Report Form — Section 13
• Emotion AI HTML5 SDK (JS Engine) — Section 14
• MorphCast for Zoom and Emotion AI Video Conference — Section 15
• Ready-to-Use Web Apps (Keeping Data Locally) and MyMoodScan — Section 16
• AI Interactive Media Platform (Studio) and Emotion AI Media Player — Section 17
3. Scope and Applicability
This Policy applies to all personal information processed by MorphCast in connection with the Services unless a Supplemental Policy in Part II states otherwise. Where a Supplemental Policy covers a specific product or feature, it supersedes this Part I for that product or feature.
Excluded from this Policy: This Policy does not apply to personal information of MorphCast employees, contractors, or job applicants, which is governed by separate internal policies. This Policy also does not apply to data collected in connection with MorphCast-sponsored research studies, which are governed by separate research consent forms and protocols.
The Company may restrict the availability of the Services in specific jurisdictions from time to time as set forth at https://www.morphcast.com/legal-territorial-exclusion/. It is the responsibility of Business customers to identify and comply with all applicable local privacy obligations in the jurisdictions where they deploy the Services.
Protected Regions for Emotion AI analytics: For purposes of Emotion AI analytics, “Protected Regions” means the European Economic Area (EEA, including EU Member States plus Iceland, Liechtenstein and Norway) and additional jurisdictions where MorphCast configures local-only Emotion AI processing and disables inbound Emotion AI analytics, currently including the United Kingdom, Switzerland and China.
4. Roles: Controller/Processor Status
Business / Controller: MorphCast acts as a Business (CCPA/CPRA) or Controller (GDPR) for personal information related to our website, CRM, user accounts, billing, and direct customer communications.
Service Provider / Processor: For products, SDKs, and integrations where our customers decide the means and purposes of processing, MorphCast acts as a Service Provider (CCPA/CPRA) or Processor (GDPR) and processes data solely under the customer’s instructions and DPA.
On-Device Processing and Protected Regions (No Role for Emotion AI Outputs): For products where Emotion AI processing occurs on the End User’s device and no Emotion AI outputs or personal information derived from that processing are transmitted to MorphCast, MorphCast does not act as a Business/Controller or Service Provider/Processor for that End User data. In Protected Regions, MorphCast does not receive Emotion AI outputs in any form, including individual, pseudonymized, de-identified, anonymized, aggregated or statistical form. Outside Protected Regions, except where a Supplemental Policy expressly describes host/deployer-enabled guest-level metrics (e.g., Zoom/Video Conference), MorphCast may receive anonymous-by-design aggregate statistical counters only; these counters are generated without identifiers and stored only as aggregate time-window counters.
No Joint Controllership: MorphCast does not act as a joint controller (within the meaning of GDPR Article 26) with any deployer or customer. Where MorphCast processes personal data on behalf of a customer, MorphCast acts solely as a Processor/Service Provider under the customer’s instructions and DPA. If any deployment scenario were to give rise to joint controller obligations, MorphCast will enter into an appropriate joint controller arrangement with the relevant customer.
A Data Processing Addendum (DPA) is incorporated into our Business Terms of Service and available at https://www.morphcast.com/dpa/. Business customers may request a countersigned copy if needed.
Deployer Notice and Lawful Basis Obligations: Deployers are responsible for providing appropriate notice to End Users and obtaining consent or another lawful basis where required by applicable law before activating Emotion AI processing through the Services. MorphCast’s architecture enables notice and consent by design — the camera and AI engine do not activate without the End User’s affirmative action — but deployers must ensure their implementation respects this principle and satisfies any applicable legal requirements, including GDPR Articles 6 and 7 and, where special-category processing is conducted by the deployer, Article 9(2).
Data Protection Impact Assessments: Deployers subject to GDPR should assess whether their specific use of the Services triggers a Data Protection Impact Assessment under Article 35 GDPR, particularly where emotion recognition is used on a large scale or in sensitive contexts. MorphCast will provide reasonable cooperation in connection with any DPIA conducted by a deployer.
EU Representative and Data Protection Officer: MorphCast is currently assessing whether its processing activities require the appointment of an EU Representative under Article 27 GDPR and/or a Data Protection Officer under Article 37 GDPR. Pending the outcome of this assessment, privacy inquiries from EU/EEA data subjects may be directed to privacy@morphcast.com. This section will be updated upon completion of the assessment.
5. Categories of Personal Information We Collect
| Category | Examples | Source | Role | Retention |
| Identity & Contact | Name, email, role, company | Registration, contact, feedback forms | Business | Account life + 6 months |
| Usage / Device Data | IP, browser type, pages viewed, API calls, event logs | Cookies, SDKs, server logs | Business | Raw: 30 days; aggregated: 12 months |
| Content Data | Images, video, audio, text processed by Emotion AI | Supplied by you or your end users | Varies | On-device by default; if uploaded: per settings or deletion |
| Support Data | Messages, attachments, screenshots | Support tickets | Business | 24 months |
| Blocked Service Logs | Timestamp, IP, country | AWS CloudFront | Business | 30 days |
Retention note: The periods above are default maximums. Product-specific Supplemental Policies may set different retention (e.g., Studio/Media Player viewer analytics retained up to 36 months). Where a Supplemental Policy specifies a different period, it controls for that product.
We do not intentionally collect sensitive personal information (as defined by CPRA). If you or your end users include such data within Content Data, it is processed on-device and, when we act as Service Provider/Processor, strictly under your instructions.
Classification of Emotion Data: Emotion-related outputs generated by the Services on-device (such as valence, arousal, and facial expression labels) may be classified as “sensitive personal information,” “special category data,” or “biometric data” under certain laws and jurisdictions depending on the deployer’s implementation and local law. In Protected Regions, these outputs are processed locally and are not transmitted to MorphCast servers in any form. Outside Protected Regions, except where a Supplemental Policy expressly describes host/deployer-enabled guest-level metrics (e.g., Zoom/Video Conference), MorphCast may receive only anonymous-by-design aggregate statistical counters that do not include images, biometric templates, identifiers, individual emotion records, or logs associable with an individual event or person. Deployers remain responsible for assessing the classification of emotion data under their applicable laws and implementing appropriate safeguards, including, where GDPR applies, identifying a lawful basis under Article 9(2) for any special-category processing they conduct.
Important: Our products are designed for edge/on-device processing. MorphCast does not receive or store face images, audio streams, or biometric identifiers from product use, unless you deliberately upload content to your account or enable a cloud feature described in a Supplemental Policy.
Emotion AI analytics follow a regional privacy-by-design model: in Protected Regions, no Emotion AI outputs or related aggregate metrics are transmitted to MorphCast; outside Protected Regions, except where a Supplemental Policy expressly describes host/deployer-enabled guest-level metrics (e.g., Zoom/Video Conference), only anonymous-by-design aggregate statistical counters are transmitted and stored.
No Training on User Data: MorphCast does not use End User data, camera frames, or emotion metrics derived from the Services to train or improve its AI models. MorphCast’s AI models are developed using separate, ethically sourced training datasets that are subject to independent ethics review. No data from deployed customer instances feeds back into model training. If MorphCast ever changes this practice, it will update this Policy and obtain any required consent before using customer or End User data for model improvement purposes.
6. Purposes for Processing
| Purpose | CPRA Business Purpose | GDPR Lawful Basis (Art. 6) | Examples |
| Provide, operate & maintain the Services | Perform services | Contract performance (Art. 6(1)(b)) | User authentication, billing, delivering apps & APIs |
| Improve & develop new features | Debug, R&D | Legitimate interest (Art. 6(1)(f)) | Usage analytics with anonymous-by-design aggregate data, quality monitoring |
| Customer support & communications | Provide support | Contract performance / Legitimate interest | Tickets, bug reports, abuse complaints |
| Security & fraud prevention | Detect security incidents | Legitimate interest (Art. 6(1)(f)) | Log analysis, rate limiting, anti-spam |
| Legal compliance | Comply with law | Legal obligation (Art. 6(1)(c)) | Tax, accounting, export controls, AI/privacy regulations |
| Marketing (opt-in only) | Advertising (with consent) | Consent (Art. 6(1)(a)) | Newsletters, product updates (website/CRM data only; not product content) |
Legitimate interest balancing: Where we rely on legitimate interest as a lawful basis, we have conducted a balancing assessment and concluded that our interests in operating, securing, and improving the Services do not override the rights and freedoms of data subjects, particularly given the privacy-preserving, on-device architecture of our core products and the limited scope of personal information we process. You may request a copy of our balancing assessment by contacting privacy@morphcast.com.
MorphCast does not “sell” or “share” personal information as those terms are defined by the CCPA/CPRA.
7. Cookies and Similar Technologies
We use strictly necessary cookies and local storage items where needed to ensure the proper functioning and security of our core Services. No advertising cookies are used by our core products. Website-level cookies, consent management, and any analytics cookies are governed by the Website Supplemental Policy (Section 13). Third-party cookies may appear only when you explicitly activate optional features (e.g., translation, SSO). Our security providers may place temporary cookies for bot management.
8. Security Measures and Data Protection by Design
Data Protection by Design and by Default (GDPR Article 25): MorphCast implements data protection by design and by default. The core Emotion AI engine processes camera frames on the End User’s device, ensuring that facial images, video streams, and biometric templates are not transmitted to MorphCast servers. In Protected Regions, Emotion AI outputs and related aggregate metrics are not transmitted to MorphCast at all. Outside Protected Regions, except where a Supplemental Policy expressly describes host/deployer-enabled guest-level metrics (e.g., Zoom/Video Conference), MorphCast may receive only anonymous-by-design aggregate statistical counters, stored by time window and without IP addresses, single-observation timestamps, session IDs, device IDs, customer user IDs, browser fingerprints, biometric templates, images, video frames, or request logs that allow association with an individual event or person.
MorphCast maintains industry-standard technical and organizational measures to protect personal information, including: TLS encryption in transit; AES-256 encryption at rest for stored account/CRM data and backups; segmented production network with least-privilege access controls; regular penetration testing and vulnerability scanning; and incident-response procedures with breach notification protocols. Product Content Data is processed on-device by default and is not stored by MorphCast unless explicitly uploaded.
Data Accuracy (GDPR Article 5(1)(d)): MorphCast takes reasonable steps to ensure that personal information it holds is accurate, complete, and kept up-to-date, having regard to the purposes for which it is processed. Where you believe personal information we hold about you is inaccurate or incomplete, you may exercise your right to rectification as described in Section 9.
9. Your Privacy Rights
California Residents (CPRA): You may exercise rights to access/know, delete, correct, and limit the use/disclosure of sensitive personal information (the limit right is not applicable because we do not use or disclose sensitive PI for purposes that trigger it). No opt-out is needed because MorphCast does not sell or share personal information.
Residents of Other U.S. States: Depending on your state’s law (e.g., Virginia, Colorado, Connecticut, Utah, and others), you may have rights similar to California’s, including access/know, delete, correct, portability, and, where applicable, opt out of targeted advertising, sale, or certain profiling.
EU/EEA Residents (GDPR): Where GDPR applies, you may exercise rights to access, rectification, erasure, restriction of processing, data portability, and objection. You also have the right to lodge a complaint with your local supervisory authority. Where processing is based on consent, you have the right to withdraw your consent at any time; withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. To withdraw consent, contact privacy@morphcast.com or use the unsubscribe mechanism provided in the relevant communication. Where MorphCast acts as a Processor, data-subject requests should be directed to the Controller (your deployer/employer) in the first instance, and MorphCast will provide reasonable cooperation.
Canada (PIPEDA): Canadian residents may request access to and correction of personal information, subject to applicable exceptions. You may contact the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner regarding unresolved concerns.
How to Exercise Your Rights: Submit a request to privacy@morphcast.com or by mail to Technologies MorphCast Inc., 203-1553 rue du Centre, Montréal, Québec, Canada. We will verify your identity and respond within 45 days (CPRA) or 30 days (GDPR), or any shorter period required by applicable law. You may designate an authorized agent to submit a request on your behalf; we may require the agent to provide proof of written authorization and may still verify your identity directly.
Non-Discrimination: MorphCast will not discriminate against you for exercising any of your privacy rights under the CCPA/CPRA or any other applicable law, including by denying you Services, charging you different prices, or providing a different level or quality of Services.
Financial Incentives: We do not offer financial incentives or price or service differences in exchange for the retention, sale, or sharing of personal information.
California Shine the Light (Civil Code §1798.83): MorphCast does not disclose personal information to third parties for their own direct marketing purposes.
Do Not Track Signals: Our Services do not use advertising cookies or third-party analytics trackers. Accordingly, our Services do not currently respond to Do Not Track (DNT) browser signals, as there is no tracking activity to disable. We do not track users across third-party websites.
10. Children’s Privacy
Our Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. By default, our emotion AI runs on-device and face images/video and biometric identifiers are not transmitted to MorphCast servers. We do not sell or share minors’ personal information for cross-context behavioral advertising. Where local law sets a specific age of consent for online services (typically 13–16), we apply the applicable threshold. If an organization enables account-based or cloud features for users who are minors, that organization is responsible for obtaining verifiable parental consent. If we learn we have collected personal information from a child without required consent, we will delete or de-identify it.
11. Data Retention, International Transfers, and Changes
We keep personal information only as long as necessary for the purposes described above or as required by law. Default retention periods are listed in the Categories table (Section 5); Supplemental Policies may set different periods.
MorphCast’s infrastructure is primarily hosted in the United States (AWS us-west-2). Where personal information is transferred internationally, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) where GDPR applies, and contractual protections under our DPA.
We may update this Policy from time to time. Material changes will be announced via a prominent notice on our website or by email. The effective date at the top of this document indicates when revisions became effective.
PART II: PRODUCT SUPPLEMENTAL PRIVACY POLICIES
Each Supplemental Policy below supplements and forms part of the Global Privacy Policy (Part I). The definitions and CPRA business purposes set out in Part I also apply to each Supplemental Policy unless otherwise stated. In the event of conflict, the Supplemental Policy prevails for that product.
12. MorphCast Portal (User Dashboard)
12.1 Product Overview
The MorphCast Portal is a lightweight dashboard where customers can generate license keys, view usage quotas, download invoices, and manage account settings. Access is granted via email verification code (single-use 6-digit code, valid 10 minutes) or third-party sign-in (OAuth 2.0/OpenID Connect via Google, Apple, Microsoft, or Yahoo). No password is stored by MorphCast.
12.2 Categories of Personal Information
| Category | Examples | Source | Role | Retention |
| Billing Email (hash) | SHA-256 hash of customer email | License purchase | Business | License expiry + 6 months |
| Verification Code | 6-digit numeric code | Portal auth | Business | Cache: 10 min, then purged |
| OAuth ID Token | Signed JWT from provider | OAuth provider | Business | Browser session; expires 2h |
| License Metadata | License key, creation date, plan tier | Portal DB | Business | Life of license |
| Activity Logs | IP, timestamp, endpoint accessed | Server logs | Business | 30 days; aggregated 12 months |
No passwords, names, addresses, or payment card numbers are stored in the Portal. Payments are processed externally by Stripe.
12.3 Purposes
Deliver secure code- or OAuth-based access to license management; maintain license metadata and usage quotas; detect unauthorized access or key abuse; generate and email invoices via Stripe.
12.4 CPRA Role
MorphCast acts as a Business for Portal data. OAuth authentication is handled by the chosen provider under its own privacy terms. Payment information is handled by Stripe; MorphCast receives only transaction IDs and invoice PDFs.
12.5 Cookies
The Portal sets no tracking cookies. Strictly necessary cookies include: portalPerm (session/permission), portal session token (JWT, session/short-term), Google reCAPTCHA cookies (security), and SSO provider cookies (only if you choose SSO). These are necessary to provide secure authentication and are not used for advertising.
12.6 Service Providers
Amazon Web Services (hosting, us-west-2); Amazon CloudFront (CDN); Stripe, Inc. (payment processing). Full list maintained in the DPA.
12.7 Security
Verification codes stored in encrypted Redis cache; auto-expire after 10 minutes. OAuth ID tokens validated server-side and stored only in browser session storage. All data in transit via TLS 1.2+; license DB encrypted at rest (AES-256). Role-based access for support staff; audit trail of admin actions.
12.8 Retention and Deletion
License metadata: life of license. Billing-email hash: removed 6 months after license expiry. Verification codes: purged after 10 minutes. OAuth tokens: expire within 2 hours. Activity logs: deleted after 30 days; aggregated stats kept 12 months. Customers may request full deletion from the dashboard or by contacting privacy@morphcast.com.
13. Website, Contact Form, and Feedback/Abuse Report Form
13.1 Website Privacy and Cookies
This section covers information collected when you visit pages under the www.morphcast.com domain, including embedded demos and the Voiceflow chat widget.
What we collect: HTTP request data (IP, user-agent, URL, timestamp — 30 days logs, aggregated 12 months); chat messages via the Voiceflow widget (anonymous, deleted after 24 hours); and strictly necessary or feature-requested cookies/storage.
Minimal-tracking philosophy: We do not use third-party analytics (e.g., Google Analytics), ad trackers, or social media pixels. By default, we set no tracking cookies. Third-party cookies are placed only when you explicitly use Translation or Portal sign-in.
Always-present cookies: legalAckCookie (first-party, 24h, stores legal disclaimer acknowledgment); cf_bm (Cloudflare bot manager, 30 min).
Optional-feature cookies (no tracking): vf_deviceId (localStorage, Voiceflow, ~6 months, random UUID for chat resumption); vf_session (sessionStorage, chat context); googtrans (session, translation preference).
Third-party cookies (Translation/Portal sign-in only): Google reCAPTCHA/Translate cookies, SSO provider cookies (Google, Apple, Yahoo, Microsoft) — set only when you use those features. Controlled by the respective providers.
Service providers: AWS (hosting), CloudFront (CDN/edge security), Cloudflare (WAF/bot management), Voiceflow Inc. (chat widget sub-processor).
13.2 Contact Form
The Contact Form collects information you explicitly enter: name, email address, message content, and optional project details (country, organization type, project type, product interest). No login or account is required. MorphCast does not request sensitive personal information; please avoid including such data in your message.
Retention: individual inquiries retained 24 months; server logs 30 days (aggregated 12 months). reCAPTCHA metadata retained 6 months. Service providers: AWS (hosting/email relay), CloudFront (CDN/WAF), Google LLC (reCAPTCHA).
13.3 Feedback and Abuse Report Form
The Feedback and Abuse Report Form enables users to report bugs, security issues, copyright violations, or harassment. The form accepts a free-text description and optional file attachments (e.g., screenshots, log snippets). No login or account is required.
Please ensure attachments do not contain sensitive personal information unless strictly necessary to demonstrate the issue. Retention and service providers follow the same schedule as the Contact Form.
14. Emotion AI HTML5 SDK (JS Engine)
14.1 Product Overview
The Emotion AI HTML5 SDK allows developers to embed MorphCast’s on-device facial-expression engine into their web applications. The SDK processes camera frames locally in the end-user’s browser and returns emotion metrics to the developer’s code via JavaScript callbacks. No photos, full video, biometric templates, face templates, or per-user emotion metrics are sent to MorphCast servers. In Protected Regions, no Emotion AI outputs or related aggregate metrics are transmitted to MorphCast in any form. Outside Protected Regions, where analytics are enabled, MorphCast may receive anonymous-by-design aggregate statistical counters only.
14.2 Categories of Personal Information
| Category | Examples | Source | Role | Retention |
| Camera Frames (ephemeral) | Pixel data from end-user camera | Browser getUserMedia | Not transmitted | In-memory < 100 ms |
| Emotion Metrics (local) | Valence, arousal, emotion labels | Derived on device | Not transmitted | Per developer’s implementation |
| License Key Telemetry | License validation, session count, errors | SDK ping | N/A for anonymous aggregate telemetry | Aggregated: 12 months |
| Optional: Data Storage Module | Anonymous-by-design aggregate emotion counters, subject to regional restrictions | Opt-in by developer and regional configuration | Service Provider | Per developer settings and regional restrictions |
No photos, full video, biometric templates, face templates, or per-user emotion metrics are sent to MorphCast servers. In Protected Regions, MorphCast does not receive Emotion AI outputs or aggregate emotion metrics in any form. Outside Protected Regions, if analytics or a Data Storage module is enabled, MorphCast may receive anonymous-by-design aggregate statistical counters only, generated without identifiers and stored only as aggregate time-window counters.
14.3 CPRA / GDPR Role
For end-user data processed entirely on the user’s device, MorphCast does not act as a Business/Controller or Service Provider/Processor because MorphCast does not receive or determine the purposes and means of processing that personal information. Where MorphCast does process personal information (e.g., customer account, licensing, billing, support), we act as a Business or Service Provider solely for those data. In Protected Regions, MorphCast does not receive Emotion AI outputs or related aggregate metrics. Outside Protected Regions, anonymous-by-design aggregate statistical counters are generated without identifiers and are not “personal information” under CPRA/CCPA or “personal data” under GDPR.
Where the Registered User deploys the SDK in a context subject to GDPR, the Registered User is the Controller for any End User personal data processed through the SDK. MorphCast will provide reasonable cooperation under the DPA.
14.4 Service Providers
AWS (hosting of telemetry endpoint); CloudFront (CDN/edge security); Stripe (payment processing, if paid tier). Third-party providers do not receive End User Emotion AI outputs, camera frames, biometric templates, face templates, or per-user emotion records through the SDK; infrastructure providers may process limited technical network data to deliver and secure the Services.
14.5 Security and Retention
All frame processing stays local; no outbound video. TLS 1.2+ for telemetry pings. In Protected Regions, inbound Emotion AI analytics are disabled through client configuration and server-side enforcement controls designed to reject unauthorized submissions. License telemetry and non-Emotion-AI service telemetry are aggregated and retained 12 months unless a Supplemental Policy states otherwise. Users can delete all local data by clearing browser storage.
15. MorphCast for Zoom and Emotion AI Video Conference
15.1 MorphCast for Zoom
MorphCast for Zoom is an add-on available in the Zoom App Marketplace that overlays real-time emotional analytics during Zoom video meetings.
| Category | Examples | Source | Role | Retention |
| Zoom Meeting Metadata | Meeting ID, host email, timestamps | Zoom API | Service Provider | 30 days; aggregated 12 months |
| Video Frames (ephemeral) | Pixel data from participants | Camera (local) | Not transmitted | In-memory < 100 ms |
| Emotional Metrics | Valence, arousal, emotion scores | Derived on device | Protected Regions: not transmitted to MorphCast; outside Protected Regions: guest-level aggregate metrics may be associated only with the display name provided by the guest when joining the video conference where enabled by the host/deployer | Protected Regions: none; outside Protected Regions: retained only as guest-level aggregate meeting analytics per host/deployer settings |
| ABD Usage Statistics | Session counts, feature toggles, error rates | Product telemetry | N/A for anonymous-by-design telemetry | 12 months |
No facial images, audio, chat content, biometric templates, face templates, or raw per-frame Emotion AI outputs are sent to MorphCast. In Protected Regions, no Emotion AI outputs or related aggregate metrics are transmitted to MorphCast in any form. Outside Protected Regions, where enabled by the host or deployer, MorphCast may receive and process guest-level aggregate Emotion AI metrics associated only with the display name provided by the guest when joining the video conference, solely to provide real-time host visibility and meeting analytics under the host’s or deployer’s instructions.
Important: Outside Protected Regions, guest-level aggregate Emotion AI metrics associated only with the display name provided by the guest when joining the video conference may qualify as personal information, Sensitive Personal Information, special category data, or biometric data under applicable law, depending on the host’s or deployer’s implementation and local law. In that scenario, MorphCast acts as a Service Provider/Processor and processes such data solely under the host’s or deployer’s instructions. The host or deployer is responsible for providing appropriate notices, obtaining any required consent or other lawful basis, and implementing appropriate safeguards.
For the regulation of the Zoom service embedded in MorphCast for Zoom, please refer to the Zoom Privacy Statement. MorphCast for Zoom participants who are Guests will not have cookies or data in localStorage by MorphCast for Zoom.
15.2 Emotion AI Video Conference
MorphCast Emotion AI Video Conference is a browser-based video conferencing application powered by AWS Chime with integrated emotion analytics. It is available as a hosted service at meet.morphcast.com.
The data categories and processing purposes mirror those of MorphCast for Zoom (Section 15.1), with the following differences: the video conferencing infrastructure is provided by AWS Chime (not Zoom); for the management of conference data by AWS Chime (e.g., video recording functionality), refer to the AWS Compliance GDPR Center. Customers or hosts using the service remain responsible for providing appropriate notices to participants and for satisfying any applicable legal requirements for their specific use case.
Service providers: AWS (hosting, Chime infrastructure, us-west-2); CloudFront (CDN); Stripe (payment processing, if paid tier).
15.3 Cookies (Zoom and Video Conference)
MorphCast for Zoom: cookies are used for the Host only, including authentication and session management via Zoom and MorphCast for Zoom. Guests do not have cookies or data in localStorage by MorphCast for Zoom. Zoom’s own cookies are governed by Zoom’s Cookie Policy.
Video Conference: strictly necessary cookies for session management. No advertising or tracking cookies.
16. Ready-to-Use Web Apps (Keeping Data Locally) and MyMoodScan
16.1 Product Overview
These single-page web apps run entirely in the browser and perform on-device facial-expression analysis using the Emotion AI HTML5 SDK. No Emotion AI data leaves the user’s device. Only minimal non-Emotion-AI usage telemetry, such as session count or fatal error counters, may be transmitted where enabled. The apps are free, ad-free, and do not require an account or license key. MyMoodScan is a free, ad-free web app that performs real-time or photo-based facial-expression analysis entirely on the user’s device.
16.2 Categories of Personal Information
| Category | Examples | Source | Role | Retention |
| Camera/Photo Frames | Pixel data from user’s camera | Browser getUserMedia | Not transmitted | In-memory < 100 ms |
| Emotion Metrics (local) | Valence, arousal, emotion labels | Derived on device | Not transmitted | Until user clears browser storage |
| Anonymous Usage Telemetry | Session count, fatal errors | Minimal ping | N/A for anonymous-by-design telemetry | Aggregated: 12 months |
No photos, videos, camera streams, per-user emotional metrics, biometric templates, face templates, or identifiers are sent to MorphCast servers. Only minimal non-Emotion-AI usage telemetry may be received; in Protected Regions, no Emotion AI outputs or related aggregate metrics are transmitted to MorphCast in any form.
16.3 CPRA / GDPR Role
MorphCast does not receive “personal information” as defined by the CPRA/CCPA for these products. All camera frames and on-device outputs remain on the user’s device. Accordingly, MorphCast does not act as a Business or Service Provider for locally processed end-user data. Anonymous-by-design aggregate non-Emotion-AI usage telemetry, where collected, is not personal information.
16.4 Service Providers, Security, and Retention
AWS (hosting of telemetry endpoint); CloudFront (CDN/edge security); Stripe (payment, if paid tier). All frame processing stays local. TLS 1.2+ for telemetry pings. Usage telemetry aggregates retained 12 months. Users can delete all local data by clearing browser storage or refreshing the page.
17. AI Interactive Media Platform (Studio) and Emotion AI Media Player
17.1 MorphCast Studio
MorphCast Studio is a desktop and web platform that lets creators build emotion-driven interactive videos using facial-expression triggers, avatars, and LLM prompts. Creators upload media assets to MorphCast’s cloud workspace, assemble interactive timelines, and publish output files or share live links with viewers through the Emotion AI Media Player.
| Category | Examples | Source | Role | Retention |
| Account Identity & Contact | Email, name, organisation, billing | Sign-up/purchase | Business | Active + 6 months |
| Uploaded Content | Video, audio, images, subtitles, LLM prompts | Creator upload | Service Provider | Until deleted or 36 months inactivity |
| Project Metadata | Title, timeline JSON, trigger settings | Saved automatically | Service Provider | Same as project |
| Viewer Analytics (aggregated) | Play count, watch time, and anonymous-by-design aggregate metrics subject to regional restrictions | Media Player ping | Service Provider | 36 months |
| System Logs | IP, API calls, error traces | Platform backend | Service Provider | 30 days; aggregated 12 months |
Creators control their uploaded assets. MorphCast does not analyse or monetise content except to provide the requested editing/rendering services.
MorphCast acts as a Service Provider for uploaded content and viewer analytics, and as a Business for account and billing data.
17.2 Emotion AI Media Player
The Emotion AI Media Player is a lightweight web player that streams interactive videos created in MorphCast Studio. While the video plays, an on-device Emotion AI engine monitors the viewer’s facial expressions and adapts the storyline in real time. No account or sign-in is required for viewers.
No raw camera frames, biometric templates, face templates, or per-frame emotion data leave the viewer’s device. In Protected Regions, no Emotion AI outputs or related aggregate metrics are transmitted to MorphCast in any form. Outside Protected Regions, where analytics are enabled, analytics consist of anonymous-by-design aggregate statistical counters only, such as view count, watch time, branch popularity, and aggregate emotion counters.
Viewer camera frames are ephemeral (in-memory < 100 ms). Interaction events (play, pause, branch clicks) are transmitted to the analytics endpoint. Aggregated analytics retained 36 months. System logs: 30 days raw, aggregated 12 months. MorphCast acts as a Business for CDN system logs; content creators control uploaded videos.
17.3 Service Providers
AWS (S3 storage, transcoding, database, streaming origin, analytics API); CloudFront (global CDN delivery); Stripe (payment, if paid tier). Full list maintained in the DPA.
17.4 Security
Encryption in transit (TLS 1.2+) and at rest (AES-256). Separate storage buckets per workspace with role-based access. Automatic virus scanning of uploads. SOC 2 Type II infrastructure partners and annual penetration tests.
17.5 Retention and Deletion
Uploaded Content and Projects: retained until the creator deletes them or after 36 months of inactivity, then permanently purged from backups within 30 days. Viewer analytics and anonymous-by-design aggregate metrics: retained 36 months for trend analysis, then aggregated further or deleted. Account data: removed 6 months after account closure (billing records kept per tax law). Creators can self-delete projects and assets at any time from the dashboard.
18. Contact Information
Email: privacy@morphcast.com
Postal: Technologies MorphCast Inc., 203-1553 rue du Centre, Montréal, Québec, Canada.
We aim to respond within 45 days (CPRA), 30 days (GDPR), or any shorter period required by applicable law.
Appendix A — Protected Regions for Emotion AI Analytics
For purposes of Emotion AI analytics, MorphCast applies a regional inbound analytics filtering configuration designed to prevent the transfer of Emotion AI analytics data to MorphCast servers from certain protected jurisdictions.
In these Protected Regions, Emotion AI processing occurs locally on the end-user device, and Emotion AI outputs or related analytics metrics are not transferred to MorphCast servers.
The current Protected Regions include:
European Union Member States: Austria (AT), Belgium (BE), Bulgaria (BG), Croatia (HR), Cyprus (CY), Czechia (CZ), Denmark (DK), Estonia (EE), Finland (FI), France (FR), Germany (DE), Greece (GR), Hungary (HU), Ireland (IE), Italy (IT), Latvia (LV), Lithuania (LT), Luxembourg (LU), Malta (MT), Netherlands (NL), Poland (PL), Portugal (PT), Romania (RO), Slovakia (SK), Slovenia (SI), Spain (ES), and Sweden (SE).
EEA countries outside the European Union: Norway (NO), Iceland (IS), and Liechtenstein (LI).
Additional protected jurisdictions: Switzerland (CH), China (CN), and the United Kingdom (GB).
MorphCast may update the list of Protected Regions from time to time to reflect legal, regulatory, technical, or operational requirements. Where a jurisdiction is included in the Protected Regions, MorphCast configures the relevant services so that inbound Emotion AI analytics from that jurisdiction are disabled or filtered and are not transferred to MorphCast servers.