Last updated: September 29, 2025
Relationship with the MorphCast Inc. Global Privacy Policy
This notice (the “Supplemental Privacy Policy”) supplements and forms part of the MorphCast Inc. Privacy Policy (https://www.morphcast.com/morphcast-inc-privacy-policy/). The definitions and CPRA business purposes set out in that policy also apply to this Product unless otherwise stated.
Territorial Exclusion — We do not currently offer our services in certain jurisdictions. For the up-to-date list and rationale, please see https://www.morphcast.com/legal-territorial-exclusion/.
· Product Overview
The MorphCast Portal is a lightweight dashboard where customers can generate products license keys, view usage quotas, download invoices and much more. Access is granted in two ways:
- Email verification code – a single‑use 6‑digit code sent to the billing email address; valid for 10 minutes.
- Third‑party sign‑in – OAuth 2.0 / OpenID Connect via Google, Apple, Microsoft or Yahoo. No password is stored by MorphCast.
MorphCast Inc. (“MorphCast“, “we“, “us“, “our“) is a Delaware corporation headquartered at 835 Fifth Avenue, San Rafael, CA 94901, USA.
· Categories of Personal Information Processed
| Category | Examples | Source | MorphCast role | Retention |
|---|---|---|---|---|
| Billing Email (hash) | SHA‑256 hash of customer email used to send verification code | Licence purchase record | Business | Until licence expires + 6 mths |
| Verification Code (ephemeral) | 6‑digit numeric code | Portal auth service | Business | Cache ≤ 10 min, then purged |
| OAuth ID Token (ephemeral) | Signed JWT from Google, Apple, Microsoft, Yahoo | OAuth provider | Business | Stored in browser session; expires ≤ 2 h |
| License Metadata | Licence key, creation date, plan tier | Portal DB | Business | Life of licence |
| Portal Activity Logs | IP, timestamp, endpoint accessed | Server logs | Business | 30 days logs; aggregated 12 mths |
No passwords, names, addresses or payment card numbers are stored in the Portal. Payments are processed externally by Stripe.
· Purposes of Processing
| Purpose | CPRA Business Purpose |
|---|---|
| Deliver secure code‑ or OAuth‑based access to licence management | Perform services |
| Maintain licence metadata and usage quotas | Perform services |
| Detect unauthorised access or key abuse (activity logs) | Detect security incidents |
| Generate and email invoices via Stripe | Comply with law / Perform services |
MorphCast does not sell or share personal information as defined by the CPRA.
· Roles under CPRA (Business / Service Provider)
MorphCast acts as a Business for Portal data. OAuth authentication is handled by the chosen provider under its own privacy terms. Payment information is handled by Stripe; MorphCast receives only transaction IDs and invoice PDFs.
· Additional Compliance
This Policy is designed to comply with the California Consumer Privacy Act and the California Privacy Rights Act (CCPA/CPRA) and, in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA). For other comprehensive U.S. state privacy laws that are materially similar to the CPRA, our practices and user-rights workflows are aligned and we make equivalent choices available, to the extent applicable to MorphCast in its role as Service Provider/Processor.
Because requirements may differ by jurisdiction (e.g., consent for certain sensitive categories, universal opt-out signals, or appeal mechanisms), Business customers are responsible for identifying any stricter or additional local obligations in the places where they operate and for instructing MorphCast accordingly; we will reasonably support such compliance through our Product configuration and our DPA.
Territorial availability. This Product is not available in all jurisdictions. For the up-to-date list of jurisdictions we do not serve and the rationale, please see https://www.morphcast.com/legal-territorial-exclusion/.
· Service Providers
| Provider | Service | Location |
|---|---|---|
| Amazon Web Services | Hosting of Portal and licence database (us‑west‑2) | USA |
| Amazon CloudFront | CDN delivery | Global |
| Stripe, Inc. | Payment processing & invoice emailing | USA |
Full list maintained in the DPA (https://www.morphcast.com/dpa).
· Security Measures
- Verification codes stored in encrypted Redis cache; auto‑expire after 10 minutes.
- OAuth ID tokens validated server‑side and stored only in browser session storage.
- All data in transit via TLS 1.2+; licence DB encrypted at rest (AES‑256).
- Role‑based access for support staff; audit trail of admin actions.
- SOC 2 Type II infrastructure partners.
· Cookies & Local Storage
Default: the Portal sets no tracking cookies. Only strictly-necessary cookies are used to enable secure login and account functionality.
| Name / Key | Domain | Lifespan | Purpose | Category |
|---|---|---|---|---|
portalPerm | .morphcast.com | Session / short-term | Stores permission/role information for your Portal session. | Strictly necessary |
Portal session token (e.g. JWT such as 1e54f50250a2) | cdn-api-portal.morphcast.com | Session / short-term | Keeps you signed in to the Portal. | Strictly necessary |
Google reCAPTCHA cookies (examples: __Secure-*, NID, AEC, OTZ, etc.) | .google.com | Varies (~6–24 months) | Protects login against abuse/spam and ensures secure authentication. | Strictly necessary for security |
| SSO provider cookies (Google / Apple / Yahoo / Microsoft) | accounts.google.com, appleid.apple.com, login.yahoo.com, login.live.com / microsoftonline.com | Varies per provider | Only set if you choose that SSO method; required to complete the login. | Strictly necessary for chosen SSO |
Note: these cookies are only set when you actively log in to the Portal or choose an SSO option. They are necessary to provide secure authentication and are not used for advertising or cross-site tracking.
· Data Retention & Deletion
- Licence metadata retained for the life of the licence.
- Billing‑email hash removed 6 months after licence expiry.
- Verification codes purged after 10 minutes; OAuth tokens expire ≤ 2 hours.
- Activity logs deleted after 30 days; aggregated stats kept 12 months.
- Customers may request earlier deletion from the dashboard or asking us to delete the account using the methods listed in the Contact Us section below
Customers may request full deletion of license records using the methods listed in the Contact Us section below.
· Your Privacy Rights
California Residents (CPRA)
If you reside in California you may: access/know, delete, correct, and limit the use/disclosure of sensitive personal information (not applicable because we do not use or disclose sensitive PI for purposes that trigger the right to limit).
No Opt-Out Needed: MorphCast does not sell or share personal information as defined by the CPRA.
Residents of Other U.S. States
Depending on your state’s law (e.g., Virginia, Colorado, Connecticut, Utah, and others), you may have rights similar to California’s, including access/know, delete, correct, portability, and, where applicable, the right to opt out of targeted advertising, sale, or certain profiling.
Canada (PIPEDA and applicable provincial laws)
Canadian residents may request access to and correction of personal information, subject to applicable exceptions. You may also contact the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner regarding unresolved concerns.
How to Exercise Your Rights
Submit a request using the methods listed in the Contact Us section below. We will verify your identity and respond within 45 days, or any shorter period required by applicable law (Canadian requests will be handled within the timelines set by Canadian law).
Territorial Exclusion (Reference)
As noted at the beginning of this policy, we do not currently offer our services in certain jurisdictions. For the up-to-date list and rationale, please see: https://www.morphcast.com/legal-territorial-exclusion/.
· Children’s Privacy
Our Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please submit a request using the methods listed in the Contact Us section below and we will promptly take steps to delete the information.
By default, our emotion AI runs on-device (in the user’s browser/app). Face images/video and biometric identifiers are not transmitted to MorphCast servers for analysis. We do not sell or share minors’ personal information for cross-context behavioral advertising.
Where local law sets a specific age of consent for online services (typically 13–16), we apply the applicable threshold in that jurisdiction. If an organization enables account-based or optional cloud features for users who are minors and those features involve transferring personal information to our systems, that organization is responsible for obtaining verifiable parental consent and providing any required notices. In such cases, MorphCast processes the data as a Service Provider/Processor under our DPA and only on documented instructions.
If we learn that we have collected personal information from a child without the required consent, we will delete or de-identify that information and, if applicable, disable the relevant account or feature.
· Contact Us
Email: privacy@morphcast.com
Postal: MorphCast Inc., 835 Fifth Avenue, San Rafael, CA 94901, USA
We aim to respond within 45 days (CPRA) or within any shorter period required by applicable law.
· Changes to This Policy
We may update this Policy from time to time. Material changes will be announced via a prominent notice on our website or by email where appropriate. The “Last update” date at the top indicates when revisions became effective.