Global Policy and Product Supplemental Notices
MorphCast Inc., a Delaware Corporation
835 Fifth Avenue – San Rafael, CA 94901
Effective Date: 2026-03-25
PART I: GLOBAL PRIVACY POLICY
1. Introduction
MorphCast Inc. (“MorphCast,” “we,” “us,” “our”) is a Delaware corporation headquartered at 835 Fifth Avenue, San Rafael, California 94901, USA. We develop Emotion AI software, developer tools, and interactive-media platforms delivered through our websites, mobile/desktop apps, APIs, and other online services (collectively, the “Services”).
This Policy explains how we collect, use, disclose, and protect personal information when you interact with our Services and outlines the choices and rights available to you under the California Consumer Privacy Act (CCPA/CPRA), other applicable U.S. state or federal privacy laws, the General Data Protection Regulation (GDPR) where applicable, and the privacy regulations of any non-U.S. jurisdictions in which we actively make the Services available.
This Policy is provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in accordance with Article 12 of the GDPR and the PIPEDA Openness Principle. It is publicly available at https://www.morphcast.com/morphcast-inc-privacy-policy/ at all times.
2. Supplemental Policies
Each product or feature listed below has its own supplemental privacy notice (and, where required, data-processing addendum — DPA). Those documents are set forth in Part II of this Policy and prevail over Part I in case of conflict for the specific product or feature:
• MorphCast Portal (User Dashboard) — Section 12
• Website, Contact Form, and Feedback/Abuse Report Form — Section 13
• Emotion AI HTML5 SDK (JS Engine) — Section 14
• MorphCast for Zoom and Emotion AI Video Conference — Section 15
• Ready-to-Use Web Apps (Keeping Data Locally) and MyMoodScan — Section 16
• AI Interactive Media Platform (Studio) and Emotion AI Media Player — Section 17
3. Scope and Applicability
This Policy applies to all personal information processed by MorphCast in connection with the Services unless a Supplemental Policy in Part II states otherwise. Where a Supplemental Policy covers a specific product or feature, it supersedes this Part I for that product or feature.
Excluded from this Policy: This Policy does not apply to personal information of MorphCast employees, contractors, or job applicants, which is governed by separate internal policies. This Policy also does not apply to data collected in connection with MorphCast-sponsored research studies, which are governed by separate research consent forms and protocols.
The Company may restrict the availability of the Services in specific jurisdictions from time to time as set forth at https://www.morphcast.com/legal-territorial-exclusion/. It is the responsibility of Business customers to identify and comply with all applicable local privacy obligations in the jurisdictions where they deploy the Services.
4. Roles: Controller/Processor Status
Business / Controller: MorphCast Inc. acts as a Business (CCPA/CPRA) or Controller (GDPR) for personal information related to our website, CRM, user accounts, billing, and direct customer communications.
Service Provider / Processor: For products, SDKs, and integrations where our customers decide the means and purposes of processing, MorphCast acts as a Service Provider (CCPA/CPRA) or Processor (GDPR) and processes data solely under the customer’s instructions and DPA.
On-Device Processing (No Role): For products where all processing occurs on the End User’s device and no personal information is transmitted to MorphCast (e.g., the SDK, Web Apps keeping data locally, MyMoodScan), MorphCast does not act as a Business/Controller or Service Provider/Processor for that End User data. MorphCast nonetheless maintains appropriate security and confidentiality commitments for any aggregated, de-identified telemetry it receives.
No Joint Controllership: MorphCast does not act as a joint controller (within the meaning of GDPR Article 26) with any deployer or customer. Where MorphCast processes personal data on behalf of a customer, MorphCast acts solely as a Processor/Service Provider under the customer’s instructions and DPA. If any deployment scenario were to give rise to joint controller obligations, MorphCast will enter into an appropriate joint controller arrangement with the relevant customer.
A Data Processing Addendum (DPA) is incorporated into our Business Terms of Service and available at https://www.morphcast.com/dpa/. Business customers may request a countersigned copy if needed.
Deployer Consent Obligations: Deployers are responsible for obtaining clear, informed consent from End Users before activating any Emotion AI processing through the Services. MorphCast’s architecture enables consent by design — the camera and AI engine do not activate without the End User’s affirmative action — but deployers must ensure their implementation respects this principle, provides appropriate notice, and obtains any consent required by applicable law (including, where GDPR applies, consent meeting the standard of Article 7 or another applicable lawful basis under Article 6).
Data Protection Impact Assessments: Deployers subject to GDPR should assess whether their specific use of the Services triggers a Data Protection Impact Assessment under Article 35 GDPR, particularly where emotion recognition is used on a large scale or in sensitive contexts. MorphCast will provide reasonable cooperation in connection with any DPIA conducted by a deployer.
EU Representative and Data Protection Officer: MorphCast is currently assessing whether its processing activities require the appointment of an EU Representative under Article 27 GDPR and/or a Data Protection Officer under Article 37 GDPR. Pending the outcome of this assessment, privacy inquiries from EU/EEA data subjects may be directed to privacy@morphcast.com. This section will be updated upon completion of the assessment.
5. Categories of Personal Information We Collect
| Category | Examples | Source | Role | Retention |
| Identity & Contact | Name, email, role, company | Registration, contact, feedback forms | Business | Account life + 6 months |
| Usage / Device Data | IP, browser type, pages viewed, API calls, event logs | Cookies, SDKs, server logs | Business | Raw: 30 days; aggregated: 12 months |
| Content Data | Images, video, audio, text processed by Emotion AI | Supplied by you or your end users | Varies | On-device by default; if uploaded: per settings or deletion |
| Support Data | Messages, attachments, screenshots | Support tickets | Business | 24 months |
| Blocked Service Logs | Timestamp, IP, country | AWS CloudFront | Business | 30 days |
Retention note: The periods above are default maximums. Product-specific Supplemental Policies may set different retention (e.g., Studio/Media Player viewer analytics retained up to 36 months). Where a Supplemental Policy specifies a different period, it controls for that product.
We do not intentionally collect sensitive personal information (as defined by CPRA). If you or your end users include such data within Content Data, it is processed on-device and, when we act as Service Provider/Processor, strictly under your instructions.
Classification of Emotion Data: Emotion-related outputs generated by the Services on-device (such as valence, arousal, and facial expression labels) may be classified as “sensitive personal information,” “special category data,” or “biometric data” under certain laws and jurisdictions. Because this data is processed on-device and not transmitted to MorphCast servers in the standard deployment architecture, MorphCast does not collect or process sensitive personal information from End Users. Deployers should assess the classification of emotion data under their applicable laws and implement appropriate safeguards, including where GDPR applies, identifying a lawful basis under Article 9(2) for any special-category processing they conduct.
Important: Our products are designed for edge/on-device processing. MorphCast does not receive or store face images, audio streams, or biometric identifiers from product use, unless you deliberately upload content to your account or enable a cloud feature described in a Supplemental Policy.
By default, emotional analytics are aggregated and anonymous by design (ABD) and therefore fall outside the personal information categories above.
No Training on User Data: MorphCast does not use End User data, camera frames, or emotion metrics derived from the Services to train or improve its AI models. MorphCast’s AI models are developed using separate, ethically sourced training datasets that are subject to independent ethics review. No data from deployed customer instances feeds back into model training. If MorphCast ever changes this practice, it will update this Policy and obtain any required consent before using customer or End User data for model improvement purposes.
6. Purposes for Processing
| Purpose | CPRA Business Purpose | GDPR Lawful Basis (Art. 6) | Examples |
| Provide, operate & maintain the Services | Perform services | Contract performance (Art. 6(1)(b)) | User authentication, billing, delivering apps & APIs |
| Improve & develop new features | Debug, R&D | Legitimate interest (Art. 6(1)(f)) | Usage analytics with aggregated/anonymous data, quality monitoring |
| Customer support & communications | Provide support | Contract performance / Legitimate interest | Tickets, bug reports, abuse complaints |
| Security & fraud prevention | Detect security incidents | Legitimate interest (Art. 6(1)(f)) | Log analysis, rate limiting, anti-spam |
| Legal compliance | Comply with law | Legal obligation (Art. 6(1)(c)) | Tax, accounting, export controls, AI/privacy regulations |
| Marketing (opt-in only) | Advertising (with consent) | Consent (Art. 6(1)(a)) | Newsletters, product updates (website/CRM data only; not product content) |
Legitimate interest balancing: Where we rely on legitimate interest as a lawful basis, we have conducted a balancing assessment and concluded that our interests in operating, securing, and improving the Services do not override the rights and freedoms of data subjects, particularly given the privacy-preserving, on-device architecture of our core products and the limited scope of personal information we process. You may request a copy of our balancing assessment by contacting privacy@morphcast.com.
MorphCast does not “sell” or “share” personal information as those terms are defined by the CCPA/CPRA.
7. Cookies and Similar Technologies
We use strictly necessary cookies and local storage items where needed to ensure the proper functioning and security of our core Services. No advertising cookies are used by our core products. Website-level cookies, consent management, and any analytics cookies are governed by the Website Supplemental Policy (Section 13). Third-party cookies may appear only when you explicitly activate optional features (e.g., translation, SSO). Our security providers may place temporary cookies for bot management.
8. Security Measures and Data Protection by Design
Data Protection by Design and by Default (GDPR Article 25): MorphCast implements data protection by design and by default. The core Emotion AI engine processes camera frames on the End User’s device, ensuring that facial images, video streams, and biometric data are never transmitted to MorphCast servers. This on-device architecture minimizes the personal data processed by MorphCast to the greatest extent technically feasible and provides the highest level of data protection by default. Only aggregated, anonymous-by-design (ABD) telemetry is transmitted, and only where necessary for service operation.
MorphCast maintains industry-standard technical and organizational measures to protect personal information, including: TLS encryption in transit; AES-256 encryption at rest for stored account/CRM data and backups; segmented production network with least-privilege access controls; regular penetration testing and vulnerability scanning; and incident-response procedures with breach notification protocols. Product Content Data is processed on-device by default and is not stored by MorphCast unless explicitly uploaded.
Data Accuracy (GDPR Article 5(1)(d)): MorphCast takes reasonable steps to ensure that personal information it holds is accurate, complete, and kept up-to-date, having regard to the purposes for which it is processed. Where you believe personal information we hold about you is inaccurate or incomplete, you may exercise your right to rectification as described in Section 9.
9. Your Privacy Rights
California Residents (CPRA): You may exercise rights to access/know, delete, correct, and limit the use/disclosure of sensitive personal information (the limit right is not applicable because we do not use or disclose sensitive PI for purposes that trigger it). No opt-out is needed because MorphCast does not sell or share personal information.
Residents of Other U.S. States: Depending on your state’s law (e.g., Virginia, Colorado, Connecticut, Utah, and others), you may have rights similar to California’s, including access/know, delete, correct, portability, and, where applicable, opt out of targeted advertising, sale, or certain profiling.
EU/EEA Residents (GDPR): Where GDPR applies, you may exercise rights to access, rectification, erasure, restriction of processing, data portability, and objection. You also have the right to lodge a complaint with your local supervisory authority. Where processing is based on consent, you have the right to withdraw your consent at any time; withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. To withdraw consent, contact privacy@morphcast.com or use the unsubscribe mechanism provided in the relevant communication. Where MorphCast acts as a Processor, data-subject requests should be directed to the Controller (your deployer/employer) in the first instance, and MorphCast will provide reasonable cooperation.
Canada (PIPEDA): Canadian residents may request access to and correction of personal information, subject to applicable exceptions. You may contact the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner regarding unresolved concerns.
How to Exercise Your Rights: Submit a request to privacy@morphcast.com or by mail to MorphCast Inc., 835 Fifth Avenue, San Rafael, CA 94901, USA. We will verify your identity and respond within 45 days (CPRA) or 30 days (GDPR), or any shorter period required by applicable law. You may designate an authorized agent to submit a request on your behalf; we may require the agent to provide proof of written authorization and may still verify your identity directly.
Non-Discrimination: MorphCast will not discriminate against you for exercising any of your privacy rights under the CCPA/CPRA or any other applicable law, including by denying you Services, charging you different prices, or providing a different level or quality of Services.
Financial Incentives: We do not offer financial incentives or price or service differences in exchange for the retention, sale, or sharing of personal information.
California Shine the Light (Civil Code §1798.83): MorphCast does not disclose personal information to third parties for their own direct marketing purposes.
Do Not Track Signals: Our Services do not use advertising cookies or third-party analytics trackers. Accordingly, our Services do not currently respond to Do Not Track (DNT) browser signals, as there is no tracking activity to disable. We do not track users across third-party websites.
10. Children’s Privacy
Our Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. By default, our emotion AI runs on-device and face images/video and biometric identifiers are not transmitted to MorphCast servers. We do not sell or share minors’ personal information for cross-context behavioral advertising. Where local law sets a specific age of consent for online services (typically 13–16), we apply the applicable threshold. If an organization enables account-based or cloud features for users who are minors, that organization is responsible for obtaining verifiable parental consent. If we learn we have collected personal information from a child without required consent, we will delete or de-identify it.
11. Data Retention, International Transfers, and Changes
We keep personal information only as long as necessary for the purposes described above or as required by law. Default retention periods are listed in the Categories table (Section 5); Supplemental Policies may set different periods.
MorphCast’s infrastructure is primarily hosted in the United States (AWS us-west-2). Where personal information is transferred internationally, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) where GDPR applies, and contractual protections under our DPA.
We may update this Policy from time to time. Material changes will be announced via a prominent notice on our website or by email. The effective date at the top of this document indicates when revisions became effective.
PART II: PRODUCT SUPPLEMENTAL PRIVACY POLICIES
Each Supplemental Policy below supplements and forms part of the Global Privacy Policy (Part I). The definitions and CPRA business purposes set out in Part I also apply to each Supplemental Policy unless otherwise stated. In the event of conflict, the Supplemental Policy prevails for that product.
12. MorphCast Portal (User Dashboard)
12.1 Product Overview
The MorphCast Portal is a lightweight dashboard where customers can generate license keys, view usage quotas, download invoices, and manage account settings. Access is granted via email verification code (single-use 6-digit code, valid 10 minutes) or third-party sign-in (OAuth 2.0/OpenID Connect via Google, Apple, Microsoft, or Yahoo). No password is stored by MorphCast.
12.2 Categories of Personal Information
| Category | Examples | Source | Role | Retention |
| Billing Email (hash) | SHA-256 hash of customer email | License purchase | Business | License expiry + 6 months |
| Verification Code | 6-digit numeric code | Portal auth | Business | Cache: 10 min, then purged |
| OAuth ID Token | Signed JWT from provider | OAuth provider | Business | Browser session; expires 2h |
| License Metadata | License key, creation date, plan tier | Portal DB | Business | Life of license |
| Activity Logs | IP, timestamp, endpoint accessed | Server logs | Business | 30 days; aggregated 12 months |
No passwords, names, addresses, or payment card numbers are stored in the Portal. Payments are processed externally by Stripe.
12.3 Purposes
Deliver secure code- or OAuth-based access to license management; maintain license metadata and usage quotas; detect unauthorized access or key abuse; generate and email invoices via Stripe.
12.4 CPRA Role
MorphCast acts as a Business for Portal data. OAuth authentication is handled by the chosen provider under its own privacy terms. Payment information is handled by Stripe; MorphCast receives only transaction IDs and invoice PDFs.
12.5 Cookies
The Portal sets no tracking cookies. Strictly necessary cookies include: portalPerm (session/permission), portal session token (JWT, session/short-term), Google reCAPTCHA cookies (security), and SSO provider cookies (only if you choose SSO). These are necessary to provide secure authentication and are not used for advertising.
12.6 Service Providers
Amazon Web Services (hosting, us-west-2); Amazon CloudFront (CDN); Stripe, Inc. (payment processing). Full list maintained in the DPA.
12.7 Security
Verification codes stored in encrypted Redis cache; auto-expire after 10 minutes. OAuth ID tokens validated server-side and stored only in browser session storage. All data in transit via TLS 1.2+; license DB encrypted at rest (AES-256). Role-based access for support staff; audit trail of admin actions.
12.8 Retention and Deletion
License metadata: life of license. Billing-email hash: removed 6 months after license expiry. Verification codes: purged after 10 minutes. OAuth tokens: expire within 2 hours. Activity logs: deleted after 30 days; aggregated stats kept 12 months. Customers may request full deletion from the dashboard or by contacting privacy@morphcast.com.
13. Website, Contact Form, and Feedback/Abuse Report Form
13.1 Website Privacy and Cookies
This section covers information collected when you visit pages under the www.morphcast.com domain, including embedded demos and the Voiceflow chat widget.
What we collect: HTTP request data (IP, user-agent, URL, timestamp — 30 days logs, aggregated 12 months); chat messages via the Voiceflow widget (anonymous, deleted after 24 hours); and strictly necessary or feature-requested cookies/storage.
Minimal-tracking philosophy: We do not use third-party analytics (e.g., Google Analytics), ad trackers, or social media pixels. By default, we set no tracking cookies. Third-party cookies are placed only when you explicitly use Translation or Portal sign-in.
Always-present cookies: legalAckCookie (first-party, 24h, stores legal disclaimer acknowledgment); cf_bm (Cloudflare bot manager, 30 min).
Optional-feature cookies (no tracking): vf_deviceId (localStorage, Voiceflow, ~6 months, random UUID for chat resumption); vf_session (sessionStorage, chat context); googtrans (session, translation preference).
Third-party cookies (Translation/Portal sign-in only): Google reCAPTCHA/Translate cookies, SSO provider cookies (Google, Apple, Yahoo, Microsoft) — set only when you use those features. Controlled by the respective providers.
Service providers: AWS (hosting), CloudFront (CDN/edge security), Cloudflare (WAF/bot management), Voiceflow Inc. (chat widget sub-processor).
13.2 Contact Form
The Contact Form collects information you explicitly enter: name, email address, message content, and optional project details (country, organization type, project type, product interest). No login or account is required. MorphCast does not request sensitive personal information; please avoid including such data in your message.
Retention: individual inquiries retained 24 months; server logs 30 days (aggregated 12 months). reCAPTCHA metadata retained 6 months. Service providers: AWS (hosting/email relay), CloudFront (CDN/WAF), Google LLC (reCAPTCHA).
13.3 Feedback and Abuse Report Form
The Feedback and Abuse Report Form enables users to report bugs, security issues, copyright violations, or harassment. The form accepts a free-text description and optional file attachments (e.g., screenshots, log snippets). No login or account is required.
Please ensure attachments do not contain sensitive personal information unless strictly necessary to demonstrate the issue. Retention and service providers follow the same schedule as the Contact Form.
14. Emotion AI HTML5 SDK (JS Engine)
14.1 Product Overview
The Emotion AI HTML5 SDK allows developers to embed MorphCast’s on-device facial-expression engine into their web applications. The SDK processes camera frames locally in the end-user’s browser and returns emotion metrics to the developer’s code via JavaScript callbacks. No photos, full video, or per-user emotion metrics are sent to MorphCast servers. Aggregated stats are anonymous and unlinkable.
14.2 Categories of Personal Information
| Category | Examples | Source | Role | Retention |
| Camera Frames (ephemeral) | Pixel data from end-user camera | Browser getUserMedia | Not transmitted | In-memory < 100 ms |
| Emotion Metrics (local) | Valence, arousal, emotion labels | Derived on device | Not transmitted | Per developer’s implementation |
| License Key Telemetry | License validation, session count, errors | SDK ping | ABD (not PI) | Aggregated: 12 months |
| Optional: Data Storage Module | Aggregated anonymous emotion stats | Opt-in by developer | Service Provider | Per developer settings |
No photos, full video, or per-user emotion metrics are sent to MorphCast servers. The only data MorphCast receives is non-identifiable license telemetry and, if the developer explicitly enables the Data Storage module, aggregated anonymous statistics.
14.3 CPRA / GDPR Role
For end-user data processed entirely on the user’s device, MorphCast does not act as a Business/Controller or Service Provider/Processor because MorphCast does not receive or determine the purposes and means of processing that personal information. Where MorphCast does process personal information (e.g., customer account, licensing, billing, support), we act as a Business or Service Provider solely for those data. De-identified/aggregated data (ABD metrics) are not “personal information” under CPRA/CCPA or “personal data” under GDPR.
Where the Registered User deploys the SDK in a context subject to GDPR, the Registered User is the Controller for any End User personal data processed through the SDK. MorphCast will provide reasonable cooperation under the DPA.
14.4 Service Providers
AWS (hosting of telemetry endpoint); CloudFront (CDN/edge security); Stripe (payment processing, if paid tier). Third-party providers do not receive end-user personal information.
14.5 Security and Retention
All frame processing stays local; no outbound video. TLS 1.2+ for telemetry pings. License telemetry aggregated and retained 12 months. Users can delete all local data by clearing browser storage.
15. MorphCast for Zoom and Emotion AI Video Conference
15.1 MorphCast for Zoom
MorphCast for Zoom is an add-on available in the Zoom App Marketplace that overlays real-time emotional analytics during Zoom video meetings.
| Category | Examples | Source | Role | Retention |
| Zoom Meeting Metadata | Meeting ID, host email, timestamps | Zoom API | Service Provider | 30 days; aggregated 12 months |
| Video Frames (ephemeral) | Pixel data from participants | Camera (local) | Not transmitted | In-memory < 100 ms |
| Emotional Metrics | Valence, arousal, emotion scores | Derived on device | Service Provider (sent for host visibility) | One year |
| ABD Usage Statistics | Session counts, feature toggles, error rates | Product telemetry | N/A (ABD) | 12 months |
No facial images, audio, chat content, or sensitive personal information is sent to MorphCast.
Important: If the host chooses to associate emotional metrics with a guest’s display name or another identifier, those data may qualify as Sensitive Personal Information under applicable law. In that scenario, the host (Business/Controller) is responsible for providing appropriate notices and having a lawful basis. MorphCast continues to act only as a Service Provider/Processor.
For the regulation of the Zoom service embedded in MorphCast for Zoom, please refer to the Zoom Privacy Statement. MorphCast for Zoom participants who are Guests will not have cookies or data in localStorage by MorphCast for Zoom.
15.2 Emotion AI Video Conference
MorphCast Emotion AI Video Conference is a browser-based video conferencing application powered by AWS Chime with integrated emotion analytics. It is available as a hosted service at meet.morphcast.com and as a white-label deployment.
The data categories and processing purposes mirror those of MorphCast for Zoom (Section 15.1), with the following differences: the video conferencing infrastructure is provided by AWS Chime (not Zoom); for the management of conference data by AWS Chime (e.g., video recording functionality), refer to the AWS Compliance GDPR Center; the white-label deployer is responsible for providing their own privacy policy, terms of use, and DPA links to their end users.
Service providers: AWS (hosting, Chime infrastructure, us-west-2); CloudFront (CDN); Stripe (payment processing, if paid tier).
15.3 Cookies (Zoom and Video Conference)
MorphCast for Zoom: cookies are used for the Host only, including authentication and session management via Zoom and MorphCast for Zoom. Guests do not have cookies or data in localStorage by MorphCast for Zoom. Zoom’s own cookies are governed by Zoom’s Cookie Policy.
Video Conference: strictly necessary cookies for session management. No advertising or tracking cookies.
16. Ready-to-Use Web Apps (Keeping Data Locally) and MyMoodScan
16.1 Product Overview
These single-page web apps run entirely in the browser and perform on-device facial-expression analysis using the Emotion AI HTML5 SDK. No data leaves the user’s device. The apps are free, ad-free, and do not require an account or license key. MyMoodScan is a free, ad-free web app that performs real-time or photo-based facial-expression analysis entirely on the user’s device.
16.2 Categories of Personal Information
| Category | Examples | Source | Role | Retention |
| Camera/Photo Frames | Pixel data from user’s camera | Browser getUserMedia | Not transmitted | In-memory < 100 ms |
| Emotion Metrics (local) | Valence, arousal, emotion labels | Derived on device | Not transmitted | Until user clears browser storage |
| Anonymous Usage Telemetry | Session count, fatal errors | Minimal ping | N/A (ABD) | Aggregated: 12 months |
No photos, videos, camera streams, emotional metrics, or identifiers are sent to MorphCast servers. The only data received is non-identifiable usage telemetry.
16.3 CPRA / GDPR Role
MorphCast does not receive “personal information” as defined by the CPRA/CCPA for these products. All camera frames and on-device outputs remain on the user’s device. Accordingly, MorphCast does not act as a Business or Service Provider for locally processed end-user data. De-identified/aggregated ABD metrics are not personal information.
16.4 Service Providers, Security, and Retention
AWS (hosting of telemetry endpoint); CloudFront (CDN/edge security); Stripe (payment, if paid tier). All frame processing stays local. TLS 1.2+ for telemetry pings. Usage telemetry aggregates retained 12 months. Users can delete all local data by clearing browser storage or refreshing the page.
17. AI Interactive Media Platform (Studio) and Emotion AI Media Player
17.1 MorphCast Studio
MorphCast Studio is a desktop and web platform that lets creators build emotion-driven interactive videos using facial-expression triggers, avatars, and LLM prompts. Creators upload media assets to MorphCast’s cloud workspace, assemble interactive timelines, and publish output files or share live links with viewers through the Emotion AI Media Player.
| Category | Examples | Source | Role | Retention |
| Account Identity & Contact | Email, name, organisation, billing | Sign-up/purchase | Business | Active + 6 months |
| Uploaded Content | Video, audio, images, subtitles, LLM prompts | Creator upload | Service Provider | Until deleted or 36 months inactivity |
| Project Metadata | Title, timeline JSON, trigger settings | Saved automatically | Service Provider | Same as project |
| Viewer Analytics (aggregated) | Play count, watch time, anonymous emotion stats | Media Player ping | Service Provider | 36 months |
| System Logs | IP, API calls, error traces | Platform backend | Service Provider | 30 days; aggregated 12 months |
Creators control their uploaded assets. MorphCast does not analyse or monetise content except to provide the requested editing/rendering services.
MorphCast acts as a Service Provider for uploaded content and viewer analytics, and as a Business for account and billing data.
17.2 Emotion AI Media Player
The Emotion AI Media Player is a lightweight web player that streams interactive videos created in MorphCast Studio. While the video plays, an on-device Emotion AI engine monitors the viewer’s facial expressions and adapts the storyline in real time. No account or sign-in is required for viewers.
No raw camera frames or per-frame emotion data leave the viewer’s device. Analytics consist of anonymized, aggregated counters only (view count, watch time, branch popularity).
Viewer camera frames are ephemeral (in-memory < 100 ms). Interaction events (play, pause, branch clicks) are transmitted to the analytics endpoint. Aggregated analytics retained 36 months. System logs: 30 days raw, aggregated 12 months. MorphCast acts as a Business for CDN system logs; content creators control uploaded videos.
17.3 Service Providers
AWS (S3 storage, transcoding, database, streaming origin, analytics API); CloudFront (global CDN delivery); Stripe (payment, if paid tier). Full list maintained in the DPA.
17.4 Security
Encryption in transit (TLS 1.2+) and at rest (AES-256). Separate storage buckets per workspace with role-based access. Automatic virus scanning of uploads. SOC 2 Type II infrastructure partners and annual penetration tests.
17.5 Retention and Deletion
Uploaded Content and Projects: retained until the creator deletes them or after 36 months of inactivity, then permanently purged from backups within 30 days. Viewer analytics and emotion stats: retained 36 months for trend analysis, then aggregated further or deleted. Account data: removed 6 months after account closure (billing records kept per tax law). Creators can self-delete projects and assets at any time from the dashboard.
18. Contact Information
Email: privacy@morphcast.com
Postal: MorphCast Inc., 835 Fifth Avenue, San Rafael, CA 94901, USA
We aim to respond within 45 days (CPRA), 30 days (GDPR), or any shorter period required by applicable law.