Last updated: September 29, 2025
Relationship with the MorphCast Inc. Global Privacy Policy
This notice (the “Supplemental Privacy Policy”) supplements and forms part of the MorphCast Inc. Privacy Policy (https://www.morphcast.com/morphcast-inc-privacy-policy/). The definitions and CPRA business purposes set out in that policy also apply to this Product unless otherwise stated.
Territorial Exclusion — We do not currently offer our services in certain jurisdictions. For the up-to-date list and rationale, please see https://www.morphcast.com/legal-territorial-exclusion/.
· Scope of This Policy
This Policy covers information collected when you visit pages under the www.morphcast.com domain, including embedded demos and the Voiceflow chat widget. It explains our minimal-tracking philosophy and the limited cookies/local-storage keys we set.
· What We Collect
| Category | Examples | Source | MorphCast role (CPRA: Business / Service Provider) | Retention |
|---|---|---|---|---|
| HTTP Request Data | IP address, user-agent, URL, timestamp | Web server logs | Business | 30 days logs; aggregated 12 mths |
| Chat Messages (anonymous) | Text you type into the Voiceflow widget | Front-end POST | Business (handled via Voiceflow as Service Provider) | Deleted after 24 h; aggregated intents 12 mths |
| Contact Form Data | Name, email, message (if you submit) | Form submission | Business | 24 mths |
| Strictly-Necessary or Feature-Requested Cookies / Storage | See tables in §3 | Browser | Business | Lifespans below |
Voiceflow Inc. acts as a sub-processor for the provision of the chat widget (see DPA).
We do not use third-party analytics (e.g., Google Analytics), ad trackers or social media pixels.
· Cookies & Local Storage
Default: we set no tracking cookies. By default, only cookies listed in §3.1 are present. On-demand: third-party cookies may be placed only when you explicitly use Translation or access the Portal sign-in (including reCAPTCHA and optional SSO with Google/Apple/Yahoo/Microsoft). Keys for the chat widget are set only if you open/use the chat.
1. Always present (strictly necessary)
| Name / Key | Type | Lifespan | Purpose | Personal data? |
|---|---|---|---|---|
legalAckCookie | Cookie (first-party) | 24 h | Stores that you have seen the legal/territorial disclaimer; used to avoid re-showing it. | No |
cf_bm | Cookie (Cloudflare bot‑manager) | 30 min | Protects site from bots, ensures reliability | No |
2. Optional features (functional, no tracking)
| Name / Key | Type | Lifespan | Purpose | Personal data? |
|---|---|---|---|---|
vf_deviceId | localStorage (Voiceflow) | ~6 mths | Allows returning users to resume chat; random UUID. | No |
vf_session | sessionStorage (Voiceflow) | Session | Maintains chat context per tab. | No |
googtrans | Cookie (first-party) | Session | Stores the language you selected for page translation. Set only after you choose a language. | No |
Why consent is not required: these items are set strictly to deliver a feature you actively request (chat or translation preference). They involve no cross-site tracking and no sale/share of personal information.
3. Third-party cookies (set only when you use Translation or Portal sign-in)
When you activate Translation or access the Portal sign-in (which uses Google reCAPTCHA and may offer SSO with Google/Apple/Yahoo/Microsoft), the relevant providers place cookies on their own domains. These cookies are controlled by the provider and may change over time. They are required to deliver the specific external service you request.
| Name / Key (examples) | Provider domain | Lifespan (typical) | Purpose (high-level) | Category |
|---|---|---|---|---|
__Secure-1PAPISID, __Secure-1PSID,
__Secure-1PSIDCC, __Secure-1PSIDTS
| .google.com | up to ~2 years | Authentication & security for Google services (reCAPTCHA/SSO/Translate). | Necessary for requested service |
__Secure-3PAPISID, __Secure-3PSID,
__Secure-3PSIDCC, __Secure-3PSIDTS
| .google.com | up to ~2 years | Security across Google properties; fraud-prevention signals. | Necessary for requested service |
__Secure-ENID, AEC, NID,
OTZ, S, APISID, HSID,
ADS_VISITOR_ID
| .google.com / www.google.com | 6–24 mths | Service operation, security and preferences (incl. reCAPTCHA/Translate). | Necessary for requested service |
Portal session/SSO token (e.g. 1e54f50250a2)
| cdn-api-portal.morphcast.com | Session / up to 2 hours, then a new sign-in is required | Portal session / SSO state required to keep you signed-in. | Strictly necessary |
| Identity Provider cookies (Apple / Yahoo / Microsoft) |
appleid.apple.com,
login.yahoo.com,
login.live.com / microsoftonline.com
| varies by provider | Only set if you choose that SSO option; required to complete authentication. | Necessary for requested service |
Consent model: by default we place no third-party cookies. If you choose Translation or Portal sign-in, you request a feature delivered in part by those providers; their cookies then become necessary to fulfill your request. If you do not use those features, those cookies are not set.
· Purposes of Processing
| Purpose | CPRA Business Purpose |
|---|---|
| Serve website content and maintain security (server logs, WAF, rate-limiting) | Perform services / Detect security incidents |
| Provide optional chat support (Voiceflow) | Provide support |
| Provide Portal sign-in with security controls (reCAPTCHA) and optional SSO | Provide services / Detect security incidents |
| Provide optional page translation on user request | Provide services |
| Respond to contact form submissions | Provide support |
| Compile aggregated, anonymous traffic statistics | Research & development |
MorphCast does not sell or share personal information as defined by the CPRA.
· Additional Compliance
This Policy is designed to comply with the California Consumer Privacy Act and the California Privacy Rights Act (CCPA/CPRA) and, in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA). For other comprehensive U.S. state privacy laws that are materially similar to the CPRA, our practices and user-rights workflows are aligned and we make equivalent choices available, to the extent applicable to MorphCast in its role as Service Provider/Processor.
Because requirements may differ by jurisdiction (e.g., consent for certain sensitive categories, universal opt-out signals, or appeal mechanisms), Business customers are responsible for identifying any stricter or additional local obligations in the places where they operate and for instructing MorphCast accordingly; we will reasonably support such compliance through our Product configuration and our DPA.
Territorial availability. This Product is not available in all jurisdictions. For the up-to-date list of jurisdictions we do not serve and the rationale, please see https://www.morphcast.com/legal-territorial-exclusion/.
· Service Providers
| Provider | Role | Location |
|---|---|---|
| Amazon Web Services | Hosting (us-west-2) | USA |
| Amazon CloudFront | CDN & edge security | Global |
| Cloudflare, Inc. | Edge security (CDN, WAF, bot management) — Website (morphcast.com) | Global |
| Voiceflow Inc. | Chat widget backend (sub-processor) | USA |
Some features integrate with independent providers who set cookies on their domains to deliver the feature on your request: Google reCAPTCHA and Google Translate (Google), and optional SSO providers (Google, Apple, Yahoo, Microsoft). See §3.3 for details. The full list of MorphCast sub-processors is maintained in the DPA (https://www.morphcast.com/dpa).
· Security Measures
- TLS 1.2+ for all pages and API endpoints.
- Web Application Firewall and rate-limiting at the edge.
- Chat payloads encrypted in transit; purged after 24 h.
- SOC 2 Type II infrastructure partners.
· Data Retention & Deletion
- Server logs: 30 days raw; aggregated stats 12 months.
- Chat transcripts: automatically deleted 24 hours after last message.
- Contact-form submissions: kept 24 months for follow-up.
- Cookies/local storage: you can clear at any time via browser settings. Third-party cookies set by providers (e.g., Google, Apple, Yahoo, Microsoft) are controlled by those providers and may persist per their policies.
· Your Privacy Rights
California Residents (CPRA)
If you reside in California you may: access/know, delete, correct, and limit the use/disclosure of sensitive personal information (not applicable because we do not use or disclose sensitive PI for purposes that trigger the right to limit).
No Opt-Out Needed: MorphCast does not sell or share personal information as defined by the CPRA.
Residents of Other U.S. States
Depending on your state’s law (e.g., Virginia, Colorado, Connecticut, Utah, and others), you may have rights similar to California’s, including access/know, delete, correct, portability, and, where applicable, the right to opt out of targeted advertising, sale, or certain profiling.
Canada (PIPEDA and applicable provincial laws)
Canadian residents may request access to and correction of personal information, subject to applicable exceptions. You may also contact the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner regarding unresolved concerns.
How to Exercise Your Rights
Submit a request using the methods listed in the Contact Us section below. We will verify your identity and respond within 45 days, or any shorter period required by applicable law (Canadian requests will be handled within the timelines set by Canadian law).
Territorial Exclusion (Reference)
As noted at the beginning of this policy, we do not currently offer our services in certain jurisdictions. For the up-to-date list and rationale, please see: https://www.morphcast.com/legal-territorial-exclusion/.
· Children’s Privacy
Our Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please submit a request using the methods listed in the Contact Us section below and we will promptly take steps to delete the information.
By default, our emotion AI runs on-device (in the user’s browser/app). Face images/video and biometric identifiers are not transmitted to MorphCast servers for analysis. We do not sell or share minors’ personal information for cross-context behavioral advertising.
Where local law sets a specific age of consent for online services (typically 13–16), we apply the applicable threshold in that jurisdiction. If an organization enables account-based or optional cloud features for users who are minors and those features involve transferring personal information to our systems, that organization is responsible for obtaining verifiable parental consent and providing any required notices. In such cases, MorphCast processes the data as a Service Provider/Processor under our DPA and only on documented instructions.
If we learn that we have collected personal information from a child without the required consent, we will delete or de-identify that information and, if applicable, disable the relevant account or feature.
· Contact Us
Email: privacy@morphcast.com
Postal: MorphCast Inc., 835 Fifth Avenue, San Rafael, CA 94901, USA
We aim to respond within 45 days (CPRA) or within any shorter period required by applicable law.
· Changes to This Policy
We may update this Policy from time to time. Material changes will be announced via a prominent notice on our website or by email where appropriate. The “Last update” date at the top indicates when revisions became effective.