Privacy Policy

Morpheous (“Morpheous,” “we,” “us,” or “our”) operates the Morpheous platform at app.morpheous.cloud, an AI-driven landing page builder. This policy explains what personal information we collect from people who sign up to use Morpheous(our “Customers”), and from end-users who visit pages our Customers publish using Morpheous(“Visitors”).

• We collect what we need to run Morpheous and nothing more.
• We do not sell or rent your personal information.
• We do not use your content to train external AI models.
• Visitor analytics on Customer-published pages are anonymous — no names, emails, or full IP addresses are stored.
• Send privacy or data-rights requests to rossifilms@gmail.com.

This policy describes how we handle personal information for two groups:

• Customers — individuals who create an account on Morpheous to build, publish, and analyze landing pages.
• Visitors — end-users who visit a landing page that a Customer has published using Morpheous.

For Customer-published pages, the Customer is the data controller for any personal information collected by their own forms, integrations, or scripts.Morpheous acts as a data processor for those Customers and provides only anonymous behavioral analytics described below.

3.1 Account information

• Email address (required for sign-up and login).
• Password, stored as a salted hash by our authentication provider (Supabase). We never see your plaintext password.
• Account preferences and onboarding state.

3.2 Content you create

• Landing pages, sites, popups, products, and media you upload.
• Custom domain configuration (DNS records, domain names).
• Chat-edit messages and prompts you send to the builder.
• Adaptive video projects, scripts, and uploaded video assets.

3.3 Billing information

• Stripe Customer ID, subscription status (trialing, active, past_due, canceled), plan tier, and current billing period end date.
• Credit card numbers and full payment details are collected and stored by Stripe, not by us. Stripe is PCI-DSS Level 1 certified. We never see or store your card number, CVV, or expiration date.

3.4 Service usage data

• AI usage logs: model name, input/output token counts, cost, purpose (chat-edit, image-generation, etc.), and the user ID making the call. Used for quota enforcement and billing transparency.
• Server logs from our hosting provider (Vercel) containing request URLs, timestamps, response codes, and IP address for security and abuse prevention. Vercel retains these logs per its own policy.
• Authentication session cookies (see Section 7).

3.5 Support correspondence

• Anything you send through Contact Support or Submit a Bug — including the URL you were on, your email, and the message body. Routed via SendGrid to our support inbox.

3.6 Third-party integration data

• If you connect GoHighLevel (GHL), we store OAuth access tokens and your GHL location ID so we can publish funnel pages on your behalf. We do not access or store your GHL contacts or CRM data.

Our analytics tracker runs on landing pages published by our Customers. It collects anonymous behavioral signals only:

4.1 Session and visitor identifiers

• m_sid — a random session identifier stored in sessionStorage, cleared when the browser tab closes.
• m_vid — a random visitor identifier stored in localStorage. Persistent until the Visitor clears browser storage. Not linked to any real-world identity.
• Device type (mobile, tablet, desktop), referrer URL, and UTM parameters from the page URL.
• Country code derived server-side from the Visitor’s IP address. The full IP address is not stored.

4.2 Behavioral events

• Pageviews, scroll depth, attention time per section, heartbeats.
• Clicks (target element text and screen coordinates), form submission events, conversion events.
• Rage-click and dead-click signals used to surface UX issues.

4.3 Visitor archetype classification

We classify anonymous visitors into behavioral archetypes (e.g. price-sensitive, comparison shopper, returning hesitator) using signals such as referrer, scroll velocity, click count, and visit count. This classification is stored in the Visitor’s own browser localStorage and used by the Customer to tailor on-page content. It is anonymous and not tied to any real-world identity.

4.4 Adaptive Video tracking

If a Customer uses our Adaptive Video feature, we log: anonymous session ID, which video sections the Visitor reached, completion percentage, and which video variant was shown. No identifying information is recorded.

4.5 What we never collect from Visitors

• Visitor names, email addresses, phone numbers, or postal addresses.
• Full IP addresses (only country code is derived).
• Login credentials or financial information.
• Information from any other site the Visitor has browsed.

Note for Customers: if you add your own forms, third-party scripts, or trackers (e.g. Meta Pixel, Google Analytics) to pages you publish with Morpheous, those tools collect data under your own privacy policy. You are the controller for that data; Morpheous is not responsible for collection performed by tools you embed.

We use the information described above for the following purposes:

• Deliver the service — generate AI content, render and host your pages, process payments, send transactional and support email, and produce the analytics you see in the dashboard.
• Secure the service — detect abuse, enforce rate limits, prevent fraud, and investigate violations of our Terms.
• Improve the service — aggregated, de-identified usage signals help us prioritize features and fix bugs.
• Comply with law — respond to subpoenas, court orders, and other legal process where required.

We do notuse your content or your Visitors’ behavior to train third-party AI models. Anthropic, Google, and other AI providers we use have committed in writing not to train on customer API data. See their published policies linked in Section 6.

We share personal information with the following service providers (“subprocessors”) only as needed to operate Morpheous. Each is bound by its own data processing terms and security obligations.

An up-to-date subprocessor list is available at any time on request to rossifilms@gmail.com. We will give Customers notice of new subprocessors before they begin processing your data when feasible.

We use a small number of cookies and local-storage entries. Categories:

7.1 Strictly necessary (always on)

• Supabase authentication session cookies (e.g. sb-*-auth-token) — required to keep you logged in.
• Cross-site request forgery (CSRF) tokens issued during login and signup flows.
• morpheous_consent_v1 — records your cookie-banner choice so we don’t prompt you again.

7.2 Functional (on by default; gated by your consent on first visit)

• Builder state cached in localStorage so the editor feels instant when you reload.
• Visitor-side archetype, visit count, and conversion flags (anonymous).

7.3 Analytics (anonymous)

• The m_sid and m_vid identifiers described in Section 4. Anonymous, not used to identify individuals.

You can adjust your cookie preferences at any time by clicking the “Cookie preferences” link in our footer or visiting our Cookie Policy. You can also block cookies in your browser settings; doing so may prevent core features from working.

• Account data — retained for as long as your account is active. After you delete your account, we delete or anonymize account data within thirty (30) days, subject to legal-hold exceptions (e.g. tax records).
• Content (pages, projects, media) — deleted on account deletion within 30 days. You can also delete individual pages or sites from the builder at any time.
• Visitor analytics events — automatically deleted after 90 days via a scheduled cleanup job.
• AI usage logs — retained for the duration of your subscription so you can audit your spend; deleted within 30 days after account closure.
• Billing records — retained for at least seven (7) years to comply with U.S. tax law.
• Support correspondence — retained for up to two (2) years for quality and dispute-resolution purposes.
• Server logs (Vercel)— retained per Vercel’s own retention policy, typically 30 days.

Subject to applicable law, you may have the following rights with respect to personal information about you:

• Access — request a copy of the personal information we hold about you.
• Correction — ask us to correct inaccurate or incomplete data.
• Deletion — request that we delete your account and associated personal information.
• Portability — receive a machine-readable copy of the personal information you provided.
• Objection / restriction — object to or restrict certain processing.
• Withdraw consent — where we rely on your consent, you may withdraw it at any time.
• Complain — lodge a complaint with your local data protection authority.

To exercise any of these rights, email rossifilms@gmail.com. We will verify your request by confirming you control the email address on your account, then respond within thirty (30) days (or such shorter period as applicable law requires). We will not discriminate against you for exercising any of these rights.

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you specific rights regarding your personal information.

10.1 Categories of personal information collected

In the past twelve (12) months we have collected the categories of personal information described in Sections 3 and 4 — namely identifiers (email, account ID, anonymous session/visitor IDs), commercial information (billing status, subscription history), internet or other electronic network activity information (server logs, behavioral analytics events), geolocation data (country code only), and the contents of communications you send us.

10.2 Sources

We collect this information directly from you, from your interactions with our service, and from our subprocessors (e.g. Stripe billing webhooks).

10.3 Business purposes

We use this information for the purposes described in Section 5: delivering the service, securing the service, improving the service, and complying with law.

10.4 Sale or sharing of personal information

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as those terms are defined under the CPRA. We have not done so in the past twelve (12) months.

10.5 Sensitive personal information

We do not collect or use sensitive personal information beyond what is needed to provide the service you requested (e.g. login credentials to authenticate you). You have the right to limit our use of sensitive personal information; in practice, the categories we collect are already strictly limited to what the service requires.

10.6 Your California rights

• Right to know what personal information we have collected.
• Right to delete personal information we have collected.
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing (n/a — we do neither).
• Right to limit use of sensitive personal information.
• Right to non-discrimination for exercising your rights.
• Right to designate an authorized agent to make requests on your behalf (we will require written authorization).

To exercise California rights, email rossifilms@gmail.com with subject line “California Privacy Request.”

11.1 Roles

For Customer account information, Morpheous is the controller. For information our Customers store about their Visitors using our service, Morpheous acts as the processor and the Customer is the controller.

11.2 Legal bases for processing

• Contract (Art. 6(1)(b)) — to deliver the service you signed up for.
• Legitimate interests (Art. 6(1)(f)) — to secure the service, prevent fraud, and improve Morpheous, balanced against your interests.
• Consent (Art. 6(1)(a)) — for non-essential cookies and optional integrations you opt into.
• Legal obligation (Art. 6(1)(c)) — to retain billing records, respond to lawful requests.

11.3 International transfers

Our service is hosted in the United States. When we transfer personal information from the EEA, UK, or Switzerland to the U.S. or other third countries, we rely on the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable) entered into with our subprocessors. Copies are available on request to rossifilms@gmail.com.

11.4 Your GDPR rights

In addition to the rights listed in Section 9, you have the right to lodge a complaint with your local supervisory authority. For the UK, that is the Information Commissioner’s Office (ICO).

11.5 Data Protection Officer

We have not appointed a formal Data Protection Officer because our scale does not require it under GDPR Art. 37. Privacy questions and requests should be sent to rossifilms@gmail.com.

11.6 Data Processing Agreement

Customers who require a Data Processing Agreement (DPA) for their own GDPR compliance may request one at rossifilms@gmail.com.

Morpheous is not directed at children under the age of thirteen (13), and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided personal information to us, please contact rossifilms@gmail.comand we will delete it promptly. This complies with the Children’s Online Privacy Protection Act (COPPA).

For users in the EEA / UK, our minimum age is sixteen (16) unless local law permits a lower age with parental consent.

We use the following safeguards to protect your information:

• TLS encryption for all data in transit.
• Encryption at rest for our Supabase database and storage buckets.
• Salted password hashing managed by Supabase Auth.
• Row-level security policies on every database table.
• Subscription-based and rate-limited access controls on AI and write endpoints.
• API keys and secrets stored as environment variables, never in source code or client bundles.

No system is unbreachable. If we discover a security incident affecting your personal information, we will notify you and (where applicable) supervisory authorities without undue delay and in any event within the timelines required by applicable law (e.g. 72 hours under GDPR).

Morpheous uses generative AI (Anthropic Claude, Google Gemini) to produce page content, copy, and images at your request. These outputs are generated each time you trigger them. Morpheous does not make automated decisions that produce legal or similarly significant effects about you without human involvement. You may review, edit, or discard any AI-generated content before publishing.

Many browsers send a “Do Not Track” or Global Privacy Control (GPC) signal. Because there is no consensus standard, we honor GPC signals from California residents as a request to opt out of sale or sharing — though as noted in Section 10.4 we do neither. We do not separately respond to legacy Do Not Track signals.

We may update this policy from time to time. Material changes will be announced in the Morpheousdashboard or by email at least seven (7) days before they take effect. The “Effective date” at the top of this page indicates when the current version became effective.

• Privacy questions, data-rights requests, and DPA requests: rossifilms@gmail.com
• General support: contact@morpheous.cloud
• Operating entity: Morpheous (sole proprietor / individual). Mailing address available on written request.