Privacy Policy

Effective date: May 11, 2025 • Last updated: Nov 11, 2025

This Privacy Policy explains how Morphik, Inc. (“Morphik”, “we”, “us”, or “our”) collects, uses, and shares information when you:

  • Visit our websites (including www.morphik.ai)
  • Use Morphik Cloud and related applications (the “Hosted Services”)
  • Use our APIs, SDKs, or integrations
  • Interact with us in the usual course of business (sales, support, events, etc.)

It also describes your choices and privacy rights.

Important: When our customers upload documents or connect sources to Morphik, we generally process that information as a service provider / processor under our contract and data protection addendum (if any). In those cases, this Privacy Policy describes our general practices, but the contract with your organization controls if there is any conflict.

1. Scope and Roles

Services covered

This Privacy Policy applies to:

  • Our websites, marketing pages, and documentation
  • Morphik Cloud (hosted SaaS)
  • Our APIs, SDKs, and developer tools that link to this Policy
  • Our customer support, sales, and business operations

Self-hosted / on-premise deployments

If you or your organization run self-hosted Morphik or a dedicated/on-premise deployment, the handling of data (including logs, telemetry and configuration) is primarily governed by the contract between Morphik and your organization.

This Privacy Policy applies only to the limited personal information that Morphik processes directly (for example, if we administer a support portal or management plane). For everything else, your organization’s own privacy and security policies apply.

Controller vs. processor

  • For website visitors, marketing contacts, and account admins, Morphik is generally the data controller (or equivalent under applicable law).
  • For Customer Data (documents, knowledge bases, blueprints, files, and connected sources that your organization ingests into Morphik), Morphik generally acts as a processor / service provider and only processes that data according to the contract with your organization.

If you use Morphik through your employer or another organization, that organization controls how your information is used, and you should direct any specific privacy questions to them.

2. Information We Collect

We collect three main categories of information:

  1. Information you provide directly
  2. Information collected automatically
  3. Information we process on behalf of customers (“Customer Data”)

2.1 Information you provide

When you interact with Morphik, you may provide:

  • Account information

    • Email address
    • Password (if you sign up with email and password)
    • Name and, optionally, company name or workspace name
    • If you sign in with a third-party identity provider (e.g., Google), we receive identity information from that provider so we can authenticate you.

  • Business contact information

    • Email, name, company, role, and any information you submit via forms (demo requests, waitlists, contact forms, etc.)

  • Support and communication content

    • Messages you send us (support tickets, Slack/Discord messages, emails)
    • Feedback, survey responses, or other information you choose to share

  • Billing information

    • For hosted plans, payment processing is handled by Stripe or another payment provider.
    • We do not store your full payment card number; it is processed and stored by our payment processor on our behalf.
    • For enterprise or self-hosted deployments, billing terms and payment details are governed by your contract with us.

2.2 Information collected automatically

When you use our websites or Hosted Services, we and our service providers may automatically collect certain information, such as:

  • Usage and log data

    • Pages viewed, features used, timestamps, referring URLs
    • Basic actions, such as when you upload a document, create a knowledge base, or run a search

  • Device and technical data

    • IP address
    • Browser type and version
    • Operating system and device type

We use analytics tools (such as product analytics software) to understand how people use Morphik so we can maintain, secure, and improve our Services.

2.3 Customer Data (documents and connected sources)

Customers use Morphik to ingest and analyze various content (“Customer Data”), which may include:

  • Documents and files (e.g., PDFs, blueprints, technical manuals, contracts, etc.)
  • Data from third-party sources you choose to connect (e.g., Google Drive or other storage providers)
  • Metadata about your knowledge bases or workspaces
  • Queries / prompts and interactions with the system

Customer Data is owned and controlled by our customers. We process Customer Data only:

  • As described in this Policy, and
  • As permitted by the applicable contract and data protection terms with your organization.

We do not use Customer Data to train generalized or public models, unless a specific contract with your organization explicitly allows that.

3. How We Use Information

We use personal information (excluding Customer Data) for the following purposes:

3.1 To provide and maintain the Services

  • Create and manage user accounts and workspaces
  • Authenticate users and secure access
  • Provide core features of Morphik Cloud and our APIs
  • Process payments for hosted plans via our payment provider
  • Provide customer support, troubleshooting, and technical assistance

3.2 To operate on Customer Data

Subject to our contract with your organization, we process Customer Data to:

  • Ingest, index, embed, and store the content you connect or upload
  • Run queries, search, retrieval, and analysis
  • Execute AI/LLM calls based on your configuration
  • Provide workspace-level features (evals, monitoring, optimization, etc.)

Morphik engineers may access Customer Data only when a customer explicitly asks us to, for example:

  • Investigating a support ticket
  • Debugging a specific issue in your workspace
  • Providing implementation or configuration assistance

Access is limited, logged, and restricted to personnel who need it to provide the requested assistance.

3.3 To improve and secure the Services

We may use aggregated or de-identified information derived from usage and Customer Data to:

  • Monitor system performance and reliability
  • Detect, prevent, and investigate abuse, fraud, and security incidents
  • Improve search quality, retrieval performance, and product usability
  • Develop new features and functionality

When we say “aggregated” or “de-identified,” we mean data that does not identify you or your organization and does not reveal the content of specific documents or queries.

3.4 Sales, marketing, and communications

We may use your contact and usage information to:

  • Respond to demo and contact requests
  • Send product updates, onboarding materials, and educational content
  • Send marketing or event communications about Morphik, in line with your preferences
  • Conduct surveys or request feedback

You can opt out of marketing emails at any time by using the unsubscribe link in the email or by contacting us at privacy@morphik.ai. We may still send you non-marketing communications (e.g., security notices, billing updates, or service announcements).

3.5 Legal, compliance, and protection

We may use information as necessary to:

  • Comply with applicable laws, regulations, and legal processes
  • Respond to lawful requests (subpoenas, warrants, court orders)
  • Enforce our agreements, including billing and collection
  • Protect the rights, privacy, safety, or property of Morphik, our customers, or the public

4. How We Share Information

We do not sell personal information. We share information in the following contexts:

  1. Service providers / subprocessors: We use trusted vendors to help operate our Services (hosting, storage, analytics, communications, billing). They may access personal information only to provide services on our behalf and must protect it appropriately.
  2. Business operations: We share information with legal, financial, auditors, and advisors as needed to operate our business.
  3. Legal compliance: We may disclose information if required to comply with applicable law or to respond to lawful requests.
  4. Business transfers: If Morphik is involved in a merger, acquisition, or sale, we may transfer information as part of that transaction.

Customer Data is shared according to the customer’s configuration and instructions (for example, with third-party connectors or APIs you enable).

5. International Data Transfers

Morphik is based in the United States. If you access our Services from the EU/EEA, UK, or other regions with different laws, we transfer personal information according to applicable legal safeguards (such as standard contractual clauses or similar arrangements).

6. Data Retention

  • We retain Account Data and business contact records as long as needed to provide the Services and support.
  • Customer Data retention follows the customer’s configuration and contract. Customers can delete their data at any time or request assistance.
  • We may retain certain logs or records for a longer period for legal, security, or compliance purposes.

7. Security

We implement technical and organizational measures designed to protect personal information. These include:

  • Encryption in transit and at rest
  • Access controls and least-privilege policies
  • Monitoring, logging, and anomaly detection
  • Secure software development and code review practices
  • Employee training and confidentiality agreements

No system is fully secure, so please contact us at security@morphik.ai if you suspect a security issue.

8. Your Rights and Choices

Depending on where you live, you may have rights to:

  • Access, correct, or delete personal information
  • Object to or restrict certain processing
  • Receive a copy (portability) of information in a usable format
  • Opt out of marketing communications

To exercise these rights, contact privacy@morphik.ai. We will verify your request and respond according to applicable law. If you use Morphik through an organization, please direct requests to your administrator first.

9. Children's Data

Morphik is not intended for children under 13 (or the age required by local law). We do not knowingly collect personal information from children without parental consent. If you believe a child has provided us with personal information, please contact us so we can delete it.

10. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will:

  • Update the “Last updated” date at the top of the Policy
  • Post the revised version on our website or within the Services

If we make material changes, we may also provide additional notice (for example, via email or in-product notifications).

11. Contact Us

If you have questions or concerns about this Privacy Policy or Morphik’s privacy practices, you can contact us at:

Email: privacy@morphik.ai

Mail:

Morphik, Inc.
548 Market St #17540
San Francisco, CA 94104
United States