    Privacy Policy

    Effective Date: March 1, 2026 · Last Updated: March 6, 2026

    1. Introduction

    MorphID.ai ("MorphID," "we," "us," or "our") operates a forensic face transformation and identity simulation platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, create an account, or use our Services.

    By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.

    2. Information We Collect

    2.1 Account Information

    When you register, we collect your name, email address, and password (hashed). If you upgrade to a paid plan, payment processing is handled by our third-party payment processor; we do not store credit card numbers or full payment details on our servers.

    2.2 Biometric Data & Uploaded Images

    Our Service processes facial images that you upload. This processing generates biometric data, including facial geometry measurements, landmark coordinates, estimated age, gender classification, and other facial feature descriptors. Under laws such as the Illinois Biometric Information Privacy Act (BIPA), the California Consumer Privacy Act (CCPA/CPRA), and the EU General Data Protection Regulation (GDPR), this data may be classified as "sensitive personal information" or "special category data."

    • Consent: By uploading an image and initiating analysis, you provide explicit, informed consent to the collection and processing of biometric data derived from that image.
    • Purpose Limitation: Biometric data is processed solely to generate facial transformations, identity simulations, and forensic analysis as requested by you.
    • No Sale of Biometric Data: We will never sell, lease, trade, or otherwise profit from your biometric data.

    2.3 Generated Content

    AI-generated transformation images, timeline sequences, forensic reports, and related outputs created through the Service are stored in your account for your use. These are retained until you delete them or your account is terminated.

    2.4 Usage & Technical Data

    We automatically collect device information (browser type, operating system), IP addresses, access timestamps, pages visited, feature usage patterns, and error logs. This data is used for security, performance optimization, and analytics.

    2.5 Cookies & Tracking

    We use essential cookies for session management and authentication. We may use analytics cookies to understand Service usage. You can control cookie preferences through your browser settings.

    3. How We Use Your Information

    • To provide, operate, and maintain the Service
    • To process facial images and generate identity transformations as requested
    • To create and manage your account
    • To process payments and manage subscriptions
    • To communicate with you regarding updates, security alerts, and support
    • To detect, prevent, and address fraud and abuse
    • To comply with legal obligations and law enforcement requests
    • To improve and personalize the Service through aggregated, de-identified analytics

    4. Data Retention & Deletion

    4.1 Uploaded Images

    Original uploaded images are retained only for as long as necessary to process your requested transformations. You may delete uploaded images and associated case files at any time from your dashboard. Once deleted, images are purged from our servers within 30 days, including from backups.

    4.2 Biometric Data

    Facial analysis metadata (age, gender, facial landmarks) is retained alongside your case data to enable ongoing investigation features. This data is permanently deleted when you delete the associated case or your account.

    4.3 Account Data

    Upon account deletion, all personal data, cases, transformations, and associated biometric data are permanently deleted within 30 days. We may retain anonymized, aggregated analytics data that cannot be linked back to you.

    4.4 Biometric Retention Schedule (BIPA Compliance)

    In compliance with the Illinois Biometric Information Privacy Act, we maintain a publicly available retention schedule: biometric data is destroyed when (a) the initial purpose for collecting the data has been satisfied, or (b) within 3 years of the individual's last interaction with the Service, whichever occurs first.

    5. Data Sharing & Disclosure

    We do not sell your personal information, including biometric data, to third parties. We may share information in the following limited circumstances:

    • Service Providers: Cloud infrastructure providers, AI model providers, and payment processors who assist in operating the Service, bound by strict data processing agreements.
    • Legal Requirements: When required by law, subpoena, court order, or governmental regulation, or when we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.
    • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. You will be notified in advance of any such change.
    • With Your Consent: We may share data with third parties when you explicitly authorize us to do so.

    6. Data Security

    We implement industry-standard security measures to protect your data, including:

    • Encryption in transit (TLS 1.2+) and at rest (AES-256)
    • Row-level security (RLS) ensuring users can only access their own data
    • Hashed and salted password storage
    • Regular security audits and vulnerability assessments
    • Access controls and authentication for all API endpoints
    • Isolated storage buckets with access policies per user

    While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

    7. Your Rights

    7.1 General Rights

    Depending on your jurisdiction, you may have the right to:

    • Access the personal data we hold about you
    • Rectify inaccurate or incomplete data
    • Delete your personal data ("right to be forgotten")
    • Restrict processing of your data
    • Port your data to another service in a machine-readable format
    • Object to processing based on legitimate interests
    • Withdraw consent at any time without affecting prior lawful processing

    7.2 GDPR (European Economic Area)

    If you are an EEA resident, we process your data under lawful bases including consent, contract performance, and legitimate interests. You have the right to lodge a complaint with your local supervisory authority. Our legal basis for processing biometric data is your explicit consent (Article 9(2)(a) GDPR).

    7.3 CCPA / CPRA (California)

    California residents have the right to know what personal information is collected, request deletion, opt out of the sale of personal information (we do not sell your data), and not be discriminated against for exercising these rights. To exercise your rights, contact us at the address below.

    7.4 BIPA (Illinois)

    In compliance with the Illinois Biometric Information Privacy Act: we provide written notice before collecting biometric data; we obtain your informed written consent; we maintain a publicly available data retention policy (see Section 4.4); we do not sell, trade, or profit from biometric data; and we store and transmit biometric data using reasonable security measures.

    8. International Data Transfers

    Your data may be transferred to and processed in countries other than your country of residence. When transferring data internationally, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms, to ensure adequate protection of your data.

    9. Children's Privacy

    The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If we discover that a minor has provided us with personal data, we will promptly delete it. If you believe a minor has provided us with personal information, please contact us immediately.

    10. Third-Party AI Processing

    Our Service utilizes third-party AI models (including models from Google and OpenAI) to perform facial analysis and generate transformations. Images and prompts sent to these providers are subject to their respective privacy policies and data processing agreements. We ensure that:

    • Data is transmitted securely via encrypted channels
    • We use API-level access with data processing agreements that prohibit provider retention of input data for model training
    • No biometric templates are permanently stored by AI providers

    11. Changes to This Policy

    We reserve the right to update this Privacy Policy at any time. Material changes will be communicated via email notification and/or a prominent notice on the Service at least 30 days prior to the changes taking effect. Continued use of the Service after such changes constitutes acceptance of the updated policy.

    12. Contact Us

    If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, please contact us:

    MorphID.ai — Privacy Team

    Email: privacy@morphid.ai

    Data Protection Officer: dpo@morphid.ai