Morfo Confidential
Legal · Privacy

Privacy Policy

How Morfo collects, uses, and protects personal data when you visit morfoai.com, join the waitlist, or sign in for investor access.

EffectiveMay 26, 2026
Last updatedMay 26, 2026

Morfo Labs ("Morfo", "we", "us") respects your privacy. This page explains what data we collect on the morfoai.com marketing site and the investor preview, why we collect it, how long we keep it, and the rights you have over it. The Morfo iOS application has its own in-app privacy notice; this policy covers the website only.

01 Who we are

Morfo Labs is the data controller for personal data collected on morfoai.com. You can reach us at hello@morfoai.com with any privacy question or request.

02 What we collect

We only collect data you give us, plus the minimum the site needs to function:

Waitlist signups (home page, footer, stealth gate)
The email address you submit, the form it came from (hero / footer / gate), your IP address, and your browser user-agent. Used to contact you about the iOS beta and to rate-limit abuse.
Investor sign-in (LinkedIn)
When you sign in via LinkedIn OAuth we receive your first and last name, email, LinkedIn profile identifier (sub), and a session token we issue ourselves. The token is stored in an HttpOnly cookie named morfo-investor-session and is used to authenticate you on /investors.
Investor page visits
Each time you load the investor preview while signed in, we log your LinkedIn identifier, full name, email, and visit timestamp so we know who has reviewed the materials. No content of the page is logged.
Local browser state
The home page stores a flag named morfo-unlocked in localStorage after you submit the stealth-gate form so you don't have to enter your email again on the same browser. This stays on your device and isn't shared with us.
Infrastructure logs
Our hosting provider (Cloudflare) writes short-lived edge logs that include IP, request path, and response status. We use them for security, abuse prevention, and debugging.

We do not buy data about you, run third-party advertising trackers, run analytics scripts (no Google Analytics, no Facebook Pixel), or sell or rent any personal data.

03 Why we use it (legal basis)

  • To deliver the service you asked for — sending you waitlist updates, letting you into the investor preview, following up after a call.
  • Our legitimate interest in protecting the site from abuse (rate limits, security logs).
  • Your consent for the optional "follow Morfo on LinkedIn" action on the investor sign-in page.
  • Legal obligation where we have to respond to valid legal process.

04 Cookies & local storage

We use the minimum number of cookies needed to run the site. None are used for advertising.

NameTypePurposeLifetime
morfo-investor-sessionCookieKeeps you signed in to the investor preview.30 days
oauth_stateCookieProtects the LinkedIn sign-in flow from CSRF.10 minutes
follow_intentCookieRemembers whether you ticked "follow on LinkedIn".10 minutes
morfo-unlockedlocalStorageHides the stealth gate after you've submitted the form once.Until you clear it

05 Who else can see it

We share personal data only with the infrastructure providers that help us run the site:

  • Cloudflare — hosting, edge serving, and the D1 database where waitlist signups and investor visits are stored.
  • LinkedIn — only for the investor sign-in flow (OAuth 2.0 / OpenID Connect). LinkedIn's own privacy policy applies to the data they hold about you.

We do not transfer personal data to anyone else except where required by law.

06 How long we keep it

  • Waitlist emails — until you ask us to delete them, or until two years after our last contact with you, whichever is sooner.
  • Investor identity + visit logs — for as long as we're actively talking with you, plus up to two years after for follow-up. You can ask us to delete them sooner.
  • Edge / security logs — short-lived, typically under 30 days.
  • Session & OAuth cookies — see the lifetimes listed above.

07 Your rights

Wherever you live, you can ask us to access, correct, export, or delete the personal data we hold about you. If you're in the EU, UK, EEA, or California you also have the right to object to or restrict processing, withdraw consent, and lodge a complaint with your local data-protection regulator.

To make a request, email hello@morfoai.com. We'll reply within 30 days. We may need to confirm your identity before acting on a request.

08 Security

We use HTTPS everywhere, HttpOnly cookies for the investor session, short-lived OAuth state cookies, server-side rate limiting on form endpoints, and Cloudflare's edge protections. No system is perfectly secure, so if you believe your account or data is at risk please email security@morfoai.com.

09 Children

morfoai.com is not directed at children under 16 and we do not knowingly collect personal data from them. If you believe a child has submitted personal data to us, email hello@morfoai.com and we will delete it.

10 Changes to this policy

We'll update this page when our practices change. The "Last updated" date at the top of the page tracks the most recent substantive revision. For material changes that affect existing users we'll reach out by email before they take effect.

11 Contact

General privacy questions: hello@morfoai.com
Security disclosures: security@morfoai.com