Privacy Policy

Last updated: April 6, 2026

1. Controller

MORPH AI is operated by MORPH s.r.o. (společnost s ručením omezeným), a company registered in the Czech Republic (hereinafter "MORPH", "we", "us", or "our"). MORPH provides marketing services and an AI-powered Platform to marketing agencies and advertisers, encompassing campaign management, lead processing, analytics, and business operations.

Contact details for data protection matters:

Email: info@morph.cz
Company: MORPH s.r.o. (IČO: 10664548)
Registered office: Klatovská tř. 1460/83, 301 00 Plzeň, Czech Republic
Website: morphgrowth.com
Data Protection Officer: Reachable at info@morph.cz

2. Scope

This Privacy Policy applies to all personal data processed by MORPH in connection with:

The website at morphgrowth.com, morphscaling.com the Platform morphai.dev or any of their subdomains.
Use of the MORPH AI Platform by registered users
Personal data received through Facebook or Instagram Lead Ads managed by our clients
Any other interaction with MORPH

This policy supplements the terms of the applicable service agreement between MORPH and the client. In the event of conflict, this Privacy Policy shall prevail with respect to the processing of personal data.

3. Data We Collect

3.1 Account Data and Platform Data

The following personal data is collected for registered users of the Platform:

Name and email address
Company or agency name
Connected advertising account identifiers (e.g. Meta Ad Account IDs, Facebook Page IDs)

Authentication is performed via email-based verification. No passwords are stored. Provision of account data is a contractual requirement necessary to use the MORPH AI platform. Failure to provide this data will prevent account creation and access to the platform.

When a client connects their Meta account via Facebook Login for Business, we additionally receive:

Profile information associated with the connected account (user ID, name, email)
Information about the Facebook Pages the user manages
Ad account and campaign performance data (including spend, impressions, clicks, and conversions)

The following data is also collected automatically during use of the Platform: IP address, browser type, device information, pages visited, features used, and timestamps. For information on cookies and similar technologies, see Section 8.

3.2 Lead Data

We receive personal data via the Meta Marketing API on behalf of our clients. This data is not collected directly from end users - it originates from submissions made on Facebook or Instagram and is received indirectly from Meta Platforms, Inc. The categories of data received are:

Contact information submitted by the end user (which may include name, email address, phone number, and any additional fields configured on the lead form by the advertiser)
Lead and campaign metadata (lead identifier, form identifier, ad identifier, page identifier, submission timestamp)

MORPH processes this data as a data processor on behalf of the client (the advertising agency or their end-client), who is the data controller. The data controller determines the purposes and means of processing. Lead data shall be used only for the purpose declared in the campaign in which it was collected and shall not be repurposed without new consent. The data processing relationship is governed by our Terms of Service and this Privacy Policy, which together constitute a binding agreement within the meaning of GDPR Article 28. If you require a separately executed Data Processing Agreement, contact us at info@morph.cz.

3.3 Communication Data

Where a phone number is provided through booking forms or other intake processes, MORPH may collect and process that phone number along with records of communications exchanged between the user and MORPH, including via email, phone, and SMS.

By providing a phone number and consenting to receive SMS messages, the user agrees to receive text messages related to scheduled appointments and services provided by MORPH. These messages may include appointment confirmations, reminders, rescheduling or cancellation notifications, and follow-up communications. Message frequency varies based on user interactions. The user may opt out at any time by replying STOP to any message. To resume messages, reply START. For assistance, reply HELP or contact info@morph.cz. Message and data rates may apply depending on the user's mobile carrier. Phone numbers will not be used for marketing purposes unrelated to the services engaged, unless separate explicit consent is provided. Provision of a phone number is voluntary and is not a requirement for using the Platform or engaging MORPH's services. If a phone number is not provided, appointment-related SMS communications will not be sent, but all other services remain unaffected.

4. Purposes and Legal Basis for Processing

MORPH is the data controller for account and platform data, and a data processor for lead data and campaign data. As a data processor, MORPH processes data on behalf of and under the instructions of the client. The client, as data controller, bears responsibility for establishing the legal basis for lead data collection and for downstream use of such data.

Purpose	Data used	Legal basis
Operate the MORPH AI platform	Account data, platform data	Performance of contract - Art. 6(1)(b)
Display campaign analytics and dashboards	Ad account data, campaign metrics	Performance of contract - Art. 6(1)(b)
Route lead form submissions to client-configured destinations	Lead data received via Meta API	Performance of contract - Art. 6(1)(b). Processed as data processor under the controller's legal basis
Transmit conversion events to Meta (Conversions API)	Hashed lead data, lead status updates	Legitimate interest - Art. 6(1)(f): optimizing campaign performance and measuring ad spend effectiveness. Performed on the client's instruction. This interest is not overridden by the data subjects' rights, given that the data transmitted is hashed and used for aggregate campaign measurement.
AI-powered campaign analysis and recommendations	Campaign data, performance metrics, user-submitted queries	Performance of contract - Art. 6(1)(b)

5. Data Sharing

Personal data is disclosed only in the following circumstances:

To the client: Lead data and campaign analytics are made available through the platform and routed to destinations configured by the client.
To Meta: Hashed or aggregated conversion event data may be transmitted to Meta via the Conversions API for campaign attribution and optimization, in accordance with Meta's Platform Terms.
Service providers: Data is processed on behalf of MORPH by third-party providers in the categories of application hosting, database infrastructure, AI processing, workflow automation, telephony and SMS delivery, and integration services. These providers operate under data processing agreements. A current list of sub-processors is available upon request.
Legal requirements: Personal data may be disclosed where required by applicable law, regulation, legal process, or binding governmental request.
Business transfers: In the event of a merger, acquisition, reorganization, or sale of all or substantially all of MORPH's assets, personal data held by MORPH may be among the assets transferred to the acquiring entity. Data subjects will be notified in advance where feasible, and the acquiring entity will be required to process personal data in accordance with this Privacy Policy or to obtain new consent where required by applicable law.

6. Data Retention

Personal data is retained only for as long as necessary to fulfill the purposes described in this policy, or as required by law. Specific retention periods are as follows:

Account data: Retained for the duration of the business relationship. Deleted within 30 days of account closure, except where retention is required by law (e.g. invoicing records under Czech statutory requirements).
Campaign and platform data: Retained for the duration of the active Meta connection. Deleted within 30 days of disconnection.
Lead data: Retained for up to 90 days after delivery to the configured destination, to enable delivery verification, error resolution, and conversion event processing. A different retention period may be agreed. Immediate deletion may be requested at any time.
Usage and technical data: Retained for up to 24 months for platform security and fraud prevention purposes. Data used solely for analytics purposes is anonymized within 12 months. Upon expiry of the applicable retention period, data is deleted or anonymized.

7. Data Subject Rights and Deletion

You have the following rights with respect to your personal data under the GDPR

Access (Art. 15): Obtain a copy of personal data held.
Rectification (Art. 16): Correct inaccurate personal data.
Erasure (Art. 17): Request deletion of personal data.
Restriction (Art. 18): Restrict processing of personal data.
Portability (Art. 20): Receive personal data in a structured, machine-readable format.
Objection (Art. 21): Object to processing based on legitimate interests.
Withdrawal of consent: Where processing is based on consent, consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal. Withdrawal may result in reduced platform functionality.
Exercising any of the above rights will not result in any disadvantage to the data subject.

To exercise any of these rights, contact info@morph.cz. Requests are processed without undue delay and within one month of receipt.

Deletion of data may also be initiated through the following self-service actions:

Disconnect Meta account within the MORPH AI platform - revokes access and initiates deletion of all associated platform data within 30 days.
Remove MORPH AI from Facebook Business Integrations settings - revokes access at the Meta platform level.

Upon receipt of a deletion request from Meta (e.g. when a user removes the application), all associated data is deleted within 30 days, except where retention is required by law.

End users: End users who submitted information through a Facebook or Instagram Lead Ad should direct requests to the advertiser (data controller). Requests received at info@morph.cz are forwarded to the relevant client.

Data subjects have the right to lodge a complaint with a supervisory authority. In the Czech Republic: Office for Personal Data Protection (ÚOOÚ).

8. Cookies and Tracking Technologies

The Platform uses cookies and similar technologies for the following purposes:

Essential cookies: Required for Platform functionality, authentication, and security.
Analytics cookies: Used to monitor Platform usage and improve services.
Advertising and tracking cookies: Used to deliver relevant advertisements, measure ad performance, and track user interactions across sessions.

Cookie preferences may be managed through browser settings.

9. Third-Party Links

The Platform and website may contain links to websites or services operated by third parties. MORPH does not control and is not responsible for the privacy practices of such external sites. Users are advised to review the applicable privacy policy of any third-party website before providing personal data.

10. Data Security

MORPH implements appropriate technical and organizational measures to protect personal data in accordance with Art. 32 GDPR, including:

Encryption of data in transit (TLS/HTTPS) and at rest
Role-based access controls
Regular review of security practices
Segregation of client data

MORPH will notify the relevant supervisory authority within 72 hours as required by Art. 33 GDPR, notify affected data controllers without undue delay, and where the breach is likely to result in a high risk to the rights and freedoms of individuals, notify affected data subjects in accordance with Art. 34 GDPR.

11. International Data Transfers

The provision of our services involves the transfer of personal data to the United States. These transfers are protected by appropriate safeguards as required by Chapter V of the GDPR, including:

Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR, incorporated into data processing agreements with the relevant providers
The EU-US Data Privacy Framework adequacy decision, where applicable

A copy of the relevant safeguard documentation may be obtained by contacting info@morph.cz.

12. Meta Platform Data

Under the Meta Platform Terms, MORPH operates as a Tech Provider. All Meta Platform Data is processed in compliance with the Meta Platform Terms and Developer Policies. Nothing in this Privacy Policy supersedes, modifies, or is inconsistent with the Meta Platform Terms or any other applicable Meta terms and policies.

Only permissions necessary for the stated functionality of the Platform are requested and used.
Meta Platform Data is not sold, licensed, or transferred to data brokers, ad networks, or any third party not directly involved in providing services.
Meta Platform data is not used to discriminate against or target individuals based on race, ethnicity, religion, sexual orientation, or other protected characteristics.
User profiles are not built or augmented using Meta Platform Data without valid user consent.
Meta Platform Data maintained on behalf of one Client is kept separately from that of other clients.
Clients are promptly notified of any communication from Meta concerning a user's request regarding the processing of their Platform Data, including data subject rights requests.
Users may revoke access at any time by disconnecting their account within the MORPH AI Platform or by removing the application from their Facebook Business Integrations settings.
Upon revocation or deletion request, all associated Meta Platform Data is deleted within 30 days, except where retention is required by law.
Security incidents involving Meta Platform Data are reported to Meta using the designated incident reporting process and remediation is initiated immediately.
This policy is accessible via HTTPS, is not geo-blocked, and is crawlable by Meta's automated systems.

13. Changes to This Policy

This Privacy Policy may be updated to reflect changes in our practices, services, or legal requirements. In the event of material changes:

The "Last updated" date at the top of this page will be revised.
Registered users will be notified by email or through a notice in the Platform.
Where required by law, consent will be obtained before changes take effect.