GDPR Compliance Documentation
1. Data Controller Information
Morphedby.AI acts as the data controller for your personal information:
- Company Name: Morphedby.AI
- Data Protection Officer Email: [email protected]
- Contact for Data Requests: [email protected]
2. Legal Basis for Processing
We process your data under the following legal bases as defined in GDPR Article 6:
- Contract (Art. 6(1)(b)): Processing necessary for our service contract
- Consent (Art. 6(1)(a)): Processing based on your explicit consent
- Legal Obligation (Art. 6(1)(c)): Processing required by law
- Legitimate Interests (Art. 6(1)(f)): Processing for our legitimate business interests
3. Data Processing Activities
3.1 Image Processing
- Purpose: Transformation of user-uploaded images using AI
- Duration: Original images deleted within 24 hours; transformed images stored for 30 days maximum
- Processing location: EU-based servers with appropriate safeguards
3.2 Account Management
- Purpose: User authentication and service provision
- Duration: Account active period plus 30 days after deletion
- Data categories: Email, account preferences, login history
3.3 Payment Processing
- Purpose: Processing payments for credits
- Duration: 7 years (legal requirement)
- Processor: Stripe (with appropriate data processing agreement)
4. Your Rights Under GDPR
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Obtain a copy of your personal data | Email [email protected] |
| Rectification (Art. 16) | Correct inaccurate personal data | Account settings or email support |
| Erasure (Art. 17) | Request deletion of your data | Account deletion option or email |
| Portability (Art. 20) | Receive your data in a structured format | Request via [email protected] |
| Object (Art. 21) | Object to certain processing | Email with specific objection |
5. Data Retention Periods
- Original Images: 24 hours maximum
- Transformed Images: 30 days
- Account Data: Duration of account plus 30 days
- Payment Records: 7 years (legal requirement)
- Login History: 90 days
- Usage Logs: 30 days
6. International Data Transfers
When we transfer your data outside the EEA, we ensure appropriate safeguards through:
- EU Standard Contractual Clauses
- Privacy Shield certification (where applicable)
- Adequacy decisions by the European Commission
7. Technical and Organizational Measures
- End-to-end encryption for data transmission
- Regular security audits and penetration testing
- Access control and authentication mechanisms
- Employee training on data protection
- Incident response procedures
8. Cookie Policy
8.1 Essential Cookies
- Session management
- Security features
- Basic service functionality
8.2 Optional Cookies (Require Consent)
- Analytics
- Performance monitoring
- Feature preferences
9. Data Breach Procedures
In case of a data breach that risks your rights and freedoms:
- We will notify supervisory authorities within 72 hours
- Affected users will be informed without undue delay
- Incident response team will implement mitigation measures
10. Contact Information
For any GDPR-related inquiries or to exercise your rights:
- Email: [email protected]
- Data Protection Officer: [email protected]
- Response Time: Within 30 days maximum
11. Updates to This Documentation
This GDPR documentation is regularly reviewed and updated. Major changes will be communicated via:
- Email notification
- Website announcement
- In-app notification
Last updated: February 06, 2025