Privacy Policy

Last updated: April 12, 2026

This Privacy Policy explains how Manikandan G, operating as Ironmint (“we”, “us”, “Morph”), collects, uses, and shares personal data when you use Morph — the Framer plugin and web dashboard available at https://app.morph-app.com (the “Service”).

We are the controller for personal data we collect about you as a Morph customer. When you use Morph to personalize your own Framer site, you are the controller of the personal data of your visitors, and we act as your processor. That relationship is governed by our Data Processing Agreement.

1. Who we are

| Item | Value | |---|---| | Operator | Manikandan G, trading as Ironmint (individual, not a registered company) | | Address | Coimbatore, Tamil Nadu, India | | Country | India | | Contact | support@ironmint.studio |

If you are in the EU/EEA and have concerns we cannot resolve, you may contact your local data protection authority.

2. What data we collect

2.1 Data you give us when you sign up

• Email address
• Name (optional)
• Password (hashed — we never see the plaintext)
• Any information you enter into the dashboard (site names, rules, variant content)

2.2 Billing data

When you start a paid plan, our payment processor (Lemon Squeezy) collects your billing details — name, billing address, tax ID where required, and payment method. We receive from Lemon Squeezy only the subscription status, plan, and last-four of your card. We never see or store your full card number.

2.3 Data we collect automatically when you use the dashboard

• IP address and approximate location (country/region)
• Browser type, device type, operating system
• Pages viewed, features used, timestamps
• Error logs and crash diagnostics

This data is used to operate and secure the Service, detect abuse, and understand which features are used. We do not sell it or use it for advertising.

2.4 Data from your Framer site visitors (processed on your behalf)

When Morph is installed on your Framer site, it evaluates visitor context to decide which personalized variant to render. That context may include:

• Referrer URL and UTM parameters
• Device type and browser
• Approximate geolocation (country/region) derived from IP
• A first-party cookie used to detect return visits (opt-in, see Section 8)

We process this data only on your instructions and only to deliver the Service. We do not build visitor profiles, combine data across customers, or use it for any purpose other than serving your personalization rules. Details and safeguards are in the DPA.

3. How we use your data

We process your personal data for the following purposes:

| Purpose | Legal basis (GDPR) | |---|---| | Providing and maintaining the Service | Performance of a contract | | Taking payment and managing subscriptions | Performance of a contract | | Sending transactional emails (verification, receipts, trial & lifecycle notices) | Performance of a contract | | Providing customer support | Performance of a contract | | Product analytics and improvement | Legitimate interest | | Fraud prevention and security | Legitimate interest | | Compliance with legal obligations (tax, accounting) | Legal obligation | | Occasional product update emails (opt-out any time) | Legitimate interest |

We do not use your data for marketing by third parties. We do not sell your data.

4. Who we share data with

We share data only with vendors necessary to run the Service. A current list of our subprocessors, their function, and their location is at Subprocessors. At the time of writing it includes:

• Supabase — database, authentication, storage
• Vercel — hosting, edge functions, logs
• Lemon Squeezy — payments, subscription billing, tax handling
• Resend — transactional email

Each subprocessor is bound by a data processing agreement and appropriate security obligations.

We may also disclose data:

• To comply with a lawful request from a court or government authority
• To protect our rights, property, or safety, or that of our users
• In connection with a merger, acquisition, or sale of assets — in which case we will notify affected users before any transfer

5. Data retention

| Category | Retention | |---|---| | Account data (email, hashed password) | For the life of your account + 30 days after deletion | | Billing records | 7 years (tax/accounting obligations) | | Dashboard rules, sites, configuration | For the life of your account. Paused accounts: 90 days, then automatically deleted | | Aggregate analytics (counts, impressions) | Retained as anonymized aggregates, indefinitely | | Server logs | 30 days | | Support email threads | 2 years from last message |

If your account is paused (e.g., trial expired and not converted), we keep your rules and sites for 90 days, send you a warning email at day 83, and permanently delete rules and sites at day 90. Your profile and aggregated stats are preserved so you can reactivate later without losing your history.

6. Your rights

If you are in the EU/EEA, UK, or a jurisdiction with comparable law, you have the right to:

• Access — get a copy of the personal data we hold about you
• Rectification — correct inaccurate data
• Erasure — request deletion ("right to be forgotten")
• Restriction — ask us to pause processing while a dispute is resolved
• Portability — receive your data in a machine-readable format
• Object — object to processing based on legitimate interest
• Withdraw consent — where processing is based on consent
• Complain to a supervisory authority

To exercise any of these rights, email support@ironmint.studio. We will respond within 30 days. We may need to verify your identity first.

If you are in California, you have equivalent rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioural advertising.

7. International transfers

Our primary infrastructure is hosted in the United States (Supabase, Vercel, Lemon Squeezy, Resend). Where we transfer personal data out of the EU/EEA or UK, we rely on:

• The European Commission's Standard Contractual Clauses (SCCs) with subprocessors
• Adequacy decisions where applicable
• Supplementary technical and organizational measures (encryption in transit and at rest, access controls)

8. Cookies and similar technologies

Dashboard (app.morph-app.com)

We use a small number of strictly necessary cookies for authentication and security. We do not use advertising, tracking, or third-party analytics cookies in the dashboard.

Your Framer site (when Morph is installed)

Morph sets a single first-party cookie named morph_visitor on your site to detect return visits. This cookie:

• Contains only a random opaque ID
• Is a first-party cookie (set on your domain, not ours)
• Expires after 180 days
• Is only set when "Return visitor" is part of an active rule — otherwise no cookie is set at all

If your jurisdiction (e.g. EU ePrivacy) requires visitor consent before non-essential cookies are set, you are responsible for obtaining that consent on your site. We provide a setting to delay Morph until consent is granted — see your dashboard settings.

9. Security

We take reasonable technical and organizational measures to protect your data:

• All data encrypted in transit (TLS 1.2+)
• All data encrypted at rest (AES-256 via our database provider)
• Scoped access controls — only Mani, as sole operator, has production data access
• Hashed passwords (bcrypt via Supabase Auth)
• Row-level security (RLS) enforced at the database level so customers can never read each other's data
• Regular dependency scanning and security updates
• Incident response procedure with 72-hour notification under GDPR Article 33

No system is perfectly secure. If we detect a breach affecting your data, we will notify you without undue delay and in any event within 72 hours of becoming aware of it.

10. Children

Morph is a B2B product not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact support@ironmint.studio and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or an in-app notice at least 14 days before the changes take effect. The "Last updated" date at the top of this policy always reflects the most recent version.

12. Contact

Manikandan G, trading as Ironmint Email: support@ironmint.studio Address: Coimbatore, Tamil Nadu, India