Privacy Policy

This Privacy Policy explains how Mor Labs, Inc. ("Mor," "we," "our," or "us") collects, uses, discloses, retains, and protects information in connection with the Mor mobile application, website(s), and related products and services (collectively, the "Service").

This Policy applies to use of the Service on or after the Effective Date.

This Policy is intended to comply with applicable global privacy and data protection laws, including but not limited to the General Data Protection Regulation (GDPR), UK GDPR, ePrivacy Directive, California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), CalOPPA, Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), and similar frameworks.

1. Data Controller

Mor Labs, Inc.

Mor acts as the data controller for personal information processed through the Service unless explicitly stated otherwise.

2. Binding Privacy Commitments

Mor operates under the following non-negotiable privacy principles, which govern all current and future implementations of the Service unless expressly disclosed and consented to:

• We do not sell personal information.
• We do not engage in cross-context behavioral advertising.
• We do not purchase personal data from data brokers.
• We collect and process only what is reasonably necessary to operate, secure, improve, and support the Service.
• We design systems to minimize data retention, access, and exposure.
• We do not use personal information to train models for third-party benefit.
• Any material expansion of data use is preceded by disclosure and, where required, user consent.

3. Information We Collect

3.1 Information You Provide Voluntarily

We collect information you choose to provide, which may include:

• Name or display name (which does not need to be your legal name)
• Date of birth (for age verification and eligibility purposes)
• Email address
• Optional phone number
• Messages, chats, and other content you submit through the Service
• Preferences and settings
• Communications, reports, and feedback

You are not required to provide sensitive personal information, and we do not request information such as health data, biometric identifiers, or political or religious beliefs.

3.2 Information Collected Automatically

When you use the Service, we may automatically collect certain technical and usage information, including:

• Device and browser characteristics
• IP address
• Approximate location derived from network information
• Precise location information, if you choose to enable location services
• Interaction and usage metadata (such as feature usage and timestamps)
• Diagnostic, security, and error logs

Automatic collection is limited to what is necessary for functionality, security, reliability, or user-enabled features.

3.3 Information from Third Parties

We receive information only from the following categories of third parties:

• Infrastructure and hosting providers
• Security, abuse-prevention, and performance-monitoring providers

We do not receive personal information from data brokers, advertisers, or social networks.

4. AI-Related Processing and Model Training

Certain features of the Service use automated systems, including machine learning models, to generate responses, insights, or other outputs based on user inputs.

User chats and interactions may be used to train, fine-tune, and improve Mor's machine learning models, subject to the safeguards described below.

Model training is conducted solely for the following limited purposes:

• Improving response quality and relevance
• Enhancing safety, integrity, and abuse prevention
• Improving system performance and reliability

Where required by applicable law, or where Mor elects to rely on consent as a legal basis, user consent is obtained before chats are used for model training purposes. Users may withdraw consent at any time.

Mor applies technical and organizational measures to reduce privacy risk during training, including data minimization, access controls, and separation of training environments from production systems.

Mor does not design models to reproduce, recall, or disclose personal information about specific individuals, and trained models are not intended to be used to identify users.

5. Purposes of Processing

We process personal information for the following purposes only:

• Operating, maintaining, and providing the Service
• Personalizing features and functionality
• Training and improving Mor's machine learning models, where permitted and consented to
• Supporting location-based features, where users choose to enable location services
• Ensuring security, integrity, and abuse prevention
• Monitoring performance and reliability
• Responding to inquiries and support requests
• Complying with legal obligations and enforcing our policies

We do not use personal information for purposes incompatible with those listed above.

6. Legal Bases for Processing

Where applicable, Mor processes personal information based on the following legal grounds:

• Performance of a contract
• Legitimate interests, supported by documented balancing assessments
• Consent, where required by law
• Compliance with legal obligations

Users may object to processing based on legitimate interests at any time.

7. Cookies, SDKs, and Consent Controls

The Service uses cookies, SDKs, and similar technologies as described in our Cookie Policy.

• Non-essential cookies and similar technologies are technically blocked by default.
• They are activated only after valid consent, where required by law.
• Declining non-essential cookies does not restrict access to core functionality.
• Users may withdraw consent at any time.
• Consent for optional features, including precise location access and use of chats for model training, is obtained separately.
• We honor Global Privacy Control (GPC) signals where legally required.

8. Disclosure of Information

We disclose personal information only to:

• Service providers acting on our instructions and bound by confidentiality and data-protection obligations
• Legal authorities where disclosure is required by law
• Successor entities in the event of a merger, acquisition, financing, or sale of assets

We do not disclose personal information beyond the categories expressly stated in this Policy.

9. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, subject to hard maximum limits, including:

• Account information: retained until deletion request or account inactivity plus a limited administrative grace period
• Chats and interaction data: retained as necessary for model training, safety, and reliability, then deleted or anonymized
• Logs and diagnostics: retained only as long as necessary for security and system integrity
• Legal records: retained as required by applicable law

When retention is no longer required, personal information is deleted or irreversibly anonymized.

10. International Data Transfers

Personal information may be processed outside your country of residence. Where required, Mor relies on legally recognized safeguards, including:

• Standard Contractual Clauses
• UK International Data Transfer mechanisms
• Adequacy decisions where applicable

11. Your Privacy Rights

Depending on your jurisdiction, you may have the right to:

• Access your personal information
• Correct inaccurate information
• Delete personal information
• Object to or restrict processing
• Withdraw consent
• Request data portability

Privacy-related requests may be submitted using the contact interface provided below or, alternatively, via email at privacy@themorapp.com.

You will not be discriminated against for exercising your rights.

12. California Privacy Rights

We do not sell or share personal information as defined under California law.

We honor Global Privacy Control signals as an opt-out of sale or sharing where required.

California residents may submit privacy requests using the contact interface provided below or via email at privacy@themorapp.com.

13. Children's Privacy

The Service is not directed to individuals below the minimum age required by applicable law.

We use date of birth information solely to determine age eligibility and to prevent access by users below the applicable minimum age.

User chats from ineligible users are not used for model training.

If we become aware that personal information has been collected from a child in violation of applicable law, we will delete it.

14. Security

Mor implements reasonable administrative, technical, and organizational safeguards designed to protect personal information, including encryption, access controls, and monitoring.

These measures do not imply certification under any specific security framework.