GDPR & Privacy
How Morph handles visitor data and what site owners need to know about GDPR compliance.
Morph is designed with privacy in mind. Here's a breakdown of what data Morph collects, how it's processed, and what you need to do as a site owner.
Data Morph collects on your published site
When the Morph runtime script runs on a visitor's page load, it reads:
- URL query parameters — specifically UTM parameters (utm_source, utm_medium, etc.)
- User-Agent header — to determine device type (mobile, tablet, desktop)
- Cookie — the morph_ret cookie (value: 1) to classify new vs. returning visitors
Data sent to Morph servers
When a rule matches and a variant is shown, the runtime sends an impression event to the Morph tracking endpoint. This event includes:
- Site key (identifies your site)
- Rule ID and variant ID (which rule fired, which variant was shown)
- Timestamp
- Device type
- Page URL (the path, not the full URL with query parameters)
The impression event does not include:
- IP addresses (not logged or stored)
- Personal identifiers (no email, no user ID)
- Full URL with query parameters
- Cookie values
- Browser fingerprint data
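Site owners who want to confirm the exclusions above on their own site can audit an impression request body copied from the browser's network panel. The following is an added example, not Morph's code: the event shape and field names are assumptions constructed for illustration (the real payload format is not documented on this page), so the check inspects values rather than keys. It covers IP addresses, email addresses, query strings and the cookie, and does not attempt to detect fingerprint data.

```javascript
// Added example: key-agnostic audit of a captured impression payload.
// Field names in the sample events are constructed; adapt to the real capture.

// Patterns for data the page says an impression event does NOT include.
const CHECKS = [
  { label: "IP address", re: /\b(?:\d{1,3}\.){3}\d{1,3}\b/ },
  { label: "email address", re: /[^\s@]+@[^\s@]+\.[^\s@]+/ },
  { label: "query string / UTM parameter", re: /\?|utm_[a-z]+=/i },
  { label: "cookie value", re: /morph_ret\s*=/ },
];

// Recursively walk every string value and report anything matching a pattern.
function auditImpression(payload, path = "$") {
  const findings = [];
  if (typeof payload === "string") {
    for (const { label, re } of CHECKS) {
      if (re.test(payload)) findings.push(`${path}: looks like ${label}`);
    }
  } else if (payload !== null && typeof payload === "object") {
    for (const [key, value] of Object.entries(payload)) {
      findings.push(...auditImpression(value, `${path}.${key}`));
    }
  }
  return findings;
}

// Constructed sample matching the documented field list (names are assumed).
const cleanEvent = {
  siteKey: "site_EXAMPLE",
  ruleId: "rule_1",
  variantId: "variant_b",
  timestamp: "2024-01-01T12:00:00Z",
  deviceType: "mobile",
  pageUrl: "/pricing",
};

// Constructed counter-example: the page URL still carries its query string.
const leakyEvent = {
  ...cleanEvent,
  pageUrl: "/pricing?utm_source=newsletter&email=a@example.com",
};

console.log(auditImpression(cleanEvent)); // no findings
console.log(auditImpression(leakyEvent)); // two findings on $.pageUrl
```

An empty result means none of the patterns matched; version-like strings such as 1.2.3.4 will be flagged as possible IP addresses and need a manual look.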
Data storage
- Impression events are stored in Morph's database (hosted on Supabase)
- Data is aggregated daily into summary statistics
- Raw impression data is retained based on your plan's analytics window (7, 30, or 90 days)
- Aggregated data may be retained longer for dashboard display
Your responsibilities as a site owner
If you have EU/EEA visitors, you should:
- Disclose the Morph cookie in your cookie policy — see Cookies for the exact details to include
- Update your privacy policy to mention that you use content personalization based on UTM parameters, device type, and visitor status
- Consider cookie consent — since the morph_ret cookie is non-essential, some GDPR implementations require consent before it's set. Check with your legal advisor.
Data processing agreement
If you need a Data Processing Agreement (DPA) for GDPR compliance, contact us at support@ironmint.studio.
Data deletion
If a visitor requests deletion of their data under GDPR, note that Morph does not store any personally identifiable information. The morph_ret cookie can be cleared by the visitor from their browser. Impression events cannot be tied back to individual visitors since they contain no personal identifiers.