MORSIS PLATFORM — PRIVACY POLICY
Synergy Shock LLC
Version: 2.0
Last updated: May 6, 2026
1. Introduction
Synergy Shock LLC ("Morsis," "we," "our," or "us") operates the MORSIS platform — a business operations solution for restaurants, retailers, shopping centers, and other businesses. This Privacy Policy explains how we collect, use, store, protect, and share information through the MORSIS platform, including our website (morsis.com), web application, APIs, interactive kiosks, point-of-sale systems, online stores, messaging integrations, and related services.
This policy complies with data protection regulations across multiple jurisdictions, including Argentina (Law 25.326), Mexico (LFPDPPP), Chile (Law 19.628), Peru (Law 29.733), Colombia (Statutory Law 1581 of 2012), Brazil (LGPD), the European Union (GDPR), California (CCPA/CPRA), and other applicable laws.
This policy applies to:
- Customer Data: Information about the businesses that use the Platform.
- End User Data: Information about individuals who interact with Customer services (e.g., kiosk users, online store shoppers, loyalty program members).
- Visitor Data: Information collected from visitors to morsis.com.
2. Data Controller and Processor Roles
2.1 When Synergy Shock Acts as Data Processor
For most Platform data, the Customer (the business using Morsis) is the data controller, and Synergy Shock acts as a data processor. This includes:
- End user information from kiosks, online stores, and QR menus
- Loyalty program data
- Transaction and order data
- Messaging data (WhatsApp, Instagram)
- Customer employee data (Authorized Users)
When using WhatsApp or Instagram integrations, Customers must inform their end users that communications are processed through MORSIS and that personal data will be handled by Synergy Shock as a data processor.
2.2 When Synergy Shock Acts as Data Controller
Synergy Shock acts as data controller for:
- Customer account information (business registration and contact details)
- Communications with Customers
- Website visitor information
- Business analytics and marketing activities related to Morsis's own operations
- Aggregated and anonymized usage data
2.3 Co-Controller (Customer-Facing Services)
In some contexts — particularly for kiosk interactions and online store orders — the Customer and Synergy Shock may act as co-controllers regarding certain operational data, such as product information, prices, and service configurations provided by the Customer.
2.4 Data Protection Officer
Luciano Ganga
Email: luciano@synergyshock.com
Synergy Shock LLC
1603 Capitol Ave Ste 415 PMB 134544, Cheyenne, Wyoming 82001, USA
3. What We Do NOT Collect (Interactive Kiosks)
Our self-service kiosk system is designed to protect End User anonymity. Unless a specific feature described in Section 4 is active:
- No facial recognition or biometric identification of End Users
- No permanent recording or storage of images or audio from kiosk interactions
- No collection of names, emails, or phone numbers through anonymous kiosk interactions
- No individual user profiles or cross-session tracking
- No demographic estimations linked to individuals
Audio captured during voice queries is processed in real time and discarded immediately after the query is answered. Video used to detect user presence is processed locally and not stored.
Note: Facial recognition and demographic identification from video are not currently active and will not be enabled without a policy update, clear notice at the device, and required consent mechanisms.
4. Information We Collect
4.1 Customer Account Information
When a business subscribes to the Platform, we collect:
- Business name and legal entity information
- Contact name, email, and phone
- Billing address and payment information
- Login credentials (passwords are hashed; payment data is handled by third-party processors)
4.2 End User Data (Processed on Customer's Behalf)
We process the following categories of End User data on behalf of Customers:
Online Store and QR Menu Orders:
- Name, email, phone number, and delivery address
- Order contents, amounts, and dates
- Non-sensitive payment data (last 4 digits, card type, bank)
- Order status and fulfillment information
Loyalty Program (with End User consent):
- Name, email, phone, and national or tax ID
- Date of birth, age, and gender
- Consumption preferences and purchase history
- Points balance and redemption history
- Age verification declarations
Reservations:
- Name, phone number, and email
- Party size, preferred date and time
- Special requests
Messaging (WhatsApp and Instagram):
- Phone numbers and usernames
- Message content and conversation history
- Message metadata (timestamps, delivery status)
Transaction Data (POS and Online):
- Products purchased, amounts, and payment method
- Non-sensitive payment data
- Order and fulfillment records
Technical and Usage Data (Anonymized):
- Diagnostic logs
- Aggregated usage metrics
- Performance data
4.3 Customer Employee Data (Authorized Users)
We collect information about the Customer's staff who use the Platform:
- Name and corporate email
- Role and permissions within the Platform
- Activity logs (login history, actions taken)
- Biometric data (fingerprints): When the Customer enables fingerprint-based staff authentication on POS terminals, fingerprint data is captured solely for identity verification. This data is encrypted and stored securely, and is not shared with third parties. Customers must inform their staff and obtain any consents required by applicable law before enabling this feature.
- Time and attendance records (when using the time tracking module): clock-in/out timestamps, shift assignments, and related workforce data.
4.4 Delivery Driver Data
When a Customer uses Morsis's own delivery fleet management module, we process:
- Driver name and contact information
- Real-time GPS location during active delivery sessions
- Delivery history and performance data
Location data is not stored after a delivery session ends. Aggregate delivery metrics may be retained for analytics purposes.
4.5 AI Content Generation (AI Media Studio)
When using the AI Media Studio feature:
- Brand assets, product information, and other content provided by the Customer are processed to generate marketing materials (posts, stories, campaigns).
- Inputs are processed through AI providers listed in Section 7.
- Morsis does not use this content to train AI models without the Customer's explicit consent.
4.6 Website Visitor Data
- IP address and device information
- Browser type and language preferences
- Pages visited and time spent
- Referral source
- Cookies and tracking technologies (see Section 10)
5. How We Use Information
5.1 Customer Account Data
- To provide, maintain, and improve the Platform
- To process billing and payments
- To communicate about service updates, security, and support
- To comply with legal obligations
5.2 End User Data
Processed to:
- Generate real-time responses to kiosk queries
- Process and fulfill orders from online store, QR menus, and kiosks
- Operate loyalty programs and process redemptions
- Handle reservations
- Route and display messaging conversations
- Generate reports and analytics for the Customer
- Monitor and diagnose system performance
- Provide technical support
What we do not do with End User data:
- Sell it to third parties
- Use it for Morsis's own marketing
- Use it for targeted advertising
- Share it beyond what is necessary for service delivery (see Section 7)
- Use it to identify individuals, except in loyalty programs (with consent) and Authorized User authentication
5.3 Messaging Data (WhatsApp / Instagram)
- Display incoming messages in the Customer's dashboard
- Enable Customer responses and automated replies
- Store conversation history
- Integrate messaging with order management
5.4 Aggregated and Anonymized Data
We may use aggregated, anonymized data derived from Platform usage to improve products, analyze trends, and develop new features. This data does not identify individual End Users.
6. Legal Basis for Processing
| Basis | When Applied |
|---|---|
| Contract performance | Necessary to provide Platform services |
| Legitimate interests | Service improvement, security, fraud prevention |
| Legal obligation | Compliance with applicable laws |
| Consent | Optional features, biometric authentication, marketing communications |
For End User data, the Customer is responsible for establishing the appropriate legal basis for processing.
7. Data Sharing and Sub-processors
7.1 Sub-processors
We currently engage the following sub-processors:
| Provider | Service | Location | Data Processed |
|---|---|---|---|
| Google Cloud Platform | Cloud infrastructure | United States | Aggregated metrics, session data |
| OpenAI | AI/NLP processing (kiosk, content generation) | United States | Text and audio for inference |
| Cloudflare | CDN, edge compute, security | Global | Web traffic, IP addresses |
| Vercel | Hosting | Global | HTTP requests, server logs |
| Sentry | Error monitoring | United States | Error logs, stack traces |
| Resend | Email delivery | United States | Email addresses, content |
| Meta Platforms | WhatsApp/Instagram APIs | Global | Phone numbers, usernames, messages |
| Mercado Pago | Payment processing | Argentina / Latin America | Transaction data, non-sensitive payment info |
| Payway | Payment processing | Argentina | Transaction data, non-sensitive payment info |
| Modo | Payment processing | Argentina | Transaction data, non-sensitive payment info |
| Fiserv | Payment processing | Global | Transaction data, non-sensitive payment info |
| Nave | Payment processing | Argentina | Transaction data, non-sensitive payment info |
| PedidosYa | Delivery platform integration | Latin America | Order data, delivery addresses |
| Rappi | Delivery platform integration | Latin America | Order data, delivery addresses |
| Mailchimp (Intuit) | Email marketing integrations | United States | Email addresses, marketing data |
OpenAI note: Audio and text data sent via API is retained for a maximum of 30 days for abuse monitoring, then deleted. OpenAI does not use API-submitted data for model training.
A complete sub-processor list with Data Processing Agreement links is available upon request at privacy@synergyshock.com.
7.2 Payment Processors
Morsis does not store or process credit card numbers or sensitive payment credentials. All payment processing is handled by the configured third-party processor.
7.3 Other Disclosures
We may share information:
- With the Customer's consent
- To comply with legal obligations or respond to valid legal process
- To protect the rights, safety, or property of Morsis, Customers, or End Users
- In connection with a merger, acquisition, or sale of assets (with prior notice)
We do not sell, rent, or trade personal information.
7.4 Meta Platform Compliance
When processing WhatsApp and Instagram messaging data, Morsis:
- Accesses only data permitted by Meta's terms and user permissions
- Does not sell, license, or transfer Meta data to third parties
- Does not use Meta data to build profiles unrelated to messaging services
- Maintains appropriate security measures per Meta's requirements
- Deletes data per Meta's policies upon request
Customers are responsible for obtaining valid opt-in consent from their end users. End users can opt out by contacting the Customer directly or blocking on WhatsApp.
Reference: WhatsApp Privacy Policy | Meta Privacy Policy
8. International Data Transfers
Data may be transferred to and processed in countries outside your country of residence, including the United States. We apply appropriate safeguards including:
- Standard Contractual Clauses (SCCs) for EEA transfers
- Data Privacy Framework certifications where applicable
- Encryption in transit and at rest
- Contractual data protection obligations with sub-processors
9. Data Retention
| Data Type | Retention |
|---|---|
| Kiosk audio and images | Not stored; discarded after real-time processing |
| Customer account data | Duration of business relationship, plus a reasonable period thereafter |
| End User data | Per Customer instructions; deleted or returned upon contract termination |
| Biometric data (staff fingerprints) | Until the Customer removes the enrollment or terminates the service |
| Delivery driver location | Not stored after delivery session ends |
| Reservation data | Per Customer instructions |
| Messaging data | While module is active; deleted per Customer instructions upon deactivation |
| Technical logs | Generally no more than 90 days |
| Aggregated/anonymized metrics | Retained indefinitely given their non-personal nature |
10. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to:
- Maintain session state
- Remember preferences
- Analyze traffic and improve user experience
You can control cookies through your browser settings. Some features may not function correctly if cookies are disabled.
11. Data Security
We implement reasonable technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS) and at rest
- Access controls and role-based permissions
- Regular security assessments
- Employee confidentiality obligations
- Incident response procedures
No system is completely secure. We will notify affected parties of data breaches as required by applicable law.
12. Your Rights
Depending on your location, you may have the right to:
- Access your personal information
- Rectify inaccurate data
- Erase your data
- Restrict or object to processing
- Portability — receive your data in a portable format
- Non-discrimination for exercising these rights (California residents)
For End Users (kiosk users, loyalty members, messaging contacts): Contact the business you interacted with, or reach Morsis directly at luciano@synergyshock.com. We will coordinate with the relevant Customer to fulfill your request within applicable legal timeframes.
For Customers and website visitors: Contact Morsis directly using the information in Section 20.
13. Children's Privacy
The Platform is not directed to children under 18. Loyalty programs are restricted to adults. We do not knowingly collect personal information from minors. If future features require data from minors, parental or guardian consent will be obtained as required by law.
14. Future Collection of Personal Data
If future features involve collecting new categories of personal data not described in this policy, before activation we will:
1. Update this policy
2. Implement appropriate consent mechanisms
3. Provide clear disclosure about what is collected and why
15. Future Biometric and Demographic Processing
Staff fingerprint authentication is currently active and is covered in Section 4.3.
Facial recognition and demographic estimation (age range, perceived gender) from video feeds are not currently active. If activated in the future, we will:
1. Update this policy
2. Add clear physical notice at affected devices
3. Implement required consent mechanisms per applicable law
16. Business Information Disclaimer
Product details, prices, promotions, and commercial terms configured in the Platform belong to the Customer operating the applicable service. Morsis is not responsible for the accuracy or completeness of that business information.
17. California Privacy Rights (CCPA/CPRA)
California residents have the right to:
- Know what personal information is collected and how it is used
- Delete personal information
- Opt out of the sale or sharing of personal information
- Non-discrimination for exercising these rights
Morsis does not sell personal information.
To exercise rights, contact privacy@synergyshock.com.
18. Changes to This Policy
We may update this policy from time to time. Material changes will be posted with an updated "Last updated" date. For existing Customers, material changes will be communicated at least 30 days in advance.
19. Jurisdiction-Specific Information
Argentina
Processing complies with Law 25.326 (Personal Data Protection Act). The Agency for Access to Public Information (AAIP) is the supervisory authority.
Brazil
Processing complies with the Lei Geral de Proteção de Dados (LGPD). Data subjects have rights under Articles 17–22.
Mexico
Processing complies with the LFPDPPP. Data subjects have ARCO rights (Access, Rectification, Cancellation, Opposition).
European Economic Area
EEA residents may lodge complaints with their local data protection authority.
Other Latin American Jurisdictions
Processing complies with applicable laws in Chile (Law 19.628), Peru (Law 29.733), Colombia (Statutory Law 1581 of 2012), and other jurisdictions where we operate.
20. Contact Us
Data Protection Officer:
Luciano Ganga — luciano@synergyshock.com
General privacy inquiries:
privacy@synergyshock.com
Synergy Shock LLC
1603 Capitol Ave Ste 415 PMB 134544, Cheyenne, Wyoming 82001, USA
https://morsis.com
By using MORSIS, you acknowledge that you have read and understood this Privacy Policy.
© 2026 Morsis. All rights reserved.