Back to home

Privacy Policy

Last updated: February 13, 2026

FragmentX ("we," "us," or "our") operates the MorphX AI-powered chatbot platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including our website, dashboard, APIs, and embedded chat widgets.

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored in hashed form)
  • Language preference

1.2 Tenant & Business Information

When you set up a chatbot tenant, we collect:

  • Business name and unique slug
  • System prompt and welcome message configuration
  • Platform credentials (LINE Channel Access Token, Facebook Page Token, etc.), stored encrypted
  • AI provider preferences and model configuration
  • Handoff settings and keywords

1.3 Documents & Knowledge Base

When you upload documents (PDF, DOCX, CSV, TXT) to build your knowledge base, we process and store:

  • Original file metadata (filename, size, upload date)
  • Document content, which is chunked and converted into vector embeddings
  • Vector embeddings stored in our vector database for retrieval

1.4 Chat & Conversation Data

When end users interact with your chatbot, we collect:

  • Platform user identifiers (LINE user ID, Facebook PSID, anonymous web session ID)
  • Message content (both user messages and AI-generated responses)
  • Conversation metadata (timestamps, platform, session status)
  • Handoff status and resolution data

1.5 Usage & Analytics Data

  • Token consumption per operation (chat completion, embedding, reranking, intent detection)
  • AI model used and estimated cost
  • Message volume and platform distribution

1.6 Technical Data

  • IP address, browser type, and device information
  • Access logs and error logs
  • Cookies and similar tracking technologies

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service — Process documents, generate embeddings, retrieve relevant context, and generate AI-powered responses to end-user queries
  • Manage your account — Authenticate your identity, manage subscriptions, and enforce plan limits
  • Deliver messages — Send AI-generated responses back through the appropriate platform (LINE, Facebook Messenger, or web widget)
  • Improve the Service — Analyze usage patterns, monitor system performance, and develop new features
  • Provide support — Respond to your inquiries, troubleshoot issues, and provide technical assistance
  • Ensure security — Detect and prevent fraud, abuse, and unauthorized access
  • Comply with legal obligations — Meet applicable legal and regulatory requirements

3. Third-Party Service Providers

We rely on trusted third-party providers to deliver the Service. These providers process data on our behalf and are contractually obligated to protect your information:

3.1 AI & Machine Learning

  • OpenAI — Processes chat completions and generates text embeddings. Message content and document chunks are sent to OpenAI's API for processing. See OpenAI's Privacy Policy.
  • Cohere — Performs result reranking to improve answer relevance. Query text and retrieved document chunks are sent for reranking. See Cohere's Privacy Policy.

3.2 Data Storage

  • Neon (PostgreSQL) — Stores account data, tenant configuration, chat sessions, messages, and usage records in a managed PostgreSQL database.
  • Pinecone — Stores vector embeddings generated from your documents for similarity search and retrieval.

3.3 Platform Integrations

  • LINE Corporation — When you connect a LINE Official Account, messages are exchanged through LINE's Messaging API.
  • Meta (Facebook) — When you connect a Facebook Page, messages are exchanged through Meta's Graph API.

3.4 Infrastructure

  • Vercel — Hosts the application and processes web requests.

4. Data Retention

  • Account data — Retained for the duration of your account. Deleted within 30 days of account closure.
  • Chat messages — Retained for the duration of your subscription. You may request deletion at any time.
  • Documents & embeddings — Retained until you delete them or close your account. Vector embeddings are purged from Pinecone within 7 days of document deletion.
  • Usage records — Retained for 12 months for billing and analytics purposes, then aggregated and anonymized.
  • Server logs — Retained for up to 90 days for security and debugging purposes.

5. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data in transit is encrypted using TLS 1.2 or higher
  • Database connections use SSL encryption
  • Platform credentials are stored encrypted at rest
  • Passwords are hashed using industry-standard algorithms
  • Webhook signatures are verified for LINE and Facebook to prevent unauthorized access
  • Access to production systems is restricted and logged

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you
  • Correction — Request correction of inaccurate personal data
  • Deletion — Request deletion of your personal data, subject to legal retention requirements
  • Data portability — Request your data in a structured, machine-readable format
  • Restriction — Request that we limit the processing of your personal data
  • Objection — Object to the processing of your personal data for certain purposes
  • Withdrawal of consent — Withdraw consent at any time where processing is based on consent

To exercise these rights, contact us at privacy@fragmentx.ai. We will respond within 30 days.

7. Thailand Personal Data Protection Act (PDPA)

For users in Thailand, we comply with the Personal Data Protection Act B.E. 2562 (2019) (PDPA). Under the PDPA:

  • We act as a Data Controller for account and tenant data
  • We act as a Data Processor for end-user chat messages processed on behalf of our customers (tenants)
  • We collect and process personal data based on contractual necessity, legitimate interest, or your explicit consent
  • You have the right to access, correct, delete, restrict, and port your data as provided under the PDPA
  • We do not transfer personal data outside Thailand except to the third-party providers listed in Section 3, which maintain adequate data protection standards

8. End-User Data (Your Customers)

As a MorphX customer, you are the Data Controller for the personal data of your end users (the people who chat with your bot). You are responsible for:

  • Providing appropriate privacy notices to your end users
  • Obtaining necessary consents for data processing
  • Responding to data subject requests from your end users
  • Ensuring your use of the Service complies with applicable data protection laws

We process end-user data solely on your behalf and according to your instructions through the Service.

9. Cookies

We use minimal cookies:

  • Session cookies — Required for authentication and maintaining your logged-in state
  • Preference cookies — Store your language preference (localStorage)

We do not use third-party advertising or tracking cookies.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after any changes constitutes acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: