Data & AI
Last updated: 3 July 2026 · A plain-English statement; the Privacy policy and DPA are the binding documents
In plain words
- On Pro and Studio, you can run AI on your own provider keys.
- We don’t use your work to train our own models.
- Every AI decision is logged so both you and regulators can see exactly what happened.
Which models do the work
Macromuffin routes each task to a model tier suited to its stakes: routine work runs on fast, inexpensive models; high-stakes work (regulatory writing, sensitive code) runs on stronger ones. On Pro and Studio you can bring your own model API keys, and those requests run on your own provider account at your provider’s prices. Your keys are envelope-encrypted per business, never logged in plaintext, and revocable in one click.
Where it happens
AI processing is carried out by third-party model providers, which may be located in the United States or other countries. A per-business choice of processing region is planned but not available in this version; where processing happens outside the UK/EEA, we rely on the transfer safeguards set out in our Privacy policy and DPA.
Training
We don’t use your content or your customers’ data to train our own models. AI processing is performed by third-party providers under their own terms, which govern how they handle the requests we send.
The trail
Every agent decision is logged with its model, tier, cost, data provenance, and the exact change made, and you can read it in plain English or full technical detail inside the product. This per-decision logging is also our foundation for EU AI Act technical documentation (Annex IV): a documentation stub ships at launch, and the full Annex IV programme will be operational before 2 August 2026, when the relevant obligations begin.
Human control
Public or money-moving actions wait for your approval by default; autonomy is granted by you, per category, and is always revocable. Statutory filings and sensitive code paths require your explicit confirmation no matter what. Reversible autonomous actions carry rollback records.
Security, briefly
AES-256 at rest, TLS 1.3 in transit, a single gated and logged pathway for every external action, browser automation only on properties you’ve authorised, full export and deletion from Settings → Data. SOC 2 Type II is targeted post-launch. Sub-processor list: /legal/subprocessors.