Legal

The paperwork, in plain sight.

Every document starts with a plain-words summary, then the full text. Questions about any of it: hello@macromuffin.ai.

Privacy policy

Last updated: 3 July 2026

In plain words

  • We collect what we need to run your account and operate your business, nothing for resale, ever.
  • Your content goes to AI model providers only to do the work you’ve asked for. We don’t use it to train models.
  • You can export or delete everything from your settings, whenever you want.

Sections: 1 Who we are · 2 What we collect · 3 How we use it · 4 AI processing · 5 Your customers’ data · 6 Legal bases · 7 Who we share with · 8 International transfers · 9 Security · 10 Retention · 11 Your rights · 12 Cookies · 13 Children · 14 Changes · 15 Contact

1Who we are

Macromuffin (“Macromuffin”, “we”) is a service based in England and Wales. For your account data and our website, we are the data controller. For data belonging to your business’s own customers, we act as your processor; see section 5 and our Data Processing Agreement.

2What we collect

Account data. Name, email, password hash, plan, billing currency, and payment status. Card details are held by Stripe, not by us.

Business data. The content of the businesses you run on Macromuffin: your idea descriptions, brand voice profile, website and product content, analytics, drafts, approval decisions, and the connections you authorise (for example your domain, email sending, analytics, or code repository).

Operational records. Every external action Macromuffin’s agents take passes through a single action gateway and is logged with full context (what was done, by which agent, with which model) so you can audit it and we can meet our regulatory obligations. This logging exists for your protection and is visible to you in the product’s activity trail.

Usage data. Standard technical information (device, browser, pages viewed) and product interaction events, used to operate and improve the service.

3How we use it

  • To provide the service: building, running, and improving the businesses you operate on Macromuffin, on your instructions and within the autonomy settings you choose.
  • To bill you, communicate service messages, and provide support.
  • To keep the service secure, debug it, and prevent abuse.
  • To meet legal obligations, including the audit logging described above.

We do not sell personal data, and we do not use your content for advertising.

4AI processing

Macromuffin works by sending relevant parts of your business content to AI model providers to perform the tasks you’ve configured. These providers may process your content in the United States or other countries (see International transfers below); a per-business choice of processing region is planned but not offered in this version. On Pro and Studio plans you may bring your own model API keys, in which case those requests run on your own provider account; your keys are encrypted with per-business envelope keys, are never logged in plaintext, and can be revoked in one click from your settings.

Training. We do not use your content, or your customers’ data, to train our own models. AI processing is carried out by third-party model providers under their respective terms, which govern how they handle the requests we send.

5Your customers’ data

When Macromuffin operates your business (sending emails to your subscribers, handling your customers’ support messages, processing sign-ups), it handles personal data belonging to your customers. For that data, you are the controller and we are your processor, acting only on your instructions under our Data Processing Agreement, which forms part of your contract with us.

6Legal bases

Where UK or EU data protection law applies, we rely on: contract (providing the service you signed up for), legitimate interests (securing and improving the service, preventing abuse), legal obligation (audit and regulatory records, tax), and consent where we ask for it (for example non-essential cookies or marketing emails, which you can withdraw at any time).

7Who we share with

Sub-processors who help us run the service: AI model providers (and, on Pro and Studio, your own provider account where you bring API keys), Stripe for payments, cloud hosting and database providers, error monitoring, and email delivery. The current list is published at /legal/subprocessors and we give notice before adding to it. We also disclose data where the law requires it, and in a merger or acquisition under equivalent protections.

8International transfers

Where a sub-processor or AI model provider processes data outside the UK/EEA, transfers are protected by appropriate safeguards: the UK International Data Transfer Agreement or EU Standard Contractual Clauses, plus supplementary measures where needed.

9Security

Connection tokens are encrypted at rest (AES-256) and in transit (TLS 1.3). Bring-your-own API keys are encrypted with per-business envelope keys and never logged in plaintext. Every external action is gated and logged. Browser automation operates only on properties you have authorised, revocable at any time. A SOC 2 Type II programme is targeted post-launch.

10Retention

We keep account and business data while your account is active. After deletion of a business or account, data is removed within 30 days, except records we must keep for legal, tax, or audit purposes, which are retained only as long as the law requires. You can export everything first; see your rights below.

11Your rights

Under UK and EU law you can access, correct, export, delete, restrict, or object to our processing of your personal data, and withdraw consent where consent is the basis. Full data export and deletion are self-serve from Settings → Data; for anything else, email hello@macromuffin.ai. You can also complain to the UK Information Commissioner’s Office (ico.org.uk) or your local EU authority.

12Cookies

We use essential cookies to keep you signed in and the service secure, and (only with your consent) a small set of analytics cookies to understand product usage. When analytics are enabled, they load only after you consent and never before. We do not use advertising cookies.

13Children

Macromuffin is for people aged 18 or over running businesses. We do not knowingly collect data from children.

14Changes

If we materially change this policy we’ll tell you by email or in the product before the change takes effect, and the “last updated” date above will always be accurate.

15Contact

Macromuffin · hello@macromuffin.ai.