This Privacy Policy describes how Mashin, Inc. (“we,” “us,” or “our”) collects, uses, stores, and shares personal information when you use the Mashin platform, including the Koda intelligent development environment and the Kura package registry (collectively, the “Services”). This policy applies to personal information we collect about visitors to our websites, account holders, and users of our Services.
This Privacy Policy does not apply to “Customer Data” (data that our customers submit to or process through the Services on behalf of their own end users). Our processing of Customer Data is governed by our Data Processing Addendum and the customer’s agreement with us.
1. Information We Collect
1.1 Information You Provide Directly
- Account information: Full name, email address, username, and password when you create an account.
- Profile information: Optional details such as display name, organization name, job title, and profile picture.
- Billing information: Billing address, tax identification number, and payment method details for paid plans. Full payment card numbers are processed by our payment processor (currently Stripe) and are not stored on our systems.
- Communications: Messages, support requests, feedback, and other correspondence you send to us.
- Machine content: Machine definitions, workflow configurations, governance rules, and other materials you create within the Services.
- AI interactions: Prompts, inputs, and configuration data you provide when using AI features (:reason steps, model routing). What data is sent to AI model providers is determined by your machine definitions, governed by your governance configuration, and recorded in the behavioral ledger.
1.2 Information Collected Automatically
- Usage data: Features used, actions taken, pages viewed, links clicked, frequency and duration of activities, and navigation patterns within the Services.
- Device information: Device type, operating system, browser type and version, screen resolution, and device identifiers.
- Log data: IP address, access times, referring URL, request identifiers, HTTP method, response codes, and payload sizes.
- Execution metadata: Machine execution records, governance decisions, performance metrics, and cost data generated during your use of the Services. This is functional data necessary to operate the Service.
- Location: Approximate location derived from IP address. We do not collect precise geolocation data.
1.3 Information from Third Parties
- Authentication providers: If you sign in using a third-party provider (e.g., GitHub, Google), we receive your name, email address, and profile information as permitted by your settings with that provider.
- Payment processor: Transaction confirmations and billing events from our payment processor.
- AI model providers: We receive model outputs (inference responses) from third-party AI providers when you use AI features. We do not receive personal information from these providers beyond the outputs generated from your inputs.
2. How We Use Information
We use the information we collect for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide, operate, and maintain the Services | Performance of contract |
| Process payments and send billing information | Performance of contract |
| Respond to support requests and communications | Performance of contract |
| Send technical notices, security alerts, and service updates | Legitimate interest |
| Monitor and analyze usage trends to improve the Services | Legitimate interest |
| Detect, investigate, and prevent fraud, abuse, and security threats | Legitimate interest |
| Enforce our terms, policies, and legal rights | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Send marketing communications (with consent where required) | Consent / Legitimate interest |
| Generate aggregated, anonymized analytics | Legitimate interest |
We do not use your information to:
- Train AI or machine learning models on Customer Content (see Section 7)
- Build advertising profiles or sell personal information to third parties
- Make automated decisions that produce legal effects concerning you without human review
3. Information Sharing and Disclosure
We do not sell personal information. We share personal information only in the following limited circumstances:
Service providers. We share information with vendors who perform services on our behalf, including cloud infrastructure providers, payment processors, analytics services, and customer support tools. These providers are bound by contractual obligations to protect your data, limit their use of it to the services they provide to us, and comply with applicable data protection law.
AI model providers. When you use AI features, the data specified in your machine definitions is sent to third-party model providers (currently Anthropic and OpenAI) for inference. What data is sent is determined by your machine configuration, governed by your governance rules, and recorded in the behavioral ledger. We do not send personal information to AI model providers beyond what your machine definitions specify.
Legal requirements. When required by applicable law, regulation, legal process, or enforceable governmental request. We will notify you before disclosing your information in response to legal process unless prohibited by law or court order, or unless notification would be futile or create a risk of harm.
Protection of rights. When reasonably necessary to protect the rights, property, or safety of Mashin, Inc., our users, or the public, including to enforce our agreements and policies.
Business transfers. In connection with a merger, acquisition, bankruptcy, reorganization, or sale of assets, in which case personal information may be transferred to the successor entity. We will notify affected users before personal information becomes subject to a different privacy policy.
With your consent. When you direct us to share information with a third party or give us explicit consent to do so.
Aggregated data. We may share aggregated, anonymized data that cannot reasonably be used to identify you or any individual. This data is not personal information.
4. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required by law.
| Data Category | Retention Period |
|---|---|
| Account information | Duration of active account + 90 days after closure |
| Billing and transaction records | As required by tax and accounting law (typically 7 years) |
| Machine execution data and behavioral ledger | Available for export for 30 days post-termination, deleted within 90 days |
| Usage and log data | 12 months from collection |
| Support correspondence | 3 years from resolution |
| Aggregated, anonymized analytics | Retained indefinitely |
| Backup systems | Purged within 180 days of source data deletion |
We may retain information longer when required by law, to resolve disputes, or to enforce our agreements.
5. International Data Transfers
Mashin, Inc. is based in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States and potentially other countries where our service providers operate.
We protect international data transfers through the following mechanisms:
- EU/EEA: EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our Data Processing Addendum.
- United Kingdom: UK International Data Transfer Addendum in conjunction with SCCs.
- Switzerland: Swiss-US Data Privacy Framework and SCCs.
- Australia: Compliance with Australian Privacy Principles (APPs) for cross-border disclosures of personal information under the Privacy Act 1988.
6. Your Rights and Choices
Depending on your location, you may have some or all of the following rights regarding your personal information:
6.1 All Users
- Access and update: View and update your account information through your account settings.
- Export: Export your data using the Service’s built-in export tools.
- Delete: Delete your account through account settings. Deletion requests are processed within 30 days, subject to legal retention requirements.
- Marketing opt-out: Unsubscribe from marketing communications using the link in any marketing email. This does not affect transactional or service-related communications.
6.2 EEA, UK, and Switzerland Residents (GDPR / UK GDPR)
You have the right to: access your personal data and receive a copy; rectify inaccurate personal data; request erasure of personal data (subject to legal retention requirements); restrict processing of your personal data; data portability (receive your data in a structured, machine-readable format); object to processing based on legitimate interests; withdraw consent at any time where processing is based on consent; and lodge a complaint with your local data protection authority.
Our legal bases for processing are: performance of our contract with you (providing the Services), legitimate interests (improving the Services, fraud prevention, security), compliance with legal obligations, and consent where applicable.
6.3 California Residents (CCPA / CPRA)
You have the right to: know what personal information we collect and how we use it; request deletion of your personal information; correct inaccurate personal information; and opt out of the sale or sharing of personal information. We do not sell personal information and do not use or disclose sensitive personal information for purposes other than providing the Services. We will not discriminate against you for exercising your privacy rights.
6.4 How to Exercise Your Rights
To exercise your privacy rights, contact us at privacy@mashin.live. We will respond within the timeframe required by applicable law (typically 30 days for GDPR, 45 days for CCPA). We may need to verify your identity before processing your request.
7. No Training Commitment
Mashin, Inc. will not use Customer Content (machine definitions, inputs, outputs, workflow data, governance trails) to train any artificial intelligence or machine learning models. This commitment is contractual and applies to Mashin, Inc.’s own systems. Mashin, Inc. contractually requires the same from third-party model providers via their API agreements. Current API agreements with Anthropic and OpenAI prohibit use of API inputs and outputs for model training.
8. Children’s Privacy
The Services are not directed to children under 16 years of age (or under 13 in jurisdictions where 13 is the applicable threshold). We do not knowingly collect personal information from children under these age thresholds. If we learn that we have collected personal information from a child below the applicable age threshold, we will delete that information promptly. If you believe a child has provided us with personal information, contact us at privacy@mashin.live.
9. Product-Specific Information
9.1 Mashin Desktop Application (Koda)
The Mashin desktop application runs locally on your device. Local data (machine definitions, project files, local execution data) is stored on your device and is not transmitted to Mashin, Inc. unless you use cloud-connected features (authentication, cloud execution, registry access, model inference, synchronization). When connected to cloud services, the cloud platform’s data practices described in this Policy apply.
Telemetry. The desktop application may collect optional telemetry data, including crash reports, feature usage analytics, and performance metrics. Telemetry is opt-in and can be enabled or disabled in Settings > Privacy > Telemetry. Critical crash reports may be collected even when telemetry is disabled to maintain application stability; these contain no Customer Content.
9.2 Mashin Cloud Platform
When using the cloud platform, your machine definitions, execution data, and governance trails are processed on Mashin, Inc.’s infrastructure. Behavioral ledger records (execution traces, governance decisions, hash chains, model routing decisions, cost and latency data) are functional data necessary to provide the Service and implement your governance configuration. You can export all of this data at any time.
9.3 Mashin Package Registry (Kura)
When you publish packages (krates) to the registry, your publisher identity (username or organization name) and package metadata (name, version, description, license, dependencies) are publicly visible on the registry. Download counts are collected and displayed in aggregate. Private packages are visible only to authenticated members of the owning organization.
9.4 AI Features
When you use AI features (:reason steps, governed model routing), the data specified in your machine definitions is sent to third-party AI model providers for inference. Which data is sent is determined by your machine configuration, governed by your governance rules, and recorded in the behavioral ledger. Mashin, Inc. does not control or monitor the content of AI model outputs. See our AI Product Terms for additional details.
10. Security
We implement commercially reasonable technical and organizational measures to protect personal information, including: encryption of data in transit (TLS 1.2+) and at rest (AES-256); access controls and least-privilege access policies; audit logging of administrative access; regular security assessments and vulnerability scanning; and incident response procedures.
No method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your information. If we become aware of a security breach affecting your personal information, we will notify you in accordance with applicable law.
11. Cookies and Tracking Technologies
We use cookies and similar technologies on our websites and web applications. For details about the specific cookies we use, their purposes, and how to manage your preferences, see our Cookie Policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes that affect how we collect, use, or share your personal information, we will provide at least 30 days’ notice via email to the address associated with your account and/or by posting a prominent notice on the Services. Continued use of the Services after the effective date of a revised policy constitutes acceptance. Previous versions of this policy are available upon request.
13. Contact Information
For privacy-related questions, requests, or complaints:
- Privacy inquiries: privacy@mashin.live
- General inquiries: legal@mashin.live
- Data Protection Officer: privacy@mashin.live
Mashin, Inc.
If you are in the EU/EEA and are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with your local supervisory authority.
Third-Party Model Providers
Mashin, Inc. uses third-party AI model providers (currently Anthropic and OpenAI) to execute inference steps in Customer’s machines. Data sent to these providers is governed by the machine definition and visible in the behavioral ledger. Each provider’s API terms apply to their respective services. Mashin, Inc. will notify Customer of material changes to model provider relationships, including the addition or removal of providers. A current list of model providers is maintained in the Subprocessors List at https://mashin.live/legal/subprocessors.
Questions? Contact Mashin, Inc. at legal@mashin.live.