Privacy Policy
Last Updated: 16th August 2025
1. Introduction
Ashlar Creative ("we," "us," or "our") operates Machu AI, a waste management platform for UK waste industry professionals. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our service at https://machu.ai and https://app.machu.ai (the "Service").
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
2. Data Controller Information
Data Controller: Ashlar Creative
Contact Email: support@machu.ai
Website: https://machu.ai
3. Information We Collect
3.1 Information You Provide
Account Information:
Name and job title
Email address
Organization name and details
Phone number (optional)
Billing information (processed by Outseta)
Service Data:
Uploaded PDF documents for analysis
EWC codes and waste classification data
Permit and compliance information
Search queries and preferences
Business location data for geographic searches
Communications:
Support requests and correspondence
Feedback and suggestions
Survey responses
3.2 Information Collected Automatically
Usage Data:
IP address and device information
Browser type and version
Pages visited and features used
Date and time of access
Referring website addresses
Cookies and Tracking:
Session cookies for authentication
Performance analytics cookies
Preference cookies for user settings
3.3 Information from Third Parties
Public Data Sources:
Environmental Agency permit database
Companies House business information
Publicly available waste management facility data
Authentication Providers:
Outseta authentication service data
OAuth provider information (if applicable)
4. Legal Basis for Processing
We process your personal data based on:
4.1 Contract Performance
Processing necessary to provide the Service you've requested, including:
Account creation and management
Service delivery and support
Billing and payment processing
4.2 Legitimate Interests
Processing for our legitimate business interests, including:
Service improvement and development
Security and fraud prevention
Analytics and performance monitoring
Marketing to existing customers
4.3 Legal Obligations
Processing necessary to comply with legal requirements:
Waste management regulatory compliance
Tax and accounting obligations
Legal document retention
4.4 Consent
Where we rely on consent, you may withdraw it at any time by contacting us.
5. How We Use Your Information
We use your information to:
Provide and Maintain the Service:
Process EWC code validations
Deliver permit and business directory searches
Analyze uploaded documents
Generate compliance reports
Provide daily regulatory updates
Improve and Develop the Service:
Analyze usage patterns and preferences
Develop new features and functionality
Optimize performance and user experience
Train and improve our AI models (using anonymized data only)
Communicate with You:
Send service updates and notifications
Respond to support requests
Provide regulatory alerts and industry news
Send marketing communications (with consent)
Ensure Security and Compliance:
Detect and prevent fraud
Monitor for security threats
Maintain audit logs for compliance
Enforce our Terms of Service
6. Data Sharing and Disclosure
6.1 Service Providers
We share data with trusted service providers who assist us in operating the Service:
Outseta - Authentication and subscription management
OpenAI and Anthropic - Document analysis and AI processing
Mapbox - Geographic search and mapping
Postmark - Email notifications
Cloud Infrastructure Providers - Data hosting and storage
All service providers are contractually required to protect your data and use it only for providing services to us.
6.2 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
6.3 Legal Requirements
We may disclose your information if required to:
Comply with legal obligations
Respond to valid legal requests
Protect our rights and property
Prevent fraud or security issues
Protect the safety of any person
6.4 Aggregated Data
We may share aggregated, anonymized data that cannot identify you, such as industry trends and usage statistics.
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
Technical Measures:
Encryption in transit (TLS/SSL)
Encryption at rest for sensitive data
Secure authentication with JWT tokens
Regular security audits and penetration testing
Virus scanning for uploaded files
Rate limiting and DDoS protection
Organizational Measures:
Access controls and authentication
Employee training and confidentiality agreements
Regular security reviews
Incident response procedures
Data minimization principles
8. Data Retention
We retain your personal data only as long as necessary:
Account Data: For the duration of your account plus 30 days after closure
Transaction Records: 7 years for tax and accounting purposes
Uploaded Documents: 90 days after processing (unless you delete sooner)
Usage Logs: 12 months for security and analytics
Marketing Data: Until consent is withdrawn
You may request deletion of your data at any time, subject to legal retention requirements.
9. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
9.1 Access
Request a copy of the personal data we hold about you.
9.2 Rectification
Request correction of inaccurate or incomplete data.
9.3 Erasure
Request deletion of your data ("right to be forgotten").
9.4 Restriction
Request we limit processing of your data.
9.5 Portability
Receive your data in a structured, machine-readable format.
9.6 Object
Object to processing based on legitimate interests or direct marketing.
9.7 Automated Decision-Making
Not be subject to decisions based solely on automated processing.
9.8 How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@machu.ai. We will respond within one month of receipt of your request, though we may extend this by two months for complex requests. We will not charge a fee unless your request is manifestly unfounded or excessive.
9.9 Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the ICO (details in Section 17).
10. International Data Transfers
As our service providers may process data outside the UK, we ensure appropriate safeguards are in place:
UK-approved standard contractual clauses
Adequacy decisions recognised by the UK government
Appropriate technical and organisational measures
All transfers comply with Chapter V of the UK GDPR.
11. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware of such collection, we will delete the data immediately.
12. Cookie Policy
12.1 Essential Cookies
Required for the Service to function:
Session management
Authentication tokens
Security features
12.2 Analytics Cookies
Help us understand Service usage:
Page views and navigation
Feature usage statistics
Performance metrics
12.3 Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain Service features.
13. Marketing Communications
13.1 Opt-in
We will only send marketing emails with your consent.
13.2 Opt-out
You can unsubscribe from marketing emails:
Using the unsubscribe link in any marketing email
Updating your account preferences
Contacting us at support@machu.ai
13.3 Service Communications
We may send non-marketing communications necessary for the Service (security alerts, regulatory updates, account notifications).
14. Third-Party Links
The Service may contain links to third-party websites. We are not responsible for their privacy practices. We encourage you to review their privacy policies.
15. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms:
We will notify the ICO within 72 hours
We will notify affected users without undue delay
We will provide information about the breach and our response
16. Updates to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via:
Email notification
Prominent notice on the Service
Requiring acknowledgment for continued use
17. Contact Information
For privacy-related questions or to exercise your rights:
Email: support@machu.ai
Supervisory Authority:
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: https://ico.org.uk
Phone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
18. Accessibility
We are committed to making this Privacy Policy accessible to all users. If you need this policy in an alternative format, please contact us.