Privacy Policy

Last Updated: 16th August 2025

1. Introduction

Ashlar Creative ("we," "us," or "our") operates Machu AI, a waste management platform for UK waste industry professionals. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our service at https://machu.ai and https://app.machu.ai (the "Service").

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

2. Data Controller Information

Data Controller: Ashlar Creative
Contact Email: support@machu.ai
Website: https://machu.ai

3. Information We Collect

3.1 Information You Provide

Account Information:

  • Name and job title

  • Email address

  • Organization name and details

  • Phone number (optional)

  • Billing information (processed by Outseta)

Service Data:

  • Uploaded PDF documents for analysis

  • EWC codes and waste classification data

  • Permit and compliance information

  • Search queries and preferences

  • Business location data for geographic searches

Communications:

  • Support requests and correspondence

  • Feedback and suggestions

  • Survey responses

3.2 Information Collected Automatically

Usage Data:

  • IP address and device information

  • Browser type and version

  • Pages visited and features used

  • Date and time of access

  • Referring website addresses

Cookies and Tracking:

  • Session cookies for authentication

  • Performance analytics cookies

  • Preference cookies for user settings

3.3 Information from Third Parties

Public Data Sources:

  • Environmental Agency permit database

  • Companies House business information

  • Publicly available waste management facility data

Authentication Providers:

  • Outseta authentication service data

  • OAuth provider information (if applicable)

4. Legal Basis for Processing

We process your personal data based on:

4.1 Contract Performance

Processing necessary to provide the Service you've requested, including:

  • Account creation and management

  • Service delivery and support

  • Billing and payment processing

4.2 Legitimate Interests

Processing for our legitimate business interests, including:

  • Service improvement and development

  • Security and fraud prevention

  • Analytics and performance monitoring

  • Marketing to existing customers

4.3 Legal Obligations

Processing necessary to comply with legal requirements:

  • Waste management regulatory compliance

  • Tax and accounting obligations

  • Legal document retention

4.4 Consent

Where we rely on consent, you may withdraw it at any time by contacting us.

5. How We Use Your Information

We use your information to:

Provide and Maintain the Service:

  • Process EWC code validations

  • Deliver permit and business directory searches

  • Analyze uploaded documents

  • Generate compliance reports

  • Provide daily regulatory updates

Improve and Develop the Service:

  • Analyze usage patterns and preferences

  • Develop new features and functionality

  • Optimize performance and user experience

  • Train and improve our AI models (using anonymized data only)

Communicate with You:

  • Send service updates and notifications

  • Respond to support requests

  • Provide regulatory alerts and industry news

  • Send marketing communications (with consent)

Ensure Security and Compliance:

  • Detect and prevent fraud

  • Monitor for security threats

  • Maintain audit logs for compliance

  • Enforce our Terms of Service

6. Data Sharing and Disclosure

6.1 Service Providers

We share data with trusted service providers who assist us in operating the Service:

  • Outseta - Authentication and subscription management

  • OpenAI and Anthropic - Document analysis and AI processing

  • Mapbox - Geographic search and mapping

  • Postmark - Email notifications

  • Cloud Infrastructure Providers - Data hosting and storage

All service providers are contractually required to protect your data and use it only for providing services to us.

6.2 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

6.3 Legal Requirements

We may disclose your information if required to:

  • Comply with legal obligations

  • Respond to valid legal requests

  • Protect our rights and property

  • Prevent fraud or security issues

  • Protect the safety of any person

6.4 Aggregated Data

We may share aggregated, anonymized data that cannot identify you, such as industry trends and usage statistics.

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

Technical Measures:

  • Encryption in transit (TLS/SSL)

  • Encryption at rest for sensitive data

  • Secure authentication with JWT tokens

  • Regular security audits and penetration testing

  • Virus scanning for uploaded files

  • Rate limiting and DDoS protection

Organizational Measures:

  • Access controls and authentication

  • Employee training and confidentiality agreements

  • Regular security reviews

  • Incident response procedures

  • Data minimization principles

8. Data Retention

We retain your personal data only as long as necessary:

  • Account Data: For the duration of your account plus 30 days after closure

  • Transaction Records: 7 years for tax and accounting purposes

  • Uploaded Documents: 90 days after processing (unless you delete sooner)

  • Usage Logs: 12 months for security and analytics

  • Marketing Data: Until consent is withdrawn

You may request deletion of your data at any time, subject to legal retention requirements.

9. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

9.1 Access

Request a copy of the personal data we hold about you.

9.2 Rectification

Request correction of inaccurate or incomplete data.

9.3 Erasure

Request deletion of your data ("right to be forgotten").

9.4 Restriction

Request we limit processing of your data.

9.5 Portability

Receive your data in a structured, machine-readable format.

9.6 Object

Object to processing based on legitimate interests or direct marketing.

9.7 Automated Decision-Making

Not be subject to decisions based solely on automated processing.

9.8 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@machu.ai. We will respond within one month of receipt of your request, though we may extend this by two months for complex requests. We will not charge a fee unless your request is manifestly unfounded or excessive.

9.9 Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the ICO (details in Section 17).

10. International Data Transfers

As our service providers may process data outside the UK, we ensure appropriate safeguards are in place:

  • UK-approved standard contractual clauses

  • Adequacy decisions recognised by the UK government

  • Appropriate technical and organisational measures

All transfers comply with Chapter V of the UK GDPR.

11. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware of such collection, we will delete the data immediately.

12. Cookie Policy

12.1 Essential Cookies

Required for the Service to function:

  • Session management

  • Authentication tokens

  • Security features

12.2 Analytics Cookies

Help us understand Service usage:

  • Page views and navigation

  • Feature usage statistics

  • Performance metrics

12.3 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain Service features.

13. Marketing Communications

13.1 Opt-in

We will only send marketing emails with your consent.

13.2 Opt-out

You can unsubscribe from marketing emails:

  • Using the unsubscribe link in any marketing email

  • Updating your account preferences

  • Contacting us at support@machu.ai

13.3 Service Communications

We may send non-marketing communications necessary for the Service (security alerts, regulatory updates, account notifications).

14. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for their privacy practices. We encourage you to review their privacy policies.

15. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

  • We will notify the ICO within 72 hours

  • We will notify affected users without undue delay

  • We will provide information about the breach and our response

16. Updates to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via:

  • Email notification

  • Prominent notice on the Service

  • Requiring acknowledgment for continued use

17. Contact Information

For privacy-related questions or to exercise your rights:

Email: support@machu.ai

Supervisory Authority:
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: https://ico.org.uk
Phone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

18. Accessibility

We are committed to making this Privacy Policy accessible to all users. If you need this policy in an alternative format, please contact us.