Privacy Policy
Last updated: 4th May 2026
This Privacy Policy outlines how we collect, use, protect, and share information about you when you use our media form, media channel, software, application, mobile website or mobile application related, linked, or otherwise connected thereto (collectively, the "Service") through access to and use of the machined.ai website (the "Website") operated by Sibu Ventures Ltd ("us", "we", "our" or “Sibu Ventures”). By accessing or using the Website and/or the Service, you agree to this Privacy Policy.
We value your privacy and strive to protect your personal data in compliance with global privacy standards, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA).
Definitions
- Personal Data: Information about an individual that can be identified from those data (or from those and other information either in our possession or likely to come into our possession).
- Usage Data: Data collected automatically, generated by the use of the Service or from the Service infrastructure itself (e.g., the duration of a page visit).
- Cookies and Similar Technologies: Cookies, localStorage, sessionStorage, and similar mechanisms used to store information on, or read information from, your device.
- Data Controller: For the purposes of this Privacy Policy, we are the Data Controller of your Personal Data.
- Data Processors (Service Providers): Any natural or legal person who processes the data on behalf of the Data Controller.
- Data Subject (User): Any living individual who is using our Service and is the subject of Personal Data.
Data Controller
Sibu Ventures Ltd (“Sibu Ventures”, “we”, “us”, or “our”) is the Data Controller responsible for your personal data.
Registered Office: Suite A, 82 James Carter Road, Mildenhall, IP28 7DE, United Kingdom
Company Number: 14958943
Contact: privacy@machined.ai
Types of Data Collected
(a) Personal Information You Disclose to Us
We collect personal information that you voluntarily provide when you register, express interest in obtaining information, use our services, or contact us. This may include:
- Contact Information: Name, business name, email address, website URL.
- Credentials: Passwords, authentication data, and API keys.
- Payment Information: Payment instrument details (e.g., credit card number). Payment data is processed by our payment provider Stripe and not stored on our servers.
- Stripe’s Privacy Policy: https://stripe.com/privacy
(b) Information Automatically Collected
- Usage Data: Includes your IP address, browser type and version, pages visited, date/time of visit, time spent on pages, and device identifiers.
- Approximate Location Data: We do not request precise device-level location (GPS) or browser geolocation permissions. However, several of our service providers (including Intercom, PostHog, Sentry, and Vercel) automatically derive approximate location — typically country, region, and sometimes city — from your IP address. This is used to route customer support, generate aggregate analytics, diagnose errors, and detect abuse. Stripe additionally processes the full billing address you provide for payment and tax compliance purposes.
(c) Cookies and Similar Technologies
We do not use cookies or similar tracking technologies for advertising or cross-site profiling. We do use product analytics (PostHog) and Vercel Analytics, which may set first-party cookies or use similar storage to count sessions, identify returning visitors, and measure feature usage; these are described under "Analytics & Monitoring" below. The other technologies we use are limited to the following:
On our marketing website (machined.ai):
- Affiliate attribution (Tolt): When a visitor arrives via an affiliate link containing an affiliate URL parameter, our affiliate provider Tolt records the referring affiliate using browser storage (localStorage and/or a first-party cookie) so that a future signup can be attributed to the correct affiliate. The Tolt script is loaded on every page of our marketing website. No personal data is collected through this mechanism. You can block this by disabling third-party scripts or browser storage in your browser settings, without affecting your ability to use the Service.
- Testimonial widget (Senja): Our homepage embeds a third-party widget from Senja that displays customer testimonials. When the widget loads, Senja may set cookies or use similar storage in your browser. We do not control these cookies; please refer to Senja's Privacy Policy for details. You can block this by disabling third-party scripts or browser storage. Senja is also used within the Machined application to collect testimonials via Senja-hosted forms; if you choose to use those forms, Senja may set cookies on its own domain in connection with that submission.
Within the Machined application (logged-in users):
- Authentication and session cookies (Supabase): Strictly necessary first-party cookies that keep you signed in and secure your session.
- Site access cookies: Where applicable, strictly necessary cookies are used to remember basic password access and to permit access during maintenance windows.
The session, authentication, and site-access cookies described above are first-party and strictly necessary for the Service to function. PostHog and Vercel Analytics may set additional first-party cookies or use similar storage for product analytics; these are not used for advertising or cross-site tracking. Because we do not set advertising or cross-site profiling cookies, we do not display a cookie consent banner. If you are subject to UK PECR or EU ePrivacy rules and require granular consent for analytics, please contact privacy@machined.ai.
How We Use Your Information
We process your personal data to:
- Provide, maintain, and improve our Service
- Notify you about updates and changes
- Enable participation in interactive features
- Provide customer care and support
- Conduct analytics to improve performance
- Monitor and prevent security or technical issues
- Fulfil contractual obligations and process payments
- Comply with legal requirements
Lawful Basis for Processing
Under both the UK GDPR and EU GDPR, we rely on one or more of the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Account registration and service delivery | Performance of a contract (Art. 6(1)(b)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Testimonial submission and publication | Consent (Art. 6(1)(a)) |
| Analytics and service improvement | Legitimate interests (Art. 6(1)(f)) |
| Legal and compliance obligations | Legal obligation (Art. 6(1)(c)) |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) |
Administrative Access
We may access your personal data to:
- Provide customer support and assistance. This includes responding to your inquiries, requests for technical support, and other customer support requests.
- Investigate and respond to complaints or concerns. This includes investigating and responding to complaints or concerns about our Service, including complaints or concerns about the completenes or accuracy of the information we have collected about you.
- Ensure compliance with our policies and legal requirements such as the GDPR and other data protection laws.
- Protect our rights and property. This includes protecting our rights and property, including our intellectual property rights and our property rights.
This access is required for us to provide you the best possible service and to comply with our legal obligations. The access is limited to the minimum necessary to perform the tasks described above.
Data Sharing and Sub-Processors
We share personal data with the following third-party service providers acting as data processors. All processors have Data Processing Agreements in place and are required to handle your data in accordance with applicable data protection law.
We may also share your personal information in connection with a merger, acquisition, or sale of assets, or when disclosure is necessary to comply with law, protect rights, prevent fraud, or ensure safety.
Infrastructure & Hosting
| Provider | Purpose | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| Supabase | Database & authentication | Account data, content, usage data | EU | N/A |
| Vercel | Application hosting | Request logs, IP addresses | US | SCCs |
| Render | Background job processing (worker tier) | Job metadata, article/project identifiers | US | SCCs |
| Inngest | Background job orchestration (article and content cluster generation) | User ID, project ID, article ID, keywords, titles, target audience, research settings, custom instructions, media settings | US | SCCs |
Legacy Sub-Processors (Decommissioning)
As part of our recent platform migration, the following service is being decommissioned. We have stopped sending new data to it and are working to delete all residual data. Until that deletion is complete, the service remains a sub-processor for the data it still holds. We are targeting full deletion by the end of June 2026.
| Provider | Status | Data Still Held | Location | Transfer Mechanism |
|---|---|---|---|---|
| Bubble.io | Frozen snapshot; no longer receiving updates; full deletion targeted by end of June 2026 | Full historic database from our previous platform as of the migration date, including account data, content, and usage data. The database is not synchronised with our current platform and is no longer used to deliver the Service. | US | SCCs |
AI Processing
| Provider | Purpose | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| Anthropic | AI content generation | Keywords, article briefs, generated content | US | SCCs |
| OpenAI | AI content generation & embeddings | Keywords, article briefs, generated content | US | SCCs |
| Google (Gemini) | AI content generation | Keywords, article briefs, generated content | US | SCCs |
| OpenRouter | AI routing fallback and BYOK pass-through (forwards requests to Anthropic, OpenAI, or Google Gemini) | Keywords, article briefs, generated content, request metadata | US | SCCs |
| Perplexity | Deep research and grounded query responses | Research queries and source URLs | US | SCCs |
| Black Forest Labs (Flux) | AI image generation | Image prompts, generated images | EU/US | SCCs |
| Langfuse | AI quality monitoring & service improvement | AI prompts, generated outputs, model usage metadata | EU | N/A |
Note on AI processing: When you use Machined to generate content, your inputs (keywords, article briefs, brand voice settings, image prompts) and the resulting outputs are processed by the AI providers listed above solely to deliver the service. Anthropic, OpenAI, Google (Gemini), OpenRouter (which routes only to Anthropic, OpenAI, or Gemini), and Langfuse do not use your data to train their AI models under our agreements with them. Perplexity and Black Forest Labs may, under their respective terms, use submitted prompts and outputs to operate, secure, and improve their services, including model improvement; please see their privacy policies (Perplexity, Black Forest Labs) for details. We minimise the data we send to these providers to what is necessary to fulfil your request. Generated content is also monitored via Langfuse for service quality and improvement.
Payments & Communications
| Provider | Purpose | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| Stripe (Stripe Payments Europe, Limited) | Payment processing | Billing information, transaction data | EU (Ireland) | N/A |
| Loops | Transactional & marketing email | Email address, name, account status | US | SCCs |
| Intercom | Customer support | Name, email, support conversation data | US | SCCs |
Analytics & Monitoring
| Provider | Purpose | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| PostHog | Product analytics (signed-in app and marketing site) | Pseudonymous user ID, workspace ID, role, plan, BYOK status, usage events, page views, IP-derived approximate location | EU | N/A |
| Vercel Analytics | Privacy-focused page-view analytics (marketing site and app) | Page URLs, referrers, viewport, anonymised visitor signals | US | SCCs |
| Sentry | Error monitoring | Error logs, stack traces, pseudonymous user identifiers | US | SCCs |
| ChartMogul | Subscription & revenue analytics (MRR, churn, retention) — ingests subscription data from Stripe | Customer name, email, billing country, subscription plan, transaction and subscription event data (sourced from Stripe) | EU (Germany) | N/A |
Research & Search
| Provider | Purpose | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| Firecrawl | Web research (user-initiated) | URLs submitted for content research | US | SCCs |
| Serper | Search data (user-initiated) | Keywords submitted for SERP analysis | US | SCCs |
| DataForSEO | Keyword data (user-initiated) | Keywords submitted for volume/difficulty data | US | SCCs |
| Keywords Everywhere | Keyword data fallback (user-initiated) | Keywords submitted for volume/difficulty data | US | SCCs |
| ProAPIs / SerpsBot | SERP data fallback (user-initiated) | Keywords submitted for SERP analysis | US | SCCs |
| YouTube Data API (Google) | Video search (user-initiated) | Search queries submitted for video discovery | US | SCCs |
Stock Media
| Provider | Purpose | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| Unsplash | Stock image search and retrieval (user-initiated) | Search query terms | US | SCCs |
| Pexels | Stock image search and retrieval (user-initiated) | Search query terms | US | SCCs |
Affiliate & Referral
| Provider | Purpose | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| Tolt | Referral attribution (script loaded on all marketing pages) | Referral parameters, anonymised page-load events, browser storage identifiers | US | SCCs |
Embedded Content & Social Proof
| Provider | Purpose | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| Senja | Testimonial collection and display | Name, email address, testimonial content (text, video, and/or audio), optional profile metadata (job title, photo, company), IP address, widget interactions | EU | N/A |
We use Senja both to display customer testimonials on our marketing website (via an embedded widget) and to collect testimonials from users via Senja-hosted forms accessible from within the Machined application. Submission of a testimonial is entirely voluntary. Where you choose to submit one, you are giving your consent for the information you provide — including any text, image, video, or audio content — to be processed by Senja on our behalf and to be displayed publicly on our website, marketing materials, and social channels. You may withdraw your consent at any time by emailing privacy@machined.ai, in which case we will remove the testimonial from public display and request deletion from Senja. Withdrawal does not affect the lawfulness of any processing carried out before withdrawal. When the testimonial display widget loads on our website, Senja may set cookies or use similar storage technologies in your browser. For details, see Senja's Privacy Policy.
User-Connected Publishing Destinations
Where you choose to connect a third-party content management system (CMS) — such as WordPress or Webflow — Machined will, on your instruction, transmit articles, media, and metadata to that destination using the credentials you provide. These services are not our sub-processors; they are third-party services that you (or your organisation) directly contract with, and you remain the controller of any content published to them. We process the credentials and connection details you provide solely to authenticate with and publish to the destination you selected.
| Destination | Purpose | Data Transmitted |
|---|---|---|
| WordPress (self-hosted or WordPress.com) | Publishing articles and media to a user-connected WordPress site | Article content, media files, metadata, user-supplied authentication credentials |
| Webflow | Publishing articles and media to a user-connected Webflow site | Article content, media files, metadata, user-supplied authentication credentials |
Embedded media in published content. Articles published via Machined may contain references to third-party media (for example, YouTube videos). Once content is published to your CMS, the destination platform — not Machined — controls how that content is rendered to your site visitors. In particular, WordPress's built-in oEmbed feature will typically transform a YouTube URL into a standard youtube.com iframe at render time, which causes Google/YouTube to set cookies on your visitors' browsers when the page loads (not only on video play), regardless of any cookie posture Machined applies in its own preview. As the operator of the destination site, you are the controller for processing that takes place on your site, including any cookie or consent disclosures that may be required under UK PECR, EU ePrivacy, or other applicable rules. Machined does not control, and is not responsible for, embed rendering, cookies, or trackers set by third parties on your destination site.
Copies of the relevant SCCs can be requested by emailing privacy@machined.ai
Payments
We may provide paid products and/or services within the Service. In that case, we use third-party services for payment processing (e.g. payment processors).
We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy.
These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.
The payment processors we work with are: Stripe
Their Privacy Policy can be viewed at https://stripe.com/us/privacy
Retention of Data
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including:
- Account data: Retained while your account is active and for up to 3 years after closure.
- Payment records: Retained for 7 years to comply with tax and accounting laws.
- Marketing data: Retained until consent is withdrawn, with inactive contacts reviewed after 2 years.
International Data Transfers
Your personal data may be transferred to and processed in countries outside the UK or EEA.
We ensure appropriate safeguards are in place, including:
- The UK International Data Transfer Addendum (IDTA), or
- The EU Standard Contractual Clauses (SCCs).
The UK has been recognised by the European Commission as providing an adequate level of protection (Commission Implementing Decision (EU) 2021/1772), so transfers from the EEA to the UK are permitted without additional safeguards.
Copies of relevant safeguards may be requested at privacy@machined.ai.
Your Privacy Rights
Depending on your location, you have the following rights regarding your personal data:
- Access: Request a copy of the data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure (“Right to be Forgotten”): Request deletion of your personal data.
- Restriction: Request limited processing of your data.
- Data Portability: Receive your data in a structured, commonly used format.
- Objection: Object to processing based on legitimate interests or direct marketing.
- Withdrawal of Consent: Withdraw consent at any time (without affecting prior processing).
To exercise any of these rights, email us at privacy@machined.ai. We will respond within 30 days as required under the GDPR.
You also have the right to lodge a complaint:
- UK residents: With the Information Commissioner’s Office (ICO) – https://www.ico.org.uk
- EEA residents: With your local data protection authority.
EU Representative
Machined has appointed a representative in the European Union to act as our contact point for supervisory authorities and data subjects in the EU.
This representative will handle any GDPR-related inquiries or data subject requests concerning our processing of personal data of individuals located in the European Economic Area (EEA).
The representative is: Data Privacy and Security Services Ltd (Trading as Data Privacy Services)
The representative's contact details are: info@dataprivacyservices.co.uk
CCPA Privacy Rights (California Residents)
Under the California Consumer Privacy Act (CCPA), California residents have the right to:
- Know the categories of personal information we collect and how it is used
- Request deletion of personal information
- Opt out of the sale or sharing of personal information (we do not sell personal data)
- Receive equal service and price even if privacy rights are exercised
Requests can be made by emailing privacy@machined.ai.
Children’s Privacy
Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a child has provided us with data, contact us immediately at privacy@machined.ai, and we will delete it promptly.
Security of Data
We use industry-standard security measures to protect your personal data. However, no online transmission or storage system is completely secure, and we cannot guarantee absolute security.
Automated Decision-Making
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
Links to Other Sites
Our Service may contain links to third-party websites. We are not responsible for their content or privacy practices. Please review their privacy policies before providing any personal information.
Changes to This Privacy Policy
We may update this Privacy Policy periodically. Any changes will be posted on this page with an updated “Last Updated” date. Continued use of our Service after such updates constitutes your acceptance of the new terms.
Contact Us
For any questions about this Privacy Policy or your personal data, please contact us:
- Email: privacy@machined.ai
- Address: Sibu Ventures Ltd, Suite A, 82 James Carter Road, Mildenhall, IP28 7DE, United Kingdom