PatchBuddy. Get started
Legal

Privacy policy.

Last updated: 5 May 2026

How Cirql Works Ltd ("we", "us") handles your data when you use PatchBuddy. Plain English first; legal precision second.

1. Who we are

PatchBuddy is a trading name of Cirql Works Ltd, registered in England & Wales (company number 16173373), VAT GB483372767. Throughout this policy "we", "us", and "our" mean Cirql Works Ltd. "You" means anyone using PatchBuddy on behalf of an integration agency.

We're the data controller for personal data we collect about you (the operator). We're the data processor for content you put into the product — see Section 6.

Contact for any privacy enquiry: privacy@patchbuddy.ai.

2. What we collect

When you sign up for and use PatchBuddy, we collect:

  • Account data — your name, work email, agency name, password hash.
  • Billing data — billing address and tax info for invoicing. Card details are handled by Stripe; we never see them.
  • Patchworks API credentials — encrypted at rest, decrypted only at the moment of an outbound API call. Never logged.
  • Usage data — chat counts, model selections per turn, token usage, feature interactions, errors. Used to bill, debug, and improve.
  • Server logs — IP address, user-agent, timestamps. Retained 30 days for security and abuse investigations.
  • Cookies — strictly necessary cookies for security and consent storage are set without asking. The optional CirqlCRM live-chat cookie is only set after you accept it on the consent banner. No advertising / no analytics / no remarketing cookies. Full list on the cookie policy page.

3. Why we process it

  • Run the service — authentication, routing chats, billing.
  • Improve the platform — aggregated, de-identified usage data to spot errors and shape new features.
  • Comply with our obligations — invoicing, tax records, legal requests.

Lawful bases under UK GDPR Article 6: contract performance (running the service you signed up for), legitimate interests (security, fraud prevention, product improvement), and consent for any non-essential marketing email (which we currently don't send anyway).

4. Who we share data with

We use a small set of third-party processors:

  • Stripe Inc. — payments and subscription management (PCI-DSS Level 1 certified).
  • Cloudflare Inc. — DNS, edge caching, DDoS protection, and Pages hosting for this marketing site.
  • DigitalOcean LLC — application hosting and managed database.
  • Anthropic, OpenAI, DeepSeek, Moonshot AI, Mistral (and other model providers we add over time) — AI inference. Each turn's chat is sent to whichever model the operator selected for that turn.
  • CirqlCRM — live-chat widget on the marketing site (this site, patchbuddy.ai). Operated by Cirql Works Ltd, the same legal entity as PatchBuddy, so this is a first-party processor in practice.

We do not sell your personal data. We do not share it with advertising networks.

5. International transfers

Some processors above are based outside the UK / EEA — primarily in the United States. We rely on the UK International Data Transfer Agreement (IDTA) and the EU's Standard Contractual Clauses where applicable, plus any provider-specific safeguards (Stripe and Cloudflare are certified to the EU-US Data Privacy Framework, for example).

6. Content you put into AI chats

This is the part agencies care about most. Read it once carefully.

When you use PatchBuddy to build a flow, you (or members of your agency) type or paste content into a chat: integration briefs, API specs, sample payloads, configuration values, screenshots, files. That content is sent to whichever AI model you selected for that turn so the model can respond.

Cirql Works and PatchBuddy do not originate that content. The agency operating the chat is the data controller for everything that goes into it, including any personal data of end-customers, employees, or third parties that the agency chooses to put in front of the model. The agency is responsible for:

  • Having a lawful basis to process that data;
  • Obtaining any consents required from end-customers or data subjects;
  • Redacting or anonymising data the agency does not want sent to a third-party AI provider;
  • Complying with the agency's own privacy notices and data-processing agreements with its clients.

We act as the data processor. We pass the chat content to the AI provider you selected, store the resulting transcript so you can refer to it later, and bill you for the tokens used. We do not review, mine, or monetise the content of agency chats. We do not use them to train models — see the AI Policy for the operational detail.

PII randomisation runs by default. Before any chat content reaches an AI provider, PatchBuddy replaces customer names, email addresses, phone numbers, and postal addresses with locale-coherent fakes. System identifiers (order IDs, SKUs, country codes, prices, timestamps) are preserved so the model can still reason. The randomisation map is held in the runtime scope of the chat and is not stored or cached on our infrastructure. The agency can toggle this off per organisation when a specific support task requires raw data; the change is logged. Full operational detail on the Privacy by default page.

If you need a Data Processing Agreement (DPA) for your records, contact privacy@patchbuddy.ai.

7. Data retention

  • Account data — for as long as your account is active. Deleted within 30 days of account closure, except where we're required to retain billing records (UK tax law: 6 years from the end of the financial year).
  • Chat transcripts — kept indefinitely while the project is active so you can refer back to them. Archived projects retain their chats. Deleted within 30 days if you delete the project or close the account.
  • Server logs — 30 days, then automatic deletion.
  • Billing records — 6 years (UK statutory requirement).

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you;
  • Have it corrected if inaccurate;
  • Have it erased ("right to be forgotten") subject to our legal retention obligations;
  • Restrict or object to certain processing;
  • Export your data in a portable format;
  • Withdraw any consent you previously gave.

Email privacy@patchbuddy.ai with the request. We respond within one calendar month.

If you're unhappy with how we've handled a request, you can complain to the UK Information Commissioner's Office (ico.org.uk).

9. Children's data

PatchBuddy is a B2B product for integration agencies. We don't knowingly collect data from anyone under 16. If you believe we have, contact us and we'll delete it.

10. Changes to this policy

We update this page when our processing practices change. The "Last updated" date at the top reflects the most recent revision. Material changes are announced in-app at least 30 days before they take effect.

11. Contact

Cirql Works Ltd
Registered in England & Wales · Company number 16173373
VAT GB483372767

Privacy enquiries: privacy@patchbuddy.ai