On the bench How it works Compatibility Marketplace Pricing Community Docs Download

Privacy Policy

Effective date: May 6, 2026 Version: 1.0 Last updated: May 6, 2026

In 30 seconds

  • Muxit runs on your machine. Your scripts, connectors, dashboards, and device communication never leave your computer unless you explicitly enable a feature that sends them somewhere.
  • We collect the minimum we need to run the waitlist, sell licenses, validate them, and — only if you choose to use Muxit’s managed AI — proxy AI requests.
  • We do not store the content of your AI prompts, tool calls, or AI responses beyond what is needed to bill and rate-limit your usage.
  • Voice input goes through your browser’s built-in speech recognition — never through Muxit’s servers.
  • We are based in the Netherlands. Where possible, your data stays in the EU.
  • You can ask us at any time what we have on you, get a copy, or have it deleted: info@muxit.io.

This policy explains the details.

1. Who we are

The “controller” of your personal data — the company that decides what happens with it — is:

Keuper Ventures BV Papenvoort 67, 5663 AE Geldrop, the Netherlands Chamber of Commerce (KvK): 56948964 Email: info@muxit.io

Muxit is a product of Keuper Ventures BV. Where this policy says “we”, “us”, or “Muxit”, it means Keuper Ventures BV.

We are not required to appoint a Data Protection Officer under the GDPR (Dutch: AVG), but you can reach us about privacy matters at the email address above.

2. What this policy covers

This policy applies to:

  • The website muxit.io and any subdomain we operate (including docs.muxit.io and api.muxit.io)
  • The Muxit software you install on your own machine, where that software communicates with our backend (license activation, AI proxy, updates)
  • Our email and Discord communications with you as a customer or waitlist member

It does not cover:

  • Third-party services we link to (GitHub, Discord, Polar, AI providers) — those have their own privacy policies, and we list the relevant ones below.
  • What happens inside your local Muxit installation. Your scripts, connectors, dashboards, and device communication are stored on your own machine and we have no access to them.

3. The data we process, and why

We group personal data into a few categories. For each category we tell you what we collect, why, and on what legal basis under Article 6 of the GDPR.

3.1 Waitlist sign-ups

What: Your email address, the date you signed up, and (if you tell us) what you intend to use Muxit for. Why: To send you the launch announcement and occasional updates about the beta. Legal basis: Your consent (Article 6(1)(a) GDPR), given by submitting the form. You can withdraw at any time by clicking “unsubscribe” or emailing us. Retention: Until you unsubscribe, or 24 months after your last interaction with us — whichever comes first.

3.2 Subscription and one-time purchases

What: Your name, email, billing address, country, VAT number (if you provide one), and the products and amounts you purchased. Payment card data is handled by our payment processor (see §4) — we never see or store it. Why: To process your order, deliver your license, send invoices, comply with tax law, and provide customer support. Legal basis: Performance of a contract with you (Article 6(1)(b)) and our legal obligations (Article 6(1)(c), notably the seven-year tax retention rule of Article 52 of the Dutch General State Taxes Act). Retention: For seven years after the end of the financial year, as required by Dutch tax law. Where you hold a long-running or lifetime entitlement (for example, a perpetual driver licence), the minimum order metadata needed to verify that entitlement (which products, when, against which licence) is kept for as long as the entitlement is active and for up to 24 months after it ends.

3.3 License activation

What: Your license key (or a hash of it), a machine fingerprint, an instance name you choose, your IP address at activation, and the timestamp of each periodic license check.

The machine fingerprint is a SHA-256 hash computed locally on your machine from a small set of stable identifiers: your operating-system machine name, your operating-system user name (yes — your local OS account name, hashed; we never see it in plain text), up to three active MAC addresses (sorted, with loopback and tunnel interfaces excluded), and an OS-installation identifier (/etc/machine-id on Linux, HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid on Windows, the IOPlatformUUID on macOS). The Software sends only the resulting hash and a list of per-component hashes (used to tolerate minor changes such as swapping a network adapter); the underlying values themselves are not transmitted. Why: To prevent abuse of license keys, to enforce the activation limit per license, and to give you a working installation. Legal basis: Performance of a contract (Article 6(1)(b)) and our legitimate interest in preventing license abuse (Article 6(1)(f)). Retention: For as long as your license is active, plus twelve months after expiry or deactivation.

3.4 AI proxy usage — only when you use Muxit’s managed AI

This section applies only if you use Muxit’s built-in managed AI features (chat, voice, the ai() function in scripts, AI-assisted SCPI authoring) on a paid plan. It does not apply if you use:

  • MCP with your own AI provider key — available on every tier, including Free. Your requests go directly from your AI client (Claude Desktop, Claude Code, ChatGPT, any MCP-aware client) to the AI provider whose key you supplied. We are not in the path and have no record of your prompts or usage.
  • Local LLMs via Ollama or LM Studio (Pro tier and higher) — your requests never leave your machine.

When you use Muxit’s managed AI, we record the following:

What: Your user identifier (linked to your license), the AI model you used, the number of input and output tokens, the cost in credits, and the timestamp. Why: To bill credits, enforce rate limits, prevent abuse, and let you see your usage on a future dashboard. Legal basis: Performance of a contract (Article 6(1)(b)) and our legitimate interest in fraud and abuse prevention (Article 6(1)(f)). Retention: Detailed records for 90 days; aggregated daily totals (no prompt content) for 24 months for analytics and billing reconciliation.

We do not retain the content of your prompts, tool calls, or AI responses on our servers. Requests pass through api.muxit.io to OpenRouter, which forwards them to the model provider. The proxy logs only the metadata listed above. The AI providers themselves may retain content briefly for safety review — see §4.

3.5 Voice (speech recognition and read-aloud)

Voice input in Muxit uses your browser’s built-in Web Speech API to convert what you say into text. This is a feature of the browser itself — not a service we operate.

What this means in practice:

  • The audio of your voice does not pass through Muxit’s servers. We never receive or store it.
  • Your browser sends the audio to its own speech recognition service to transcribe it. On Chromium-based browsers (Chrome, Edge, Brave, and the Electron build of Muxit), this is typically Google’s speech recognition service. Other browsers may use their own provider or perform recognition locally.
  • The transcribed text of your prompt then takes the same path as any other AI prompt — see §3.4 if you use Muxit’s managed AI, or no path through us at all if you use MCP or a local LLM.
  • For read-aloud (text-to-speech), Muxit also defaults to your browser’s built-in speech synthesis. Some browsers perform this locally; others may stream it from a cloud voice. We do not control or see this audio.

If we ever add an optional cloud-based voice provider for higher quality (for example, ElevenLabs for premium voices), we will list it in the sub-processor table in §4 and update this policy at least 14 days before the change takes effect.

Legal basis: Performance of a contract (Article 6(1)(b)) for the parts of this flow we are involved in. Retention: Not applicable for audio — we never receive it.

3.6 Customer support and email correspondence

What: Your email, the content of your message, and any attachments you send us. Why: To answer your question, fix your bug, or fulfil your support request. Legal basis: Performance of a contract (Article 6(1)(b)) for paid users; legitimate interest (Article 6(1)(f)) for non-customers. Retention: 24 months from the last message in the thread.

3.7 Website server logs

What: Standard server logs at our hosting provider — IP address, request line, response code, user-agent — recorded for security and abuse prevention. Why: To detect attacks, debug broken links, and absorb traffic spikes. Legal basis: Legitimate interest (Article 6(1)(f)). Retention: No longer than 30 days.

We currently use no website analytics at all on muxit.io. We do not run Google Analytics, Meta Pixel, Plausible, Cloudflare Web Analytics, or any other analytics product, and we do not set advertising or tracking cookies. The only data the site retains beyond the page you are looking at is the short-lived server log described above. If we ever introduce analytics, we will list the provider in §4 and update this policy at least 14 days before the change takes effect.

3.8 Discord community

What: Your Discord handle and the messages you post in our community channel. Why: To run the community. Legal basis: Your consent (Article 6(1)(a)) given when you join the server. Retention: As long as you stay in the server. Discord retains messages under its own policy.

4. Who we share data with

We use a small number of trusted third parties to run Muxit. Their role under the GDPR differs by provider, as shown in the Role column. We are bound by a data processing agreement (DPA) with every party that acts as our processor; for parties that are independent or joint controllers, their own privacy notice governs what they do with the data after it reaches them.

ProviderRoleWhat they do for usWhere they’re basedPersonal data they receive
Cloudflare, Inc.ProcessorWebsite hosting, DNS, DDoS protection, EU-located D1 database and Durable Objects for our backendUnited States, with EU data residency configured (--jurisdiction eu)All data we store server-side (waitlist, licenses, AI usage metadata)
Polar (Polar Software, Inc.)Independent controller (Merchant of Record)Payment processing as Merchant of Record for all subscriptions and one-time purchases. The legal seller of your purchase is whichever Merchant of Record is shown at checkout (currently Polar Software, Inc.) — they invoice you in their own name and act as controller for the payment data.United StatesName, email, billing address, payment data, purchase history
OpenRouter, Inc.ProcessorRoutes AI requests to underlying language model providers — only engaged when you use Muxit’s managed AI. Not in the path for MCP-with-your-own-key or local LLM usage.United StatesAI prompts and responses in transit (not stored by us)
Anthropic, OpenAI, Google, and other model providersIndependent controller (subject to their own retention for safety review)Run the language models that respond to your AI prompts — only engaged when you use Muxit’s managed AI. They may retain prompt content briefly under their own policies.United States and EUThe content of your AI prompts and tool call results during the request
Your browser vendor (typically Google for Chromium-based browsers)Not contracted by usSpeech recognition through the Web Speech API when you use voice input. This is not a service we contract — it is your browser’s built-in feature. We list it here for transparency about where audio actually goes.Depends on your browserAudio of your voice prompts
GitHub, Inc.Independent controllerHosting our public repository at github.com/muxit-io/muxit and download distributionUnited StatesOnly what you choose to share with GitHub (issues, comments, stars)
Discord, Inc.Independent controller (platform)Community server. Discord operates the platform under its own terms; we do not control how it processes your data there.United StatesYour Discord handle and messages, if you join
Email service provider (Google)ProcessorSending transactional and waitlist emailsUnited StatesYour email address and message content

We do not sell your personal data. We do not share it for advertising. We only disclose it to others where:

  • the law requires us to (for example, a court order or a tax audit);
  • you have asked us to (for example, to your accountant);
  • it is needed to deliver Muxit to you, in which case it goes to the providers listed above.

5. International transfers

Some of the providers listed in §4 are based in the United States. When personal data leaves the European Economic Area, we rely, depending on the provider, on:

  • the EU-U.S. Data Privacy Framework (DPF) where the receiving company holds an active certification listed at https://www.dataprivacyframework.gov; or
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914), with supplementary technical and organisational measures where appropriate.

For Cloudflare specifically, our D1 database and Durable Objects are configured with --jurisdiction eu, so the bulk of the data we store physically remains within the European Union.

The transfer mechanism we rely on for each individual provider, and the current DPF certification status (where applicable), can be requested at any time by emailing info@muxit.io. We will respond with the up-to-date list, including links to each provider’s certification record where one exists.

6. What stays on your machine

Muxit is a local-first product. The following never leaves your computer unless you explicitly trigger a feature that sends it:

  • Your scripts, connector configurations, dashboards, and agent files.
  • The data your devices send to Muxit and the commands Muxit sends back.
  • Your workspace files, logs, and local cache.

If you enable an AI feature, only the specific prompt and tool calls relevant to that AI request are sent to our proxy. If you use MCP with your own AI provider key, even that does not pass through us.

If you enable remote access (LAN, VPN, or Tailscale), the data flows directly between your devices and the network you configured. We are not in the path.

7. AI-specific transparency

Because “AI controls hardware” is one of Muxit’s core features, we want to be explicit about what happens to AI data. There are three independent paths, and only one of them involves our servers:

  • Built-in Muxit AI (Maker tier and up). Your prompts and tool call results are sent to api.muxit.io, which forwards them to OpenRouter and from there to the model provider you (or we) selected. We do not store the content. OpenRouter and the model provider may retain it briefly for safety classification and abuse prevention, under their own policies. This is the only path where Muxit servers, OpenRouter, and downstream model providers are involved.
  • MCP with your own key (every tier, including Free). Requests go directly from your AI client (Claude Desktop, ChatGPT, Claude Code, etc.) to your provider using your API key. They never touch our servers, OpenRouter, or our managed model providers.
  • Local LLMs (Pro tier and up). Requests go to your local Ollama or LM Studio instance and never leave your machine.

Voice input is independent of all three of the above — it always goes through your browser’s Web Speech API (typically Google for Chromium browsers). See §3.5.

Tool call results may include device data. When an AI agent reads a sensor or calls a connector method, the value returned (a voltage, an image from a camera, a robot position) becomes part of the prompt to the next AI call. If your bench handles sensitive data, prefer the local LLM or MCP-with-your-own-key path.

Based on the general-purpose orchestration use described in our documentation, we do not design or market Muxit as a high-risk AI system within the meaning of Annex III of the EU AI Act. The classification of any concrete deployment can depend on the context, the integration, and the operator’s intended use. If you intend to use Muxit in a regulated, safety-critical, or high-risk context, please contact us before deployment so we can scope a separate assessment and agreement.

8. Cookies and similar technology

The Muxit website uses only strictly necessary cookies and tokens: a security token from our hosting provider, and a session indicator if you log in to a future customer portal.

We do not use advertising cookies, social media trackers, or analytics that identify you personally. If we ever add tools that require consent under the Dutch Telecommunications Act, we will ask you first through a cookie banner and update this policy.

The Muxit software you install does not set browser cookies; it uses local files in your workspace folder.

9. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you and receive a copy.
  • Rectify data that is inaccurate or incomplete.
  • Erase data (“right to be forgotten”), subject to retention obligations such as the seven-year tax rule.
  • Restrict the processing of your data while a dispute is resolved.
  • Object to processing based on legitimate interest, including direct marketing.
  • Data portability — receive your data in a structured, machine-readable format.
  • Withdraw consent at any time, where consent is the legal basis. Withdrawal does not affect processing that already happened.
  • Not be subject to automated decisions with legal or similarly significant effect. We do not make such decisions about you.

To exercise any of these rights, email info@muxit.io. We will respond within one month, in line with Article 12(3) GDPR. We may ask you to confirm your identity before acting, particularly for access and erasure requests.

If you are unhappy with our response, you have the right to lodge a complaint with the Dutch supervisory authority:

Autoriteit Persoonsgegevens Postbus 93374, 2509 AJ Den Haag autoriteitpersoonsgegevens.nl

If you live in another EU country, you may also complain to your local supervisory authority.

10. Security

We take reasonable technical and organisational measures to protect your data, including:

  • TLS for all data in transit between your browser, the Muxit software, and our backend.
  • Encryption at rest in our database, hosted in the EU.
  • Strict access controls — only the people who need data to do their job can reach it.
  • Hashed (not plaintext) storage of license keys and machine fingerprints where feasible.
  • A documented security review before each major release.

No system is perfectly secure. If we ever detect a personal data breach that is likely to result in a risk to your rights, we will notify the Dutch supervisory authority within 72 hours and tell you directly when required by Article 34 GDPR.

To report a security issue, email info@muxit.io.

11. Children

Muxit is a tool for makers, engineers, and researchers. It is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has given us personal data, email info@muxit.io and we will remove it.

12. Changes to this policy

We may update this policy as Muxit evolves — for example, when we add a new sub-processor, launch a new feature, or change retention periods. When we do:

  • We update the “Last updated” date at the top.
  • For material changes, we will email everyone on our waitlist or with an active license, and post a notice on muxit.io at least 14 days before the change takes effect.

The current version is always at muxit.io/legal/privacy. Older versions are available on request.

13. Contact

For privacy questions, requests under §9, security issues, or anything else covered by this policy:

Email: info@muxit.io Postal: Keuper Ventures BV, Papenvoort 67, 5663 AE Geldrop, the Netherlands

This policy is governed by Dutch law. Any dispute about how we handle your personal data may also be brought before the Dutch supervisory authority (Autoriteit Persoonsgegevens) or the competent Dutch court.