Home/Legal/AI policy

Legal · last updated 28 May 2026

AI policy.

We build AI into client systems and ship AI products for a living. This page describes how we use AI across the CirqlWorks group, the human-oversight guardrails that apply to every output, and how we handle customer data when AI tooling is involved.

1. Where we use AI

We use AI to assist with tasks across our delivery practice and inside our products: code generation, integration design suggestions, documentation, support triage, data-mapping recommendations, internal productivity, and the end-user features in our SaaS products.

AI augments the engineering team; it does not replace the engineering decision-making in service work delivered through eCirql. Every output produced for a client engagement is reviewed by a qualified engineer before it reaches a client environment. PatchBuddy.ai is an AI agent that operates on Patchworks tenants; it runs under the same oversight rules described here when deployed against client work. PatchScript uses AI to suggest and review Patchworks scripts; the developer remains in control of what is committed. CirqlCRM uses AI to draft follow-ups and triage the inbox; suggestions are surfaced for the operator to approve.

2. Human oversight

No AI-generated code, configuration or advice is deployed to a client system without human review. An engineer is accountable for every change made on behalf of a client, regardless of which tools produced it. AI output is treated as a draft, not a deliverable.

For agentic deployments (including PatchBuddy.ai), the agent surfaces decisions for human approval at every meaningful execution step. Read-only actions can run autonomously; anything that mutates a system requires explicit operator sign-off.

3. Customer data and privacy

We do not submit client production data, credentials or personally identifiable information (PII) into public AI tools. Where AI assistance is genuinely required on client-related material, we use enterprise-grade providers with data-processing agreements that prohibit training on submitted inputs.

For features in our products that involve AI processing of customer data, we document the AI step clearly, name the provider, and surface it to the operator at the point of use. PatchBuddy.ai replaces PII with locale-coherent fakes before any external inference call by default; the merchant can additionally select EU-hosted models on a per-turn basis where regulatory posture requires it.

4. Security

AI tools used internally and in client engagements are vetted against the same security criteria we apply elsewhere in our development environment: data residency, encryption in transit and at rest, access controls, audit logging and vendor-side compliance posture. Access is limited to authorised team members.

Where an engagement has bespoke security requirements (regulated industries, high-sensitivity data), we agree the AI toolchain explicitly at scoping rather than defaulting to the tools we use for general work.

5. Transparency

Customers can ask about AI involvement in any specific deliverable or product feature. We will tell you which tools were used, at what point in the work, and what an engineer reviewed before the output reached your environment. This is part of the audit trail we maintain on every engagement.

6. Continuous review

The AI tools and the policy that governs them are reviewed regularly. Where the model landscape, the regulatory landscape or the threat landscape moves, we update our posture and update this page. The date at the top of the policy reflects the most recent review.

7. Contact

Questions about how we use AI on your engagement, on your CirqlCRM tenant, or about this policy generally should be directed to the legal contact form.

See also: privacy policy, cookie policy, terms of agreement.