Transmuter.
PricingAboutLog inStart Plan Casting
Transmuter.

From plan to product.

v1.0 // acoustic-llama-962

Product

  • Pricing
  • Help Center

Company

  • About
  • Blog

Legal

  • Terms of Service
  • Privacy Policy

Connect

  • Vox
  • GitHub

© 2026 Transmuter • All rights reserved.

Privacy Policy

Effective date: March 13, 2026

ON THIS PAGE

  1. Introduction
  2. 1. Data We Collect
  3. 2. How We Use Your Data
  4. 3. Data Sharing
  5. 4. Cookies
  6. 5. Data Retention
  7. 6. Your Rights (GDPR)
  8. 7. Your Rights (CCPA)
  9. 8. Security
  10. 9. Children's Privacy
  11. 10. International Transfers
  12. 11. Changes
  13. 12. Contact Us

Introduction

Transmuter ("we," "us," or "our") operates the platform at transmuter.3mergen.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our AI-powered Plan Casting platform. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.

1. Data We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and password (hashed). If you sign up through a third-party provider (e.g., Google, GitHub), we receive your name, email, and profile identifier from that provider.

1.2 Organization and Project Data

We collect organization names, project metadata, business plan content you upload, and generated artifacts (code, specifications, audit reports). This data is necessary to deliver the Plan Casting service.

1.3 Billing Information

Payment processing is handled by Stripe. We do not store your full credit card number. We receive and store your Stripe customer ID, subscription status, plan tier, and billing history.

1.4 Usage Data

We collect information about how you interact with the platform, including pages visited, features used, session duration, browser type, device type, and IP address. This data is collected via PostHog analytics and is subject to your cookie preferences.

1.5 Credentials You Provide

If you use Bring Your Own Key (BYOK) mode, you provide API keys for third-party services. These credentials are encrypted at rest and in transit and are used solely to execute Plan Cast operations on your behalf.

2. How We Use Your Data

  • Service delivery: To operate the Plan Casting pipeline, manage your account, and deliver generated products (lawful basis: performance of a contract).
  • Billing: To process payments, manage subscriptions, and prevent fraud (lawful basis: performance of a contract).
  • Product improvement: To analyze usage patterns, fix bugs, and improve features (lawful basis: legitimate interests).
  • Communications: To send transactional emails (account updates, billing confirmations, data export notifications) and, with your consent, marketing communications (lawful basis: consent).
  • Security and compliance: To detect and prevent unauthorized access, maintain audit logs, and comply with legal obligations (lawful basis: legal obligation / legitimate interests).

3. Data Sharing

We do not sell your personal information. We share data only with the following categories of third parties, solely to deliver and improve the service:

  • Infrastructure providers: Convex (database), Vercel (hosting), and cloud infrastructure necessary to operate the platform.
  • AI service providers: Anthropic (Claude API) for AI-powered code generation and analysis. Business plan content is sent to AI models as part of the Plan Casting pipeline.
  • Payment processor: Stripe for billing and subscription management.
  • Authentication provider: WorkOS for user authentication and single sign-on.
  • Analytics: PostHog for usage analytics and feature flags (subject to your cookie consent preferences).
  • Email delivery: Resend for transactional and notification emails.
  • Logging and monitoring: Axiom for application logs and error tracking.

All third-party processors are bound by data processing agreements that require them to protect your data in accordance with applicable laws.

4. Cookies and Tracking Technologies

We use the following categories of cookies:

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled as they are necessary for the platform to function.
  • Analytics cookies: Used by PostHog to understand usage patterns and improve the product. These are only set if you consent via the cookie banner.
  • Functional cookies: Used to remember your preferences (theme, language). These are only set if you consent.

You can manage your cookie preferences at any time using the cookie consent banner or by clearing your browser cookies. You may also use the Global Privacy Control (GPC) browser signal; when detected, analytics tracking is automatically disabled.

5. Data Retention

  • Account data: Retained for the duration of your account plus 30 days after account deletion (soft-delete grace period).
  • Project and business plan data: Retained while the associated project exists. Deleted 30 days after project soft-deletion.
  • Billing records: Retained for 7 years to comply with tax and financial reporting obligations.
  • Audit logs: Retained for 2 years for security and compliance purposes.
  • Analytics data: Anonymized after 26 months.

6. Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights:

  • Right of access: Request a copy of all personal data we hold about you.
  • Right to rectification: Correct inaccurate personal data via your profile settings.
  • Right to erasure: Request deletion of your account and all associated data.
  • Right to data portability: Export your data in a machine-readable format.
  • Right to restrict processing: Request that we limit processing of your data in certain circumstances.
  • Right to object: Object to processing based on legitimate interests.

You can exercise your data export and account deletion rights directly from your Privacy Settings. For other requests, contact us at privacy@transmuter.com.

7. Your Rights (CCPA/CPRA)

If you are a California resident, you have the following additional rights:

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected.
  • Right to delete: Request deletion of your personal information.
  • Right to opt-out: Transmuter does not sell your personal information. If our use of analytics providers constitutes "sharing" under CCPA, you can opt out via the cookie consent banner.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.

8. Security Measures

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit (TLS 1.2+) and at rest.
  • API keys and credentials are encrypted using AES-256 before storage.
  • Webhook secrets are SHA-256 hashed; API key validation uses constant-time comparison to prevent timing attacks.
  • Authentication uses RS256 JWT tokens with JWKS-based verification.
  • Webhook URLs are validated against SSRF blocklists (private IPs, cloud metadata endpoints).
  • Comprehensive audit logging tracks all sensitive operations.
  • Code execution occurs in isolated E2B sandboxes with no access to platform infrastructure.

9. Children's Privacy

Transmuter is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

10. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, for any transfer of personal data outside the EEA.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date and, where required, notifying you via email.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at:

Email: privacy@transmuter.com

Website: transmuter.3mergen.com