PatchBuddy
Privacy by default

Your customer data, masked before any AI sees it.

Personally identifiable information is replaced with locale-coherent fakes inside PatchBuddy, before it ever reaches an AI server. EU-hosted models are available on a per-turn basis when an engagement requires the data to stay inside the EU.

Privacy by design. Privacy by default. The phrase comes straight out of GDPR Article 25; we built it into the product.

What gets swapped

Real data goes in. Synthetic data goes out.

A side-by-side of an example payload as the operator pastes it, and what the AI provider actually sees on the wire. The structural shape is identical so the model can reason about it. The personally identifiable parts are not what they were.

What the operator pastes (real data):
{
  "customer_name":  "Sarah Whitfield",
  "email":          "sarah@acmeretail.com",
  "phone":          "+44 7700 900482",
  "address":        "12 Cheltenham Rd, Bristol",
  "order_id":       "ORD-90218",
  "sku":            "SKU-LSK-K600",
  "country":        "GB",
  "amount_gbp":     1249.50,
  "ordered_at":     "2026-05-04T14:22:00Z"
}

What the AI provider receives (masked):
{
  "customer_name":  "Helena Brookes",
  "email":          "helena.brookes@example.org",
  "phone":          "+44 7700 900318",
  "address":        "47 Linden Way, Manchester",
  "order_id":       "ORD-90218",
  "sku":            "SKU-LSK-K600",
  "country":        "GB",
  "amount_gbp":     1249.50,
  "ordered_at":     "2026-05-04T14:22:00Z"
}

4 fields swapped: customer_name · email · phone · address
5 fields preserved: order_id · sku · country · amount_gbp · ordered_at

How it works

Five things you'd want a randomiser to do. It does all five.

On by default

Every new organisation has PII randomisation enabled out of the box. You don't have to read a setup guide to be safe. Toggle it off per organisation only when a specific support task genuinely needs raw data.

Locale-coherent fakes

UK customer names get replaced with UK-shaped names. French customers get French-shaped fakes. Phone numbers keep their country format. Addresses look like they belong where they're supposed to. The model's reasoning isn't thrown off by impossible data.

Consistent within the chat

The same real customer always maps to the same fake within this organisation. Helena Brookes stays Helena Brookes for the entire chat, project, and every task in between. Multi-turn reasoning still works. The model isn't confused by a moving target.

System identifiers preserved

Order IDs, SKUs, country codes, prices, currencies, timestamps. None of it is touched. The agent still has the structural anchors it needs to debug a flow, write a mapping, or trace an order through your systems.

Toggleable per organisation

For the rare support task that genuinely needs raw PII (debugging an exact email-format mismatch, say), the org admin can disable randomisation in the org settings. The change is logged. Default behaviour returns the moment you toggle it back.

Never stored. Never cached.

The randomisation map (real → fake) lives in the runtime scope of the chat session and is destroyed when the chat ends. PatchBuddy does not keep a master table on disk. PII does not appear in logs, in the database, or in backups. There is nothing on our infrastructure to leak.
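The behaviours listed above (locale-shaped fakes, a stable mapping within a session, untouched system identifiers, a toggle, and a map that lives only in memory) can be sketched as follows. This is an added illustration, not PatchBuddy's code: the class name SessionMasker, the tiny constructed pools, and the numeric suffix on fake emails are all assumptions.

```python
import secrets

# Constructed pools per country code (assumption); real pools must be far larger
# than the number of distinct values seen in one session.
POOLS = {
    "GB": {"first": ["Helena", "Martin", "Priya"], "last": ["Brookes", "Ashdown", "Kerr"],
           "street": ["Linden Way", "Mill Lane"], "city": ["Manchester", "Leeds"],
           "phone": "+44 7700 900{}{:02d}"},
    "FR": {"first": ["Camille", "Lucien", "Margaux"], "last": ["Fournier", "Bertin", "Roche"],
           "street": ["rue des Lilas", "avenue Carnot"], "city": ["Lyon", "Nantes"],
           "phone": "+33 6 39 98 0{} {:02d}"},
}
PII_FIELDS = ("customer_name", "email", "phone", "address")
_rng = secrets.SystemRandom()

class SessionMasker:
    """Hypothetical masker: the real -> fake map exists only in this object."""
    def __init__(self, enabled=True):
        self.enabled = enabled   # stands in for the per-organisation toggle
        self._map = {}           # (field, real value) -> fake value, memory only

    def _generate(self, field, pool, fake_name):
        if field == "customer_name":
            return f"{_rng.choice(pool['first'])} {_rng.choice(pool['last'])}"
        if field == "email":     # follows the fake name; example.org is a reserved domain
            return f"{fake_name.lower().replace(' ', '.')}{_rng.randrange(1000)}@example.org"
        if field == "phone":     # keeps the country's number format
            n = _rng.randrange(1000)
            return pool["phone"].format(n // 100, n % 100)
        return f"{_rng.randrange(1, 200)} {_rng.choice(pool['street'])}, {_rng.choice(pool['city'])}"

    def mask(self, record):
        if not self.enabled:
            return dict(record)
        pool = POOLS[record["country"]]   # unknown locale raises instead of leaking raw data
        out = dict(record)                # non-PII fields are copied unchanged
        for field in PII_FIELDS:          # customer_name first, so the email can follow it
            if field not in record:
                continue
            key = (field, record[field])
            while key not in self._map:   # first sighting: draw a fake not already in use
                fake = self._generate(field, pool, out.get("customer_name", "user"))
                if fake != record[field] and fake not in self._map.values():
                    self._map[key] = fake
            out[field] = self._map[key]
        return out

    def close(self):
        self._map.clear()                 # end of chat: the mapping is gone
```
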

EU-hosted AI

GDPR-compliant routing on tap.

For engagements where the data needs to stay inside the EU, route the chat through Mistral. Three model sizes, different cost-and-capability profiles. Selectable per turn, so you can switch a single sensitive chat to EU routing without changing your default for everything else.

Mistral models are routed via La Plateforme, Mistral's API hosted in EU data centres. Combined with the PII randomisation above, this gives you two independent layers of GDPR posture for the same chat.

Mistral Small 4

EU-hosted
32K context

High-volume short turns. Cheapest EU option.

Mistral Medium 3.5

EU-hosted
128K context

Balanced reasoning and speed for most chat work.

Mistral Large 3

EU-hosted
262K context

Slower, deeper reasoning. Long inputs and complex tasks.

Defence in depth

Five layers between the operator and the model.

No single control is asked to do all the work. Each layer exists whether or not the others are in place.

  1. Layer 01
    Operator types or pastes content

    The starting point. Always a human action; nothing runs in the background.

  2. Layer 02
    PII randomiser masks the payload

    Names, emails, phones, addresses swapped for locale-coherent fakes. System IDs preserved.

  3. Layer 03
    Operator picks the model

    Per-turn choice between US-hosted (Anthropic / OpenAI / DeepSeek / Moonshot) and EU-hosted (Mistral).

  4. Layer 04
    Provider's commercial / ZDR endpoint

    Routed through the provider's commercial API with zero-data-retention mode where supported. Never used to train.

  5. Layer 05
    Audit log written back

    Model, timestamp, operator, token cost. Defensible to compliance, useful in retros.

Privacy by design. Privacy by default. Built in, not added on.

The full operational detail is in our policies. Both pages are written to be readable.