Data Privacy & Safety

Last updated:
May 28, 2026

Maxi sits between your WordPress data and the AI agent. Two features form a safety layer in that gap — one redacts personal data from everything the agent sees, the other guards raw database reads. This section covers both.

Maxi AI Core gives operators full control over their anonymization policy by letting them mask, block, and restrict personal data before it reaches agents. When configured correctly for the site’s actual data model and workflows, it can be used to keep recognizable personal information from being exposed to agents.

When an agent works on your site, it sees the data your abilities return — orders, customer details, user records. For privacy and GDPR reasons, you don’t always want the agent (and the AI provider behind it) to see raw personal data. Maxi includes two complementary safeguards for this:

  • Data masking — automatically redacts the values of personal-data fields in every response before it reaches the agent. A customer’s name comes through as “**** ***“, not “John Doe.” This is on by default.
  • The database query blocklist — a second, narrower guard that applies only if you’ve enabled raw database reads. It blocks queries that touch sensitive columns like password hashes. Most sites never need to touch it.

The two work at different levels. Masking operates on the structured data abilities return, redacting field values wherever they appear. The query blocklist operates on raw SQL, and only matters when an administrator has deliberately turned on direct database access. Together they reduce how much personal data ever reaches the agent.

Both are administrator-managed. Changing the masking list or the query blocklist requires an administrator. There’s no separate settings screen for either — they’re managed through the agent itself, and every change is recorded in the audit log.

In this section

  1. GDPR Data Masking — how personal data is redacted before the agent sees it, and how to manage the list.
  2. Database Query Blocklist — the extra guard on raw database reads, for sites that enable them.

On this page