Vol 26, No 13 · May 27, 2026
ComfyUI: The Pixels Are Yours, The Recipe Isn't
AI news is noisy, it's difficult to separate reality from marketing hype and click-farming. Especially in the media & entertainment space.
This project attempts to filter the noise by watching the following signals: tracking exactly what companies tell us through their terms of service, and how their outputs look side by side.
The Ledger is just starting, and kinks are getting worked out – your feedback is wanted.
What changed in AI platform agreements this week
We are tracking over 50 companies and 235+ policy documents daily. Things that govern how your data is handled, who owns what and who’s on the hook when something goes wrong. These are things you should be reading, but don't have the time for - plus they are super confusing.
If something truly concerns you, reach out to a lawyer - there are no guarantees we catch all changes, something vital to you may be missed or misinterpreted. Docs are diff'ed and summarized by multiple LLMs, then researched, edited and published by a non-lawyer human.
Three weeks after closing a $30 million round at a $500 million valuation led by Craft Ventures, ComfyUI published a new Terms of Service on May 13. It carries a creator-friendly headline pledge, plus one sentence directly underneath it that quietly reserves the right to do something the pledge was supposed to prevent.
The pledge: “Comfy will not use Input or Output to train generative AI or diffusion models. Comfy may, however, collect and use limited metadata derived from Customer’s use of the Comfy Products, such as prompt classifications, workflow structures, and node configurations, to improve the performance, functionality, and user experience of the Comfy Products.”
The first sentence protects your content. The second carves out a third category, the behavior around your content, and gives it none of the same protection. And it names that category plainly: prompt classifications, workflow structures, node configurations. The structure of the workflow you spent months refining is exactly what Comfy reserves the right to collect and use.
In human terms: A VFX freelancer has spent two years on her workstation building texture-synthesis workflows for ad clients: the node sequence she refined by trial and error, the sampler choices, the ControlNet she chained to her inpainting pass. That craft lives in JSON files on her drive. This week a brief requires the job to run on hosted infrastructure, so she clicks “Launch Cloud.” The interface looks the same; the workflows transfer cleanly. What’s changed is that her workflow structure, the thing she actually got paid for understanding, is now metadata Comfy is permitted to use to improve its products. Her prompts get classified before they ever reach a training corpus, but the classification carries her intent forward. The pixels she generates are protected. The recipe that produced them is not.
Why this matters: ComfyUI sits underneath a large share of professional VFX, ad-studio, and game-studio AI pipelines. This is the cleanest example this quarter of a Tier-1 venture round reshaping the legal scaffolding around an open-source tool. The no-training pledge is real, but it has two holes the headline doesn’t reach: Partner Nodes downstream and the metadata carve-out upstream. If workflow intelligence becomes the next competitive layer in creative AI, that carve-out is the sentence the contract was built to enable, while still saying never.
The affiliates clause in ElevenLabs’ privacy policy is the list of legal entities authorized to process user voice data. Last quarter it had three names on it. This week it has five.
The prior list named “Eleven Labs Ltd., Eleven Labs Poland sp. z o.o., and Eleven Labs Japan Godo Kaisha.” The May 20 update inserts two more: “Eleven Labs Auto India Private Limited, Eleven Labs Technology Middle East Limited.”
“Eleven Labs Technology Middle East Limited” is a reasonably standard regional-operations entity. “Eleven Labs Auto India Private Limited” is more interesting.
The Seedance 2.0 video model is a ByteDance product. The official ByteDance Seedance project page lives at seed.bytedance.com. The model is available to creators through ByteDance’s Jimeng AI app (in China), Dreamina, and CapCut.
None of those is the site we tracked this week.
The site we spotted change in is seedance2.ai. It markets itself as offering Seedance 2.0 video generation. Its newly-updated privacy policy contains an unambiguous no-training pledge:
Your data is never used to train AI models. We do not use your prompts, uploaded content, or generated videos to train, fine-tune, or otherwise improve any AI model. Content you submit is processed solely to deliver the requested generation result back to you.
It is also the kind of pledge that rewards a closer read. The policy names no corporate operator — only “Seedance2.ai” and “we.” There is no company name,
LangChain’s May 20 ToS update is the kind of revision that reads as routine until you look at what each change does.
Three substantive moves. First: the training opt-out language in Section 4.2 picked up four new words. The prior clause read “LangChain agrees that it will not use Customer Data to train on, develop, or otherwise improve its products.” The updated clause adds: “…including any large language models.” On its face, the addition just closes a possible loophole — but those four words are a meaningful concession in an industry where “our products” and “models we train” have spent two years being negotiated as separate categories.
OpenAI added one new opt-out path inside its cross-context behavioral advertising disclosure paragraph this week. Logged-out users can now opt out “within Settings > Data Controls on ChatGPT or using the Your Privacy Choices link on our website.” The “Settings > Data Controls on ChatGPT” path is new — meaning OpenAI has now built an in-product opt-out mechanism inside ChatGPT itself and surfaced it in the same paragraph where the ad-data sharing is disclosed. This is the third consecutive month that paragraph has been touched, and the third consecutive month the touch has been protective scaffolding around the ad infrastructure rather than the infrastructure itself.
The contract’s reference to the ChatGPT Pricing Page changed domains: prior version pointed to openai.com/chatgpt/pricing; updated version points to chatgpt.com/pricing (with referral and tracking parameters appended). Small as a diff, but the domain change is a beat in OpenAI’s ongoing migration of the ChatGPT consumer surface off the openai.com domain. Worth tracking as a thread
Now in tracking for the first time after several silent scraper failures. The document carries a release date of April 29, 2025 — so this is a baseline being established, not a new agreement. Notable provisions for the audience: a $1,000 minimum liability cap, an explicit “Meta will not use your Content to train any artificial intelligence models” commitment, a 700-million-monthly-active-users commercial restriction, an EU prohibition on accessing multimodal AI models via the API, and explicit Illinois BIPA / Texas CUBI warranties in the user representations. Will be tracked normally from this issue forward.
One row in the Claude 3.7 Sonnet model card changed from a list of access surfaces to “Claude 3.7 Sonnet is retired and no longer available for use.” Operational rather than contractual.
Pond5 License Agreement, Shutterstock License Agreement, Shutterstock Privacy Policy, Shutterstock Terms of Service. All four returned the identical 43-byte anti-bot challenge string — “Please enable JS and disable any ad blocker.” The JS-rendering bypass flagged in the Vol. 26 No. 20 handoff has not yet shipped. Until it does, four of the most heavily-used licensing documents in the stock-media supply chain are currently invisible to this newsletter.
Anthropic (Privacy Policy and Consumer Health Data Policy — URL redirect token rotation in both); Autodesk (page chrome footer text change); Cascadeur (language picker and reCAPTCHA scrape artifacts reshuffled); Google Gemini API (language picker URLs stripped to plain text, “On this page” TOC removed); Hugging Face (StripeM-Inner footer artifact added); LangChain Shared Responsibility Model (Interrupt conference banner removed, LLM Gateway promoted from inline tag to subsection); LightTricks (four blank lines added at end of a 1.3 MB document); Meta (Privacy Policy and Terms of Service — URL &h= tracking token rotation in both); N8N (entire Cloudflare Turnstile UI captured as scrape artifact); Synthesia (author byline expanded from “Meg” to “Meg Farley” — last week’s flag resolved). Same pattern, different documents, no policy text changed.
