Privacy Policy

This policy applies to the Slashpack marketing website, Slack installation and sign-in flows, support requests, payment flows, and the Slashpack Slack app. It covers data you provide directly, data created when your workspace uses Slashpack, and data needed to operate source indexing, slash commands, AI tagging, semantic search, billing, deletion, and support.

• Slack installation data: workspace ID and name, installing Slack user ID, app and bot IDs, granted scopes, OAuth tokens, and slash command payload fields needed to respond to /brand.
• Owner contact data: the workspace owner email saved during onboarding for trial, payment, support, reconnect, and deletion notices.
• Source integration data: encrypted Google Drive or Notion OAuth tokens, selected folder or source IDs, asset names, MIME types, file sizes, timestamps, source links, and preview or thumbnail links exposed by the connected provider.
• AI processing data: for image assets, Slashpack may fetch a preview or source image and send the image plus filename to Anthropic for tagging; asset metadata and search queries may be sent to Anthropic and OpenAI to parse queries and generate embeddings.
• Billing and operations data: Stripe customer/subscription IDs, plan status, audit events, rate-limit and replay-protection keys, error metadata, and support correspondence. Slashpack does not store payment card numbers.
• Optional marketing data: if you allow marketing tracking on the website, X Ads may receive conversion events for campaign measurement, including page and install conversion events.

• To install the Slack app, authenticate Slack requests, and return private search results through the /brand slash command.
• To index approved brand assets from Google Drive and Notion without migrating the original source files into Slashpack.
• To generate tags, descriptions, and embeddings that make brand asset search work in natural language.
• To enforce plan limits, prevent abuse, troubleshoot errors, send transactional emails, and provide customer support.
• To process subscription billing through Stripe and manage trial, cancellation, and customer portal flows.

• Performance of a contract when a workspace installs Slashpack, uses connected source indexing, starts a trial, or uses paid access flows.
• Legitimate interests in securing and improving Slashpack, preventing abuse, operating support, and keeping audit records.
• Consent where you voluntarily provide information for support, optional communications, or optional connected-provider access.
• Consent for optional marketing conversion tracking. Slashpack does not load the X Ads tag unless website marketing consent is accepted.
• Compliance with legal obligations, including accounting, tax, anti-fraud, regulatory, and security duties.

Slashpack uses Slack for app installation and slash command delivery, Google Drive and Notion for source access when authorized by a workspace admin, Anthropic and OpenAI for AI processing, Supabase for application data storage, Stripe for billing, Resend for transactional email, Vercel for hosting, and X Ads for optional marketing conversion tracking only when website marketing consent is accepted. Rate limiting, replay protection, and background jobs are stored in Slashpack's Supabase project.

Slashpack does not sell personal data and does not use Slack data or customer assets to train Slashpack-owned large language models. Data sent to third-party AI providers is used to provide tagging, query parsing, and search for the workspace that authorized the integration.

• Slack, billing, integration, and asset metadata is kept while a workspace uses Slashpack, unless a workspace owner deletes an integration or the whole workspace.
• When an integration is deleted, Slashpack revokes the provider token where the provider supports revocation, removes stored tokens, marks related assets deleted, and schedules final deletion after 7 days.
• When a workspace is deleted, Slashpack revokes connected provider tokens where supported, removes stored tokens, marks workspace data deleted, and schedules final deletion after 7 days.
• Operational logs and backups may remain for a limited period for security, fraud prevention, and recovery, then expire under normal retention practices.
• Workspace owners can request access, correction, export, or deletion by emailing support@slashpack.app.

• OAuth tokens are encrypted at rest before storage.
• Slack requests are verified with Slack signing secrets and timestamp checks.
• OAuth install state uses a signed, short-lived state value and an HttpOnly cookie.
• Slashpack uses HTTPS/TLS in production and does not expose customer tokens in the browser.
• Access to workspace administration is limited to the installing or recorded owner Slack user.

• Request access to personal data Slashpack holds about you or your workspace.
• Request correction of inaccurate or incomplete data.
• Request deletion where retention is no longer required.
• Object to or restrict certain processing where the law allows.
• Request portability of data you provided to Slashpack.
• Lodge a complaint with a competent supervisory authority.

Privacy, export, correction, and deletion requests can be sent to support@slashpack.app.

Slashpack is not directed to children under 13, and APPSYSTUDIOS OÜ does not knowingly collect personal data from children under 13 through Slashpack. If you believe a child has provided personal data, contact Slashpack support and the data will be reviewed and removed where appropriate.

This policy may be updated when Slashpack features, legal obligations, or processor relationships change. Material changes will be reflected on this page.

For privacy requests or security concerns, email support@slashpack.app. Support requests are reviewed within 2 business days.