Privacy Policy

Effective date: 25 March 2025 · Last updated: 25 March 2025

1. Introduction

Privizee (“we”, “us”, “our”) provides an AI-powered privacy compliance assistant that operates inside Slack (the “Service”). This Privacy Policy explains what data we collect, how we use it, and what rights you have. It applies to all users who install or interact with the Privizee Slack application.

2. Data Controller

For the purposes of the UK GDPR and EU GDPR, the data controller is Privizee. You can reach us at tamas@urbsai.com.

3. Data We Collect

We collect the minimum data necessary to operate the Service:

3.1 Slack Workspace Data

  • Workspace ID and name (received during OAuth installation).
  • Bot token and related OAuth credentials (encrypted at rest).
  • Installing user's Slack user ID.

3.2 Messages & Documents

  • Messages sent directly to the Privizee bot or in channels where the bot is mentioned.
  • Documents uploaded to the bot for review (privacy policies, contracts, etc.).

We do not read messages in channels where the bot is not explicitly mentioned or invoked. We do not access your workspace's full message history.

3.3 Usage & Analytics

  • Feature usage events (e.g. which commands are run, error counts).
  • Performance metrics (response times, uptime).

Analytics are collected via Vercel Analytics and PostHog. No message content is included in analytics events.

3.4 Account Data

  • Email address (if you sign in to the web dashboard).
  • Tenant and team membership information.

4. How We Use Your Data

  • To provide and improve the Service (answering questions, reviewing documents, running DPIAs, assessing vendors).
  • To authenticate your workspace and manage per-tenant access.
  • To generate audit logs you have opted into.
  • To monitor performance, diagnose issues, and prevent abuse.
  • To communicate service updates or changes to these policies.

No LLM training on your data

We do not use Slack workspace data, messages, or documents submitted to Privizee to train, fine-tune, or otherwise improve any large language model.

5. Legal Basis for Processing

We process personal data under the following bases (UK/EU GDPR Art. 6):

  • Contract: Processing necessary to provide the Service you requested.
  • Legitimate interest: Performance monitoring, security, and fraud prevention.
  • Consent: Where you opt into optional features (e.g. persistent DPIA records).

6. Data Retention

  • Messages & documents: Processed in real time and discarded after the response is delivered, unless you explicitly save results (e.g. DPIA forms, audit logs).
  • DPIA records & audit logs: Retained for the duration of your subscription plus 30 days, then deleted.
  • OAuth tokens: Retained until you uninstall the app or revoke access, then deleted within 24 hours.
  • Account data: Retained while your account is active. Deleted within 30 days of account closure.

7. Sub-processors & Third Parties

We use the following sub-processors to deliver the Service:

| Provider | Purpose | Location |
|---|---|---|
| Vercel | Hosting & edge functions | US / EU |
| Supabase | Database & authentication | EU |
| Upstash | Redis (rate limiting, state) | EU |
| Anthropic | AI language model (Claude) | US |
| OpenAI | Text embeddings | US |
| Google | Gemini (vendor checks) | US |
| Stripe | Payment processing | US / EU |
| PostHog | Product analytics | EU |
| Slack (Salesforce) | Messaging platform | US |

We do not sell your data to third parties. Data shared with sub-processors is limited to what is necessary for them to perform their function.

AI Model Disclosure

Privizee uses the following AI models to process your requests. The table below describes what data is sent to each provider, whether the provider retains it, and where it is processed.

| Provider | Model | Data sent | Provider retention | Tenancy |
|---|---|---|---|---|
| Anthropic | Claude | Message text submitted to the bot | Governed by Anthropic's API data terms — see policy | US |
| OpenAI | text-embedding-3-small | Text chunks for semantic search | Governed by OpenAI's API data terms — see policy | US |
| Google | Gemini | Vendor assessment queries; voice interview transcription | Governed by Google's Gemini API terms — see policy | US |

Privizee does not share raw Slack message history with any AI provider — only the specific message or document you actively submit to the bot is forwarded for processing. Each provider's data handling practices are governed by their respective API terms, linked above.

8. International Transfers

Some sub-processors are located in the United States. Where data is transferred outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) or the provider's participation in an approved transfer mechanism to ensure adequate protection.

9. Security

We protect your data with:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 for tokens).
  • Row-level security (RLS) in the database to enforce tenant isolation.
  • Webhook signature verification on all incoming Slack events.
  • CSRF protection on OAuth flows.
  • Rate limiting and request deduplication to prevent abuse.

10. Your Rights

Under the UK/EU GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”).
  • Restrict processing in certain circumstances.
  • Port your data in a structured, machine-readable format.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time where processing is consent-based.

To exercise any of these rights, email tamas@urbsai.com. We will respond within 30 days.

11. Cookies

The Service sets a minimal number of cookies: a session cookie for web dashboard authentication and a short-lived CSRF state cookie during the OAuth install flow. We do not use advertising or tracking cookies.

12. Children's Privacy

The Service is not directed at individuals under 18. We do not knowingly collect data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the Service or by other reasonable means at least 14 days before they take effect. The “Last updated” date at the top reflects the most recent revision.

14. Supervisory Authority

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

15. Contact

For any questions about this Privacy Policy or our data practices, contact us at tamas@urbsai.com.