Privacy Policy

1. What Data We Collect

Personal Information

We collect information you provide directly:

• Name and email address - From your Slack profile when you install our app
• Role and company - Your job title and workspace name from Slack
• Account preferences - Settings and configurations you choose

Slack Workspace Data

With your permission, we access:

• Team information - Workspace name, team names, and member count
• Messages in OKR channels - Only conversations where OKR Agent is mentioned or added
• User interactions - Your questions and commands sent to OKR Agent

Important: We cannot access private DMs or channels where OKR Agent has not been added.

Data Warehouse Connection Metadata

When you connect a data warehouse (Snowflake, BigQuery, PostgreSQL, DuckDB):

• Connection details - Host, port, database name (encrypted)
• Schema information - Table and column names to understand your data structure
• Sample queries - Test queries to verify the connection works

Read-Only Access: We never modify, delete, or write data to your warehouse. Our access is strictly read-only for metric retrieval.

Usage Data

We collect information about how you use the service:

• Feature usage - Which coaching features you use most
• Query patterns - Types of OKR questions you ask
• Performance data - Response times and error rates (to improve reliability)

2. How We Use Your Data

We use your data for these specific purposes:

Providing the Service

• OKR Coaching - Analyze your goals and suggest measurable key results
• Metric Retrieval - Query your data warehouse to get current metric values
• Slack Integration - Deliver responses and updates in your workspace
• Account Management - Handle subscriptions, billing, and account settings

Improving the Service

• Quality Assurance - Monitor accuracy of coaching suggestions
• Feature Development - Understand how customers use OKR Agent to build better features
• Performance Optimization - Improve response times and reliability

Security and Safety

• Fraud Prevention - Detect and prevent misuse of the service
• Security Monitoring - Identify suspicious activity patterns

Communication

• Service Updates - Notify you about important changes to OKR Agent
• Support - Respond to your questions and requests
• Marketing (Optional) - With your consent, send product updates and offers

We never sell your data to third parties.

3. Data Storage & Security

Where We Store Your Data

• Primary Storage: [EU region] - Your data is stored within the European Union
• Database: Encrypted PostgreSQL database with row-level security
• Backups: Daily encrypted backups retained for 30 days

How We Protect Your Data

• Encryption in Transit: All data transferred using HTTPS/TLS 1.3
• Encryption at Rest: AES-256 encryption for stored data
• Read-Only Warehouse Access: Database connections use read-only credentials only
• Sandboxed Code Execution: Generated queries run in isolated environments (will be replaced with container-based sandboxing)
• Access Controls: Only authorized personnel can access data, and only for specific purposes
• Regular Audits: Security audits and penetration testing conducted regularly

Data Retention

• Active Accounts: Data retained while your account is active
• Deleted Accounts: Personal data anonymized within 30 days of deletion request
• Audit Logs: Security logs retained for 1 year for compliance

4. AI/LLM Processing

What Data Is Sent to AI Providers

We use [OpenAI] to power OKR coaching features. When you interact with OKR Agent, the following may be shared with OpenAI:

• Your questions - The text of your OKR-related questions
• Context - Relevant goal names and descriptions (to provide better coaching)
• Schema information - Table and column names (to suggest relevant metrics)

How We Use AI Services

• Human Approval Required: All suggested Key Results require your approval before being saved
• No Training on Your Data: OpenAI does not use your data to train their models (see OpenAI's data usage policy)
• Ephemeral Processing: Conversations are not stored by OpenAI beyond the immediate processing

Example: When you ask "How can I measure user engagement?", OKR Agent sends your question and relevant schema information to OpenAI. The AI suggests metrics like "Daily Active Users" or "Session Duration", but you decide which to use.

5. Third-Party Services

We work with trusted third-party services to operate OKR Agent:

For a complete list of subprocessors, see our Data Processing Agreement.

6. Analytics (Future)

Current Status: OKR Agent does not currently use analytics or tracking cookies.

Planned: We may implement website analytics (e.g., Google Analytics) to understand how visitors use our website. If we do:

• You will be asked for consent before any analytics cookies are set
• Data will be anonymized and aggregated
• Individual users cannot be identified
• You can withdraw consent at any time via the "Privacy Settings" button in the footer

See our Cookie Policy for more information.

7. Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

Right to Access (Article 15)

You can request a copy of all personal data we hold about you. We'll provide it in a commonly used format (JSON or CSV) within 30 days.

To exercise this right: Contact [SUPPORT_EMAIL]

Right to Rectification (Article 16)

You can correct inaccurate or incomplete personal data.

To exercise this right: Update your profile in Slack, or contact [SUPPORT_EMAIL]

Right to Erasure (Article 17)

You can request deletion of your personal data. We'll delete it within 30 days, except where we're legally required to retain it (e.g., tax records).

To exercise this right: Contact [SUPPORT_EMAIL] or uninstall the Slack app

Right to Portability (Article 20)

You can request your data in a structured, machine-readable format to transfer to another service.

To exercise this right: Contact [SUPPORT_EMAIL]

Right to Object (Article 21)

You can object to certain data processing activities, such as marketing communications.

To exercise this right: Contact [SUPPORT_EMAIL]

Right to Restrict Processing (Article 18)

You can request that we limit how we use your data.

To exercise this right: Contact [SUPPORT_EMAIL]

Right to Lodge a Complaint

You have the right to complain to a data protection authority about our data processing practices.

• German Authority: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
• Your Local Authority: See European Data Protection Board members

8. Data Retention

• Active Accounts: Personal data retained while your account exists
• Deleted Accounts: Personal data permanently deleted within 30 days
• Cancellations: Data retained for 30 days after subscription ends (for reactivation purposes)
• Legal Requirements: Some data (e.g., invoices) retained longer as required by law
• Audit Logs: Security logs retained for 1 year

9. International Data Transfers

Primary Storage: Your data is stored within the European Union.

Some of our subprocessors (e.g., Slack in the USA) may process data outside the EU. We ensure:

• Adequacy Decisions: Using countries with EU adequacy decisions where possible
• Standard Contractual Clauses (SCCs):strong> Legally binding agreements approved by the European Commission for data transfers to countries without adequacy decisions
• Your Consent: You consent to these transfers when using OKR Agent