Smithy is committed to protecting your privacy. We collect only the
information necessary to deliver and improve our service, use cookies
in a limited capacity, and never sell your data to third parties. Your
trust is fundamental to our business, and we take appropriate measures
to safeguard the data you entrust to us. This policy describes our
practices in detail.
Your use of the Smithy website and all associated services ("Smithy") is
subject to your agreement to all of the following terms. If you disagree
with any of the terms below, do not use Smithy.
What we collect and why
Name and URL of your Slack workspace
We use this to personalise your experience in Smithy and to enable easy redirects
back to the Slack app after adding Smithy to your workspace, respectively.
The number of people in your Slack workspace
We use this for internal reporting. We don't mass-gather details of members of any workspace.
Your name and/or display name
To identify you in the product and to reference you in a personalised manner.
Your avatar
This is the same picture that you use on Slack and we use it to personalise
your experience in Smithy.
Email address
We collect your email address through Slack's OpenID Connect authentication when
you sign in to the Smithy website. We use your email address to communicate important
billing and product notifications, to identify your account, and to associate you with
a customer record for billing purposes. We aim to send you as little email as possible.
Workspace messages
Core Smithy functionality relies on processing messages in your Slack workspace.
We respect the seriousness of having access to potentially sensitive information,
and store only the bare minimum required for Smithy to function.
- We don't see messages at all from channels that Smithy has not been intentionally
  added to.
- We don't store all message content that reaches Smithy.
- From the messages that we do store, we only store subjects and decisions,
  not general replies to threads.
- All stored thread subjects, content, and decisions are encrypted at rest
  using industry-standard encryption.
- We store the following additional metadata about Smithy-generated threads:
  the number of replies and Slack-specific thread, team, user, and message identifiers.
Usage Data
Usage data is collected automatically when using Smithy. Usage data may include information such
as your device's IP address, browser type, browser version, the pages on Smithy that you visit,
the time and date of your visit, the time spent on those pages, unique device identifiers and other
diagnostic data. We may also collect information that your browser sends whenever you visit Smithy.
Cookies
Cookies are small files that a site stores on your device through your browser, enabling the site to
recognise your browser and remember certain information.
Here is how cookies are used on Smithy:
- Keeping you logged in on the Smithy website.
- Maintaining session state and security tokens (CSRF protection).
We do not use third-party tracking cookies or advertising cookies.
You have the right to accept or reject our use of cookies. If you wish to exercise
your right to reject our cookies, do not use Smithy or configure your browser to
reject cookies.
Data storage and security
We host Smithy on secure, professionally managed servers. All sensitive data, including
Slack bot tokens and workspace message content, is encrypted at rest using Laravel's
built-in encryption (AES-256-CBC).
Your data is encrypted when transmitted to Smithy via TLS/HTTPS. We additionally implement
a variety of security measures to maintain the safety of your data, including content
security policies, secure authentication flows, and regular security reviews.
If we discover that your data has been exposed to unknown third parties, we will
notify you within 72 hours of discovery.
Remember that no method of transmission over the internet nor any method of electronic storage
is 100% secure. While we strive to use commercially acceptable means to protect your data,
we cannot guarantee its absolute security.
Data retention
Data from your Slack workspace is retained for as long as necessary to continue providing Smithy's
services to your Slack workspace.
When Smithy is uninstalled from your Slack workspace, we schedule data removal after a
30-day grace period. This allows you to reinstall Smithy without losing your data if
the uninstallation was accidental. After 30 days, all workspace-specific data
(threads, decisions, channel records, and user records) is permanently deleted.
Aggregated and anonymised data may be retained for internal reporting and business planning purposes.
We may retain certain data beyond the grace period where required to comply with applicable laws,
resolve disputes, or enforce our legal agreements and policies.
Data disclosure
Trusted third parties
As part of its day-to-day operations, Smithy inevitably shares data with third-party
partners that are integral to Smithy's business.
- Paddle (https://paddle.com)
  Billing and payment processor (Merchant of Record). Data shared: name, email, and other
  billing details for invoicing and subscription management. Paddle acts as the seller of
  record for all transactions.
- Umami (self-hosted)
  Privacy-focused, self-hosted analytics that we use to track and analyze service usage. All analytics
  data stays on our own servers. No personal or workspace data is shared with third parties for analytics.
Business transactions
If Smithy is involved in a merger, acquisition or asset sale, your data may be transferred.
We will provide notice before your data is transferred and becomes subject to a different
privacy policy.
Law enforcement
Under certain circumstances, Smithy may be required to disclose your data by law or
in response to valid requests by public authorities (e.g. a court or a
government agency).
Other legal requirements
Smithy may disclose your data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of Smithy
- Prevent or investigate possible wrongdoing in connection with Smithy's service
- Protect the personal safety of Smithy users or the public
- Protect against legal liability
Children's privacy
Smithy does not knowingly collect data from children under the age of 13, and
children under 13 are prohibited from using Smithy. If you learn that a child has
provided us with personal data in violation of this privacy policy, you can
alert us at hello@smithy.app.
Links to other websites
Smithy may contain links to other websites that are not operated by us. If you click on a third party link,
you will be directed to that third party's site. We advise you to review the privacy policy of every site
you visit. We have no control over and assume no responsibility for the content, privacy policies or
practices of any third party sites or services.
GDPR and managing your data
The purpose of the European General Data Protection Regulation (GDPR) is to help protect the
privacy of European Union (EU) citizens, by requiring people who process and control data
about EU citizens to adhere to a set of rules and guidelines.
If you have a Smithy account and are an EU citizen, then you are subject to GDPR. We take
reasonable steps to allow you to correct, amend, delete or limit the use of your personal data.
If necessary, you may complete and sign a Data Processing Addendum (DPA). The DPA contains
European Union Model Clauses, known as Standard Contractual Clauses, to meet the requirements
for GDPR. You can request one by emailing us at hello@smithy.app, or if you have
your own DPA document, we are happy to review and sign it instead.
To get access to the personal data that we hold about you or to request correction or removal of your
personal data, please contact us by email at hello@smithy.app. Where possible, we provide
the means to do so directly within your account settings on the Smithy website. Where not possible
or not sufficient, get in touch with us.
Sub-processors
We use Paddle as our billing sub-processor. Customer billing details are provided directly
to Paddle when choosing to subscribe to a paid plan. You can review their compliance documentation below.
Paddle: Buyers Privacy Policy, GDPR.
In certain circumstances, you have the following data protection rights:
Right to object
You can oppose the processing of your personal data. This right to object exists only if there
are sufficient legitimate and weighty grounds relating to your particular situation.
Right to access
Each Smithy user who proves their identity has a right of access to all information regarding
the processing of their personal data by Smithy. This includes
information on the purposes of the processing, the categories of data processed and
the categories of recipients to whom the data are provided.
Right to rectification
You have the right to have your personal data rectified if that data is inaccurate or
incomplete.
Right to erasure
You can ask us to delete all data related to your account & activity from our
system. Only the data we need to keep for legal & tax reasons will be kept.
Right to withdraw consent
You also have the right to withdraw your consent at any time where Smithy relied on your
consent to process your personal data.
Right to data portability
You have the right to be provided with a copy of the data we have on you in a structured,
machine-readable and commonly used format.
Right to restriction
You have the right to request that we restrict the processing of your personal data.
Complaints
As an EU citizen, you can report GDPR violations to your Data Protection Authority. You can find a list of Data Protection Authorities by
clicking here or searching on the internet. However, we aim to never let things escalate to the point where you need to file a complaint. Please contact us if you ever feel like we are not complying with your rights under GDPR and we will do our best to rectify the situation.
Contact us
If you have any questions about this privacy policy, you can contact us by email: hello@smithy.app.
Changes to this privacy policy
We may update our privacy policy from time to time and will post the updated version on this page.
You are advised to review this page periodically for any changes.