The short version: we collect just enough information to provide a great
service to you. Our business depends on our customers' trust, so we
don't want to destroy that trust by taking privacy-violating actions.
to third parties. Yes, we take precautions to safeguard your data.
Read on for more details, if you are interested.
Your use of the Smithy website and all associated services ("Smithy") is
subject to your agreement to all of the following terms. If you disagree
with any of the terms below, do not use Smithy.
What we collect and why
Name and URL of your Slack workspace
We use this to personalise your experience in Smithy and to enable easy redirects
back to the Slack app after adding Smithy to your workspace, respectively.
The number of people in your Slack workspace
We use this for internal reporting. We don't mass-gather details of members of any workspace.
Your name and/or display name
To identify you in the product and to reference you in a personalised manner.
This is the same picture that you use on Slack and we use it to personalise
your experience in Smithy.
We don't automatically gather your email from your Slack account. You have to
explicitly provide it. We use your email address to communicate important billing and
product notifications. We aim to send you as little email as possible.
Core Smithy functionality relies on processing messages in your Slack workspace.
We respect the seriousness of having access to potentially sensitive information,
and store only the bare minimum required for Smithy to function.
We don't see messages at all from channels that Smithy has not been intentionally
We don't store all message content that reaches Smithy.
From the messages that we do store, we only store subjects and decisions,
not general replies to threads.
We store the following additional metadata about Smithy-generated threads:
the number of replies and Slack-specific thread, team, user, and message identifiers.
Usage data is collected automatically when using Smithy. Usage data may include information such
as your device's IP address, browser type, browser version, the pages on Smithy that you visit,
the time and date of your visit, the time spent on those pages, unique device identifiers and other
diagnostic data. We may also collect information that your browser sends whenever you visit Smithy.
Cookies are small files a site stores on your device through your browser that enable the site to
recognise your browser and remember certain information.
Here is how cookies are used on Smithy:
Keeping you logged in on the Smithy website.
Our embedded video is provided by Loom, which uses its own cookies.
Our link to schedule a demo is provided by Calendly, which uses its own cookies.
your right to reject our cookies, do not use Smithy or configure your browser to
Data storage and security
We use Linode servers to store and process your data. Linode is a popular, respected,
and secure hosting provider. You can read their own legal and compliance documentation
on their website
Your data is encrypted when transmitted to Smithy. We additionally implement a variety
of security measures to maintain the safety of your data.
If we discover that your data has been exposed to unknown third parties, we will
notify you within 24 hours of discovery.
Remember that no method of transmission over the internet nor any method of electronic storage
is 100% secure. While we strive to use commercially acceptable means to protect your data,
we cannot guarantee its absolute security.
Data from your Slack workspace is retained for as long as is needed to continue providing Smithy's
services to your Slack workspace.
Aggregated and anonymised data may be retained for internal reporting and business planning purposes.
We remove your personal data after you explicitly delete your own account on Smithy and when
an administrator removes Smithy entirely from your Slack workspace, and sufficient time has passed
to warrant data removal, subject to any legal obligations such as complying with applicable laws,
resolving disputes, and enforcing our legal agreements and policies.
Trusted third parties
As part of day-to-day operations, Smithy inevitably shares data with third-party
partners that are integral to Smithy's business.
Billing and payment processor. Data shared: name, email, and other billing details for invoicing.
Hosting provider for all app and data storage.
Privacy-focused analytics provider that we use to track and analyze service usage. No personal or
workspace data reaches Fathom.
If Smithy is involved in a merger, acquisition or asset sale, your data may be transferred.
We will provide notice before your data is transferred and becomes subject to a different
Under certain circumstances, Smithy may be required to disclose your data if required
to do so by law or in response to valid requests by public authorities (e.g. a court or a
Other legal requirements
Smithy may disclose your data in the good faith belief that such action is necessary to:
Comply with a legal obligation
Protect and defend the rights or property of Smithy
Prevent or investigate possible wrongdoing in connection with Smithy's service
Protect the personal safety of Smithy users or the public
Protect against legal liability
Smithy does not knowingly collect data from children under the age of 13, and
children under 13 are prohibited from using Smithy. If you learn that a child has
alert us at
Links to other websites
Smithy may contain links to other websites that are not operated by us. If you click on a third party link,
you visit. We have no control over and assume no responsibility for the content, privacy policies or
practices of any third party sites or services.
GDPR and managing your data
The purpose of the European General Data Protection Regulation (GDPR) is to help protect the
privacy of European Union (EU) citizens, by requiring people who process and control data
about EU citizens to adhere to a set of rules and guidelines.
If you have a Smithy account and are an EU citizen, then you are subject to GDPR. We take
reasonable steps to allow you to correct, amend, delete or limit the use of your personal data.
If necessary, you may complete and sign a Data Processing Addendum (DPA). The DPA contains
European Union Model Clauses, known as Standard Contractual Clauses, to meet the requirements
for GDPR. You can request one by emailing us at or if you have
your own DPA document, we are happy to review and sign it instead.
To get access to the personal data that we hold about you or to request correction or removal of your
personal data, please contact us by email at . Where possible, we provide
the means to do so directly within your account settings on the Smithy website. Where not possible
or not sufficient, get in touch with us.
We currently have two data sub-processors, whose relevant compliance links you can find below. In
the case of Paddle, customer details are not automatically shared, but rather are provided directly
to Paddle when choosing to subscribe to a paid plan.
EU Model Contract
In certain circumstances, you have the following data protection rights:
Right to object
You can oppose the processing of your personal data. This right to object exists only if there
are sufficient legitimate and weighty grounds relating to your particular situation.
Right to access
Each Smithy user who proves their identity has a right of access to all information regarding
the processing of their personal data by Smithy, as defined in the Privacy Act. This includes
information on the purposes of the processing, the categories of data processed and
relate the categories of recipients to whom the data are provided.
Right to rectification
You have the right to have your personal data rectified if that data is inaccurate or
Right to forget
You can ask us to delete all data related to your account & activity from our
system. Only the data we need to keep for legal & tax reasons will be kept.
Right to withdraw consent
You also have the right to withdraw your consent at any time where Smithy relied on your
consent to process your personal data.
Right to data portability
You have the right to be provided with a copy of the data we have on you in a structured,
machine-readable and commonly used format.
Right to restriction
You have the right to request that we restrict the processing of your personal data.
As an EU citizen, you can report GDPR violations to your Data Protection Authority. You can find a list of Data Protection Authorities by clicking here
or searching on the internet. However, we aim to never let things escalate to the point where you need to file a complaint. Please contact us if you ever feel like we are not complying with your rights under GDPR and we will do our best to rectify the situation.
You are advised to review this page periodically for any changes.