Privacy Policy
How we collect, use, and protect your personal information
Effective Date: 1 January 2025
Last Updated: 1 January 2025
At Gist, we respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, and safeguard your information when you use our Slack application and AI-powered summarisation services.
1. Information We Collect
1.1 Slack Message Content
When you use our Service, we process:
- Message Content: Text content from Slack conversations that you choose to summarise
- Thread Data: Message threads, replies, and conversation context
- Channel Information: Channel names and metadata (but not private channel content unless explicitly authorised)
- Timestamp Data: When messages were sent and received
- User Mentions: References to users within processed conversations
1.2 Slack Workspace Data
We collect and store the following information from your Slack workspace:
- Workspace Metadata: Workspace ID, workspace name, team domain
- User Profiles: Slack user IDs, display names, email addresses, time zones
- Bot Tokens: Encrypted bot access tokens for workspace-level operations
- User OAuth Tokens: Encrypted user OAuth tokens for individual user actions
- Authorisation Scopes: Specific permissions granted to our application
1.3 Payment and Subscription Data
We collect subscription information through Stripe:
- Stripe Customer Data: Customer IDs, subscription IDs, customer email addresses
- Billing Periods: Subscription start dates, renewal dates, billing cycles
- User Count: Number of users per subscription for billing purposes
- Payment Information: Payment data is processed and stored securely by Stripe (we do not store complete payment card details)
1.4 Notion Integration Data (Optional)
When you choose to connect Notion:
- OAuth Tokens: Notion OAuth access tokens encrypted with AES-256-GCM
- Workspace Information: Notion workspace IDs
- Database Information: Notion database IDs where summaries are saved
1.5 Usage and Analytics Data
- Token Usage: Monthly and lifetime AI token usage per user
- API Costs: Costs associated with API calls for billing and analytics
- Summary Counts: Number of summaries generated per user and workspace
- Error Rates: Technical errors and service performance metrics
- Feature Usage: How you use our features and frequency of summarisation requests
- OAuth States: Temporary single-use tokens for OAuth flows (expire immediately after use)
- Pending Exports: Temporary data exports with 1-hour time-to-live (TTL)
1.6 Website and Communication Data
- Contact Information: Email addresses for account management and support
- Website Usage: Pages visited, browser information, and interaction patterns
2. How We Use Your Information
2.1 Core Service Functionality
- AI Processing: We process your Slack message content using OpenAI's GPT models to generate summaries, extract action items, and identify key decisions
- Real-time Summaries: Continuously update summaries as new messages are added to threads
- Scheduled Summaries: Generate and deliver summaries based on your configured schedule
- Integration Services: Save summaries to your connected Notion databases or other authorised platforms
2.2 Service Improvement
- Feature Development: Analyse usage patterns to improve our AI models and user experience
- Performance Optimisation: Monitor service performance and reliability
- Security Monitoring: Detect and prevent unauthorised access or abuse
2.3 Communication
- Service Updates: Notify you of important changes to our service
- Account Management: Send billing notifications, security alerts, and subscription information
- Customer Support: Respond to your inquiries and provide technical assistance
3. Information Sharing and Third-Party Services
3.1 AI Processing Partners
- OpenAI: ALL Slack message content that you submit for summarisation is sent to OpenAI for processing using their GPT-4.1-mini model. Our agreement with OpenAI explicitly prohibits them from training their models using your data
- Data Processing: Message content is sent to OpenAI for analysis. OpenAI's data retention policies apply to your message content during processing
- OpenAI Privacy Policy: For full details on how OpenAI handles your data, please review their privacy policy at https://openai.com/privacy and their data processing terms at https://openai.com/enterprise-privacy
- Processing Location: OpenAI may process your data in the United States and other jurisdictions where they operate
3.2 Infrastructure and Security Providers
- Supabase: We use a Supabase PostgreSQL database for primary data storage
- Google Cloud Platform: We use Google Cloud Run for application hosting and Google Secret Manager for secure credential storage
- Google Secret Manager: Sensitive credentials and tokens are encrypted and stored using Google's secure key management service
- Stripe: Payment processing is handled by Stripe; we do not store complete payment card information
- Nodemailer/SMTP: Email delivery services for transactional emails and notifications
3.3 User-Authorised Integrations
- Notion: When you authorise Notion integration, we share summaries with your Notion workspace according to your configuration
- Slack: We interact with Slack APIs to read authorised content and post summaries back to your workspace
3.4 We Do Not Sell Your Data
We never sell, rent, or trade your personal information or message content to third parties for marketing or advertising purposes.
4. Data Storage and Security
4.1 Data Storage Infrastructure
- Primary Database: Supabase PostgreSQL database for storing workspace, user, and subscription data
- Application Hosting: Google Cloud Run for secure application deployment
- Credential Storage: Google Secret Manager for encrypted storage of sensitive credentials
- Message Processing: Message content is processed temporarily to generate summaries and is not permanently stored
- Summary Storage: Generated summaries are NOT retained after processing. Once a summary is generated and delivered to you (via Slack or saved to your authorised integrations like Notion), we do not store the summary content
4.2 Security Measures
- Data Encryption in Transit: All data is transmitted using HTTPS/TLS 1.2+ encryption
- Data Encryption at Rest: Sensitive tokens (Slack bot tokens, user OAuth tokens, Notion OAuth tokens) are encrypted using AES-256-GCM encryption
- Access Controls: Strict access controls limit who can access your data within our organisation
- Regular Security Audits: We conduct regular security assessments and vulnerability testing
- Compliance: We follow industry best practices for data security and privacy
4.3 Data Location
- Primary Storage: Data is primarily stored in secure cloud infrastructure within the United States and European Union
- Cross-Border Transfers: Any international data transfers comply with applicable data protection regulations
5. Data Retention
5.1 Retention Periods
We retain different types of data for varying periods based on operational and legal requirements:
- Active Subscription Data: All workspace data, user profiles, and subscription information are retained whilst your subscription is active
- Message Content: Processed transiently for AI summarisation and not permanently stored
- Generated Summaries: NOT retained after processing. Summaries are generated, delivered to you, and then immediately discarded from our systems
- OAuth States: Single-use tokens that expire immediately after authentication is complete
- Pending Data Exports: Temporary data exports are automatically deleted after 1 hour
- Monthly Usage Metrics: Monthly token usage and summary counts are reset at the beginning of each month
- Lifetime Usage Metrics: Lifetime totals for token usage and costs are retained indefinitely for billing and analytics purposes
- Account Information: Retained for 7 years after account closure for legal and accounting purposes as required by law
- Post-Cancellation Data: After subscription cancellation, workspace data retention follows our data deletion process (see below)
- Usage Analytics: Aggregated and anonymised data may be retained indefinitely for service improvement
5.2 Data Deletion
IMPORTANT: Data deletion is not currently automated. To request data deletion:
- Manual Deletion Request: You may request complete deletion of your workspace data by contacting support@getthegist.app within 30 days of cancellation
- Deletion Timeframe: We will process data deletion requests within 30 days of receipt
- Legal Requirements: Some data may be retained longer if required by law, for security purposes, or to comply with our legal obligations
- Backup Systems: Data may persist in backup systems for up to 90 days after deletion from production systems
Note: We are committed to implementing automated data deletion tools in compliance with GDPR and other data protection regulations. Until automated tools are available, please contact our support team to exercise your data deletion rights.
6. Your Privacy Rights
6.1 Access and Control
You have the following rights regarding your personal data:
- Data Access: Request a copy of the personal information we hold about you
- Data Portability: Request your data in a machine-readable format
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information (subject to legal requirements)
IMPORTANT: Data export and deletion are not currently automated. To exercise these rights:
- Contact: Email support@getthegist.app with your request
- Response Time: We will respond to your request within 30 days
- Verification: We may require verification of your identity before processing requests
- No Fee: We do not charge a fee for reasonable requests, though we may charge for excessive or repetitive requests
6.2 Communication Preferences
- Opt-out: Unsubscribe from marketing communications at any time
- Notification Settings: Control which service notifications you receive
- Data Processing: Where legally required, you can object to certain data processing activities
6.3 Slack Workspace Control
- Authorisation Management: You can revoke Gist's access to your Slack workspace at any time through Slack's app management
- Data Scope: You control which channels and conversations Gist can access through Slack's permission system
7. Children's Privacy
Our Service is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information.
8. International Data Transfers
If you are located outside the United States, please note that your information may be transferred to, stored, and processed in the United States where our servers are located. We ensure appropriate safeguards are in place for any international data transfers.
9. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of personal information collected, used, disclosed, or sold
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: Opt out of the sale of personal information (note: we do not sell personal information)
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights
10. European Data Protection Rights
If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):
- Lawful Basis: We process your data based on contract performance, legitimate interests, and consent
- Data Protection Officer: Contact our data protection team at privacy@getthegist.app
- Supervisory Authority: You have the right to lodge a complaint with your local data protection authority
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by:
- Posting the updated policy on our website
- Sending an email notification to your registered email address
- Providing notice through our Slack application
Your continued use of our Service after any changes indicates your acceptance of the updated Privacy Policy.
12. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a privacy concern, please contact us:
GistAI Ltd.
Email: privacy@getthegist.app
Data Protection: privacy@getthegist.app
General Support: support@getthegist.app
Website: https://www.getthegist.app
Company No. SC853023
Registered in Scotland
Note: This Privacy Policy applies to our Slack application and related services. For website-only interactions (such as waitlist signup), we collect only basic information necessary for communication and service delivery.