Security & Compliance
At Charts AI, we are committed to maintaining the security, privacy, and compliance of our customers’ data. This page outlines our practices, commitments, and the measures we take to protect your information.
GDPR Compliance
We are committed to compliance with the General Data Protection Regulation (GDPR). We process personal data lawfully, fairly, and transparently, and only for the specific purposes outlined in our Privacy Policy.
- Right to Access: You can request a full export of all data associated with your workspace.
- Right to Erasure: We provide a complete deletion procedure for your personal and workspace data.
- Right to Portability: We can provide your data in a structured, machine-readable format.
- Data Minimization: We only collect data strictly necessary to provide the Service.
- Lawful Basis: We process data under contract performance, legitimate interest, consent, or legal obligation as applicable (see our Privacy Policy Section 3).
- Sub-processor Agreements: Data processing agreements are in place with all sub-processors.
CCPA Compliance
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, request its deletion, and opt out of any sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact us at [email protected].
Technical Security Measures
- Encryption in Transit: All traffic between your browser, Slack, and our servers is encrypted using TLS/HTTPS. TLS certificates are issued by Let’s Encrypt and renewed automatically.
- Database Security: Our PostgreSQL database is not exposed to the public internet and is accessible only by the application backend. Database credentials are managed via environment variables, never hardcoded.
- Authentication & Verification: All incoming Slack requests are verified using Slack’s signing secret. Billing webhooks are authenticated via API key signature verification.
- Token Security: Slack OAuth tokens are stored securely in our database and are never exposed to end users or in client-side code.
- Atomic Billing Transactions: Token deductions use atomic database transactions to prevent race conditions or double-spending.
- Content Filtering: The Service includes filtering for NSFW and sensitive content, returning safe error messages instead of problematic output.
- Input Validation: File uploads are restricted to whitelisted MIME types and a maximum of 10 files per request.
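As an added example (not Charts AI’s own code), this is the Slack request verification described under Authentication & Verification, in Python: it recomputes Slack’s HMAC-SHA256 signature over the version string, timestamp and raw request body using the signing secret, rejects requests whose timestamp falls outside a replay window, and compares the result in constant time. The signing secret, request body and timestamps below are constructed values.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed secret for this demonstration only. A real deployment loads it from
# an environment variable (the page states credentials are never hardcoded).
SIGNING_SECRET = "constructed-signing-secret-for-demo"
REPLAY_WINDOW_SECONDS = 5 * 60  # Slack's guidance: refuse requests older than five minutes


def compute_slack_signature(secret: str, timestamp: str, body: bytes) -> str:
    """Compute Slack's v0 signature: HMAC-SHA256 over 'v0:<timestamp>:<raw body>'."""
    base_string = b"v0:" + timestamp.encode("ascii") + b":" + body
    digest = hmac.new(secret.encode("utf-8"), base_string, hashlib.sha256).hexdigest()
    return "v0=" + digest


def verify_slack_request(secret: str, headers: Dict[str, str], body: bytes,
                         now: Optional[float] = None) -> bool:
    """Return True only for a well-formed, fresh request whose signature matches.

    Order of checks: both headers present and well-formed, timestamp inside the
    replay window, then a constant-time comparison against the recomputed value.
    """
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    provided = headers.get("X-Slack-Signature", "")
    if not timestamp.isdigit() or not provided.startswith("v0="):
        return False
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > REPLAY_WINDOW_SECONDS:
        return False  # stale or future-dated: treated as a replayed request
    expected = compute_slack_signature(secret, timestamp, body)
    # compare_digest runs in constant time, so timing does not reveal how many
    # leading bytes of a guessed signature were correct.
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed slash-command body and timestamp, signed with the demo secret.
    body = b"token=xyz&team_id=T0001&command=%2Fchart&text=sales+by+region"
    ts = "1700000000"
    headers = {"X-Slack-Request-Timestamp": ts,
               "X-Slack-Signature": compute_slack_signature(SIGNING_SECRET, ts, body)}
    print("fresh, intact:", verify_slack_request(SIGNING_SECRET, headers, body, now=1700000030))
    print("tampered body:", verify_slack_request(SIGNING_SECRET, headers, body + b"&x=1", now=1700000030))
    print("replayed 10 min later:", verify_slack_request(SIGNING_SECRET, headers, body, now=1700000600))
```

The raw body bytes must be the ones Slack sent, read before any framework parsing re-encodes them, or the recomputed signature will not match.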
Data Deletion Procedure
To request permanent deletion of your workspace or personal data:
- Email [email protected] with the subject “Data Deletion Request.”
- Include your Slack Workspace URL and your role in the workspace (owner, admin, or member).
- We will verify your identity and authorization within 3 business days.
- Full removal of workspace records (teams, users, generations, and associated metadata) will be completed within 30 days.
Note: Invoice and billing records may be retained for up to 7 years as required by financial record-keeping regulations. These records contain only transaction metadata (amounts, dates, plan codes) and do not include personal content such as prompts or files.
Infrastructure & Sub-processor Security
Charts AI relies on established providers for infrastructure and data processing:
- Application Hosting (Webdock): Our backend and database run in isolated containerized environments with restricted network access.
- AI Processing (Google Cloud — Gemini API): Google Cloud maintains SOC 1/2/3, ISO 27001, ISO 27017, and ISO 27018 certifications. Data sent via the Gemini API is not used for model training and is deleted from Google servers immediately after processing.
- Payment Processing (Lava.top / Unlimit): Unlimit is PCI-DSS compliant. We never store, process, or transmit credit card numbers on our infrastructure.
- Slack Platform (Salesforce): Slack maintains SOC 2, ISO 27001, and other certifications. OAuth integration follows Slack’s security best practices.
For a complete list of sub-processors, see our Subprocessors page.
Incident Response
In the event of a data breach or security incident, we will:
- Investigate and contain the incident promptly.
- Notify affected users and relevant supervisory authorities within 72 hours of becoming aware of a breach, as required by GDPR.
- Provide a written incident report including scope, impact, and remediation steps.
- Take corrective action to prevent recurrence.
To report a security vulnerability or concern, contact [email protected].