Privacy Policy
Last Updated: April 9, 2026
This privacy policy explains how Charts AI for Slack ("we," "us," or "our"), operated at chartsai.pro, collects, uses, shares, and protects your information when you install and use our Slack application (the "Service"). By using the Service, you consent to the practices described in this policy.
1. Information We Collect
When you install and use our app, we collect the following categories of information:
1.1 Workspace & Account Data
- Slack Workspace Information: Workspace (Team) ID, workspace name, and OAuth installation data (including bot tokens) necessary for the app to function within your Slack workspace.
- Slack User Information: Slack User ID and team association for each user who interacts with the app. We do not collect your Slack display name or profile picture.
- Billing Email: An optional email address you may provide during the checkout process, used solely for payment processing and billing correspondence.
1.2 User-Generated Content
- Text Prompts: The text descriptions you send to generate charts are stored in our database alongside the generation record.
- Uploaded Files: Images (PNG, JPEG, WebP, GIF, HEIC), audio files (MP3, WAV, OGG, FLAC, AAC, M4A, Opus, WebM), and PDF documents you attach to generation requests. These files are downloaded from Slack temporarily for AI processing and are not stored permanently on our servers.
- Generated Charts: Chart images produced by the Service. For ephemeral (preview) messages, chart images are stored on our server for up to 24 hours. For regular messages, charts are uploaded directly to Slack and stored on Slack’s infrastructure.
1.3 Usage & Operational Data
- Generation History: We record metadata about each chart generation, including status (processing, succeeded, failed), token cost, Slack channel and thread identifiers (for delivering results), timestamps, and error messages (if any).
- Billing & Invoice Records: Plan selections, payment amounts, currency, token balances, subscription status, and payment provider transaction IDs.
- Server Logs: Standard web server logs (IP addresses, request timestamps, HTTP methods) collected by our Nginx reverse proxy for operational and security purposes.
1.4 Information We Do NOT Collect
- We do not use cookies, tracking pixels, or analytics services on our website or within the Slack app.
- We do not read or store Slack messages beyond those explicitly sent to the Charts AI bot (via DM, @mention, or slash command).
- We do not collect personal information about workspace members who do not interact with the app.
2. How We Use Your Information
We use the collected information for the following purposes:
- Providing the Service: Processing your prompts and files through AI models to generate charts and delivering results to your Slack workspace.
- Billing & Subscription Management: Managing your token balance, processing payments, and enforcing plan limits.
- Service Improvement: Diagnosing errors, debugging issues, and improving the reliability and quality of chart generation.
- Support: Responding to your inquiries and resolving issues reported via the /support command or email.
We do not sell, rent, or trade your personal data to any third party. We do not use your data for advertising. Your prompts and files are not used to train AI models.
3. Lawful Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contract Performance: Processing necessary to provide the Service you requested (generating charts, managing your account and subscription).
- Legitimate Interest: Server logging for security and fraud prevention, and service debugging.
- Consent: Where you voluntarily provide optional information such as your billing email.
- Legal Obligation: Retaining billing and invoice records as required by applicable tax and financial regulations.
4. Data Sharing & Third-Party Services
To provide the Service, we share data with the following trusted third-party processors. Each operates under a data processing agreement or equivalent contractual protections:
- Slack (Salesforce): Your workspace and user identifiers, messages sent to the bot, and generated chart images are transmitted through Slack’s APIs. Slack’s own Privacy Policy governs its handling of this data.
- Google Gemini API (Google Cloud): Your text prompts and uploaded files (images, audio, PDFs) are sent to the Google Gemini API for AI-powered chart code generation. Files uploaded via the Gemini File API are deleted from Google’s servers immediately after chart generation completes. Google does not use data sent via API for model training. See the Google Cloud Data Processing Addendum.
- Lava.top (with Unlimit): When you purchase a subscription or token pack, your billing email and plan selection are transmitted to Lava.top, which uses Unlimit as its payment backend. We do not store or have access to your credit card details.
We do not share your data with any other third parties except as required by law.
5. Data Retention
We retain data only for as long as necessary to provide the Service or comply with legal obligations:
- Uploaded Files (images, audio, PDFs): Processed in memory and not stored permanently. Deleted from Google’s servers immediately after chart generation. Never written to our database.
- Ephemeral Chart Images: Stored on our server for up to 24 hours, then automatically and permanently deleted by a recurring cleanup process.
- Direct Chart Uploads: Charts uploaded to Slack are stored on Slack’s servers and subject to your workspace’s own retention policies.
- Prompts & Generation Metadata: Retained in our database for the duration of your app installation to support generation history and debugging. Deleted upon uninstallation or upon your written request.
- Workspace & User Records: Retained while the app is installed. All associated data (users, generations) is cascade-deleted when the workspace record is removed.
- Invoice & Billing Records: Retained for a minimum of 7 years to comply with financial record-keeping regulations, even after workspace deletion.
- Server Logs: Rotated and deleted after 14 days.
6. International Data Transfers
Your data may be transferred to and processed in countries outside of your jurisdiction. Specifically:
- Our application servers are hosted by Webdock.
- AI processing occurs on Google Cloud (Gemini API) infrastructure, which may be located in the United States or other regions.
- Payment processing via Lava.top/Unlimit may involve cross-border data transfers.
Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards provided by our sub-processors to protect your data.
7. Data Security
We implement reasonable technical and organizational measures to protect your data, including:
- HTTPS/TLS encryption for all data in transit.
- Database access restricted to the application backend only (not exposed to the public internet).
- OAuth tokens stored securely in our database and never exposed to end users.
- Slack request signature verification to prevent forged requests.
- Webhook signature verification for payment callbacks.
- Atomic database transactions for billing operations to prevent race conditions.
No method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please report it immediately to [email protected].
8. Your Data Rights
Depending on your jurisdiction (including under GDPR, CCPA, UK GDPR, and similar laws), you may have the following rights:
- Right of Access: Request a copy of all personal data we hold about you or your workspace.
- Right to Rectification: Request correction of inaccurate data.
- Right to Erasure: Request deletion of your personal data and workspace records.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Restrict Processing: Request that we limit how we use your data.
- Right to Object: Object to processing based on legitimate interest.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, email us at [email protected] with the subject line “Data Rights Request” and include your Slack Workspace URL. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.
9. Children’s Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
10. Automated Decision-Making
The Service uses AI (large language models) to interpret your prompts and generate chart code. This constitutes automated processing, but it does not involve profiling or automated decision-making that produces legal or similarly significant effects on you. The AI output is a visualization tool, and you are responsible for verifying the accuracy of all generated charts.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top and, where feasible, notify affected workspaces via Slack message. Your continued use of the Service after changes constitutes acceptance of the revised policy.
12. Contact Us
If you have any questions, concerns, or data requests, please contact us:
Email: [email protected]
In Slack: Use the /support command.