Privacy Policy

1. Introduction

Welcome to AI Guru. We take the protection of your personal data very seriously. This Privacy Policy explains what information we collect, how we use it, and what rights you have regarding your data.

AI Guru is a Slack app that provides EU AI Act compliance training through Slack workspaces. Our app is operated by AI Catalyst.

2. What Data We Collect

2.1 Data We Receive Directly from Slack

When you install or use AI Guru in your Slack workspace, we collect:

• Workspace Information: Workspace ID, workspace name, installation timestamp
• User Information: Slack user ID, display name, real name (if available)
• Installer Account Information: User ID of the person who installed the app
• Channel Information: Channel IDs where the app is used (for message delivery only)

2.2 Data We Collect Through Your Use of the App

• Training Progress: Which modules and lessons you have completed
• Quiz Responses: Your answers to quiz questions and test scores
• Certificate Data: Generated certificates with your name, completion date, and score
• Language Preference: Your chosen language (German or English)
• Interaction Data: Timestamps of app usage, progress updates
• Feedback: Voluntary feedback you submit via the `/aiguru feedback` command

2.3 Data We DO NOT Collect

We do NOT collect:

• Messages or content from your Slack conversations
• Files or attachments from your workspace
• Private channel content you have access to
• Financial data or payment information (payments are handled through separate secure channels)
• Health data or other specially sensitive personal information

3. How We Use Your Data

We use your data solely for the following purposes:

3.1 Providing the Service

• Delivering training content and lessons to you
• Tracking your training progress
• Generating completion certificates
• Sending reminders and notifications
• Responding to your support requests

3.2 Improving the Service

• Analyzing aggregated usage data to improve content
• Identifying and fixing technical issues
• Understanding which modules are most useful

3.3 Administrative Purposes

• Providing admin analytics for workspace administrators
• Managing subscriptions and trial periods
• Ensuring security and preventing abuse

3.4 Legal Bases (GDPR)

We process your data on the following legal bases:

• Contract Performance (Art. 6(1)(b) GDPR): To provide our training services
• Legitimate Interest (Art. 6(1)(f) GDPR): To improve our service and ensure security
• Consent (Art. 6(1)(a) GDPR): For optional features like email notifications (if enabled)

4. Data Storage and Security

4.1 Where We Store Data

All data is stored within the European Union:

• Database: Supabase (EU region: Frankfurt, Germany)
• App Hosting: Fly.io (EU region: Frankfurt, Germany)

Your data never leaves the EU except as required for Slack API communication (Slack Inc., USA), which is protected by Standard Contractual Clauses.

4.2 How We Protect Data

We implement industry-standard security measures:

• Encryption in Transit: All data is transmitted over HTTPS (TLS 1.2+)
• Access Control: Strict access restrictions on production databases
• Request Verification: All Slack requests are validated with signatures
• Regular Security Updates: Timely application of security patches
• Row-Level Security: Database isolation per workspace

4.3 Data Backup

We perform regular backups to prevent data loss. Backups are treated with the same care as production data.

5. Data Retention and Deletion

5.1 How Long We Keep Data

• Active Accounts: As long as your workspace has AI Guru installed
• Training Progress: Until uninstallation or deleted upon request
• Certificates: 7 years (legal compliance requirements)
• Deleted Accounts: Completely purged within 14 business days after uninstallation

5.2 Automatic Deletion

When a workspace uninstalls AI Guru:

1. The workspace is immediately marked as inactive
2. Bot tokens are revoked
3. All associated data is deleted within 14 business days
4. Certificates are archived per legal requirements (if applicable)

6. Your Rights (GDPR)

Under GDPR, you have the following rights:

6.1 Right of Access (Art. 15 GDPR)

You have the right to know what data we store about you.

6.2 Right to Rectification (Art. 16 GDPR)

You can request correction of inaccurate data.

6.3 Right to Erasure (Art. 17 GDPR)

You can request deletion of your data ("Right to be Forgotten").

6.4 Right to Data Portability (Art. 20 GDPR)

You can request an export of your data in a machine-readable format.

6.5 Right to Object (Art. 21 GDPR)

You can object to processing of your data based on your particular situation.

6.6 Right to Restriction of Processing (Art. 18 GDPR)

You can request restriction of processing under certain circumstances.

6.7 Exercising Your Rights

To exercise any of these rights, please contact us at:

• Email: support@ai-catalyst.de
• Subject: "GDPR Request - [Your Request]"

We will respond to your request within 30 days.

Workspace administrators can also use the CSV export in the app to export data.

6.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority:

• Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI)
• Your local EU data protection authority

7. Third-Party Services

We use the following trusted third-party services:

7.1 Slack (Slack Technologies LLC)

• Purpose: Platform for the app, message delivery
• Data Location: USA (protected by Standard Contractual Clauses)
• Privacy Policy: https://slack.com/privacy-policy

7.2 Supabase

• Purpose: Database hosting
• Data Location: EU (Frankfurt, Germany)
• Privacy Policy: https://supabase.com/privacy

7.3 Fly.io

• Purpose: App hosting
• Data Location: EU (Frankfurt, Germany)
• Privacy Policy: https://fly.io/legal/privacy-policy

We do not share your data with any other third parties. We never sell your data.

8. International Data Transfers

Your data is primarily processed within the EU. The only exception is Slack API communication:

• Slack Inc. is based in the USA
• Transfers are protected by Standard Contractual Clauses (SCCs)
• Slack is certified under the EU-US Data Privacy Framework

9. Cookies and Tracking

AI Guru uses minimal session cookies solely for:

• OAuth authentication (state parameter for security)
• Session management during installation

We do NOT use tracking cookies, third-party analytics cookies, or advertising cookies.

10. Children and Minors

AI Guru is intended for business use by organizations and is not intentionally directed at children under 16. We do not knowingly collect data from children.

11. Changes to This Privacy Policy

We may update this Privacy Policy occasionally. When we make material changes, we will:

• Update the "Last Updated" date at the top
• Notify workspace administrators
• Retain the previous version for reference

Continued use of AI Guru after changes constitutes acceptance of the new Privacy Policy.

12. Business Transfers

In the event of a merger, acquisition, or asset sale, your data may be transferred. We will notify you beforehand and ensure the acquirer maintains the same privacy standards.

13. Contact

For questions about this Privacy Policy or our privacy practices, please contact us:

Data Protection Officer: For Data Protection Officer inquiries, please contact: support@ai-catalyst.de

Compliance Statement: This Privacy Policy complies with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and Slack App Directory requirements.

By installing or using AI Guru, you acknowledge that you have read and understood this Privacy Policy.