Privacy Policy

Slate ("we," "us," "our," or the "Company") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your data when you interact with our services, including our website, mobile applications, booking platform, and messaging services across various communication channels.

By accessing or using our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of our services immediately.

1. Information We Collect

1.1 Information You Provide Directly

• Account Information: Name, email address, phone number, and password when you create an account or make a booking.
• Appointment Details: Service preferences, booking dates/times, staff preferences, and notes related to your appointments.
• Payment Information: Credit/debit card details, billing address, and transaction history. Payment card data is processed securely by our payment processors (Stripe, Helcim) and is not stored on our servers.
• Communication Content: Messages, inquiries, and feedback you send through our messaging channels (SMS, email, Facebook Messenger, Instagram Direct Messages, website chat widget).
• Profile Information: Photos, preferences, service history, and notes associated with your client profile.
• Forms & Documents: Information submitted through intake forms, consent forms, aftercare instructions, and other documents.

1.2 Information Collected Automatically

• Device Information: IP address, browser type, operating system, device identifiers, and screen resolution.
• Usage Data: Pages visited, features used, booking patterns, and interaction timestamps.
• Location Data: General geographic location derived from your IP address (we do not collect precise GPS location).
• Communication Metadata: Message timestamps, delivery status, and channel information (but not message content for analytics).

1.3 Information from Third Parties

• Social Media Platforms: When you interact with us through Facebook Messenger or Instagram, we receive your public profile information and message content as provided by Meta Platforms, Inc.
• Payment Processors: Transaction confirmations and payment status from Stripe and Helcim.
• Communication Providers: Message delivery status from Twilio (SMS) and SendGrid (email).

2. How We Use Your Information

• Service Delivery: To process bookings, manage appointments, send confirmations and reminders, and provide the services you request.
• Communication: To respond to your inquiries, provide customer support, and send service-related notifications across your preferred communication channels.
• AI-Assisted Services: To power our automated booking assistant, which helps you schedule appointments, answer questions about our services, and manage your bookings through natural conversation.
• Payment Processing: To process payments, issue receipts, manage refunds, and handle membership/subscription billing.
• Personalization: To remember your preferences, recommend services, and provide a personalized experience.
• Loyalty & Rewards: To manage rewards points, tier status, and promotional offers you've opted into.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.
• Safety & Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.

3. Messaging Services & Communication Channels

3.1 Facebook Messenger

When you message us through Facebook Messenger, we receive and process your messages through Meta's Messenger Platform API. This includes your Facebook Page-Scoped ID (PSID), message content (text, images, attachments you send), and message timestamps and delivery/read status.

We do not access your Facebook friends list, photos, or any other Facebook data beyond what you send us through Messenger. Our use of Messenger data complies with Meta's Platform Terms and Developer Policies.

3.2 Instagram Direct Messages

When you send us a Direct Message on Instagram, we process your messages through Meta's Instagram Messaging API. This includes your Instagram-Scoped ID, message content, and story reply context when applicable. The same data protections that apply to Messenger apply to Instagram Direct Messages.

3.3 SMS (Text Messages)

SMS communications are processed through Twilio. We collect your phone number and message content. Standard messaging rates from your carrier may apply. You may opt out of SMS communications at any time by replying STOP.

3.4 Email

Email communications may be processed through SendGrid (for transactional emails) or Gmail API (for conversation-based email threads). We collect your email address, message content, and email threading metadata. You may unsubscribe from marketing emails at any time using the unsubscribe link in each email.

3.5 Website Chat Widget

Our website features an AI-powered chat widget. Conversations are processed in real-time and associated with a temporary session. No personally identifiable information is collected through the chat widget unless you voluntarily provide it during the conversation.

4. AI-Powered Features

• Automated Responses: Our AI assistant reads your messages to understand your intent ((e as Record).g., booking, asking about services) and generates contextually appropriate responses.
• Conversation Context: The AI maintains context within a conversation session. This context is cleared when conversations are closed.
• No Training on Your Data: Your messages are not used to train or improve AI models. They are processed in real-time for response generation only.
• Human Oversight: Staff members can review and take over AI conversations at any time.
• Data Minimization: The AI only accesses information necessary to assist you — your conversation history, booking details, and relevant business information.

5. Third-Party Service Providers

Provider	Purpose	Data Processed
Stripe	Payment processing	Payment card details, billing info
Helcim	In-person payment terminals	Payment card details
Meta Platforms	Facebook & Instagram messaging	Messages, user IDs
Twilio	SMS messaging	Phone numbers, message content
SendGrid	Transactional email	Email addresses, email content
Google (Gmail API)	Conversational email	Email addresses, email content
Anthropic (Claude)	AI conversation processing	Message content (not used for training)
Cloudflare R2	File & image storage	Uploaded files, photos
Neon (PostgreSQL)	Database hosting	All application data (encrypted at rest)
Render	Application hosting	Application logs, request data
Sentry	Error monitoring	Error details, stack traces (no PII)

6. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information to third parties. We may share your information only in these circumstances:

• Service Providers: With the third-party providers listed in Section 5, solely for delivering our services.
• Business Operations: With staff members of the salon/spa you are a client of, to provide your requested services.
• Legal Requirements: When required by law, regulation, legal process, or governmental request.
• Safety: To protect the rights, property, or safety of our company, our clients, or the public.
• Business Transfers: In connection with a merger, acquisition, or sale of assets.
• With Your Consent: When you explicitly authorize us to share your information.

7. Data Retention

7.1 While Your Account Is Active

• Client Profiles & Appointment History: Retained for the duration of your business relationship with us. Appointment and service records are maintained indefinitely to ensure continuity of service.
• Payment Records: Retained for a minimum of 7 years as required by tax and financial regulations, even after a deletion request.
• Conversation History: AI conversation threads are automatically closed after 24 hours of inactivity. Messages retained for up to 24 months, then automatically purged.
• Voice Call Recordings: Audio recordings retained for 6 months. Transcripts retained for up to 24 months.
• Security & Audit Logs: Retained for up to 24 months, then automatically purged.
• Marketing Communications: Until you unsubscribe or request deletion.

7.2 After a Deletion Request

When you request deletion, we anonymize your personal information within 30 days. Payment records are retained with PII stripped for 7 years per tax law. Backup systems purge within 30 days (our rotation cycle).

7.3 After Account Termination

Data remains available for export for 90 days. After 90 days, data may be permanently deleted except where retention is required by law.

You may request deletion of your data at any time by contacting us (see Section 15) or visiting our Data Deletion page.

8. Data Security

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
• Encryption at Rest: Database contents are encrypted at rest using AES-256 encryption.
• Access Controls: Role-based access controls limit staff access to only the data necessary for their role.
• Payment Security: Payment card data is handled exclusively by PCI DSS-compliant processors. We never store full card numbers.
• Webhook Verification: All incoming webhooks from third-party providers are cryptographically verified.
• Regular Backups: Automated daily database backups ensure data recovery capability.

9. Your Rights & Choices

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data, subject to legal retention requirements.
• Portability: Request your data in a structured, machine-readable format.
• Opt-Out of Marketing: Unsubscribe from marketing emails or reply STOP to SMS.
• AI Opt-Out: Request that your conversations be handled by a human staff member instead of our AI assistant.

To exercise any of these rights, please contact us using the information in Section 15. We will respond within 30 days.

10. Cookies & Tracking Technologies

• Essential Cookies: Secure, httpOnly session cookies for authentication, password resets, and payment processing (Stripe, Helcim). These cannot be disabled.
• Analytics (optional): With your consent, we use Sentry session replay and performance monitoring to diagnose issues and improve our service.
• Marketing (optional): With your consent, we use the Meta (Facebook) Pixel to measure advertising effectiveness. This may set third-party cookies such as _fbp and _fbc.

You can manage your cookie preferences at any time using the cookie consent banner. Optional cookies are only loaded after you grant consent.

11. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights:

• Right to Know: Request information about the categories and specific pieces of personal information we have collected.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out of Sale: We do not sell your personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• Right to Correct: Request correction of inaccurate personal information.

13. International Data Transfers

Our services are primarily operated in the United States. If you access our services from outside the United States, your information may be transferred to, stored, and processed in the United States. By using our services, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on this page with a revised "Last Updated" date. Your continued use of our services after any changes constitutes acceptance of the updated policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices: