Slate ("we," "us," "our," or the "Company") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your data when you interact with our services, including our website, mobile applications, booking platform, and messaging services across various communication channels.
By accessing or using our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of our services immediately.
Table of Contents
- Information We Collect
- How We Use Your Information
- Messaging Services & Communication Channels
- AI-Powered Features
- Third-Party Service Providers
- Data Sharing & Disclosure
- Data Retention
- Data Security
- Your Rights & Choices
- Cookies & Tracking Technologies
- Children's Privacy
- California Privacy Rights (CCPA/CPRA)
- International Data Transfers
- Changes to This Policy
- Contact Us
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: Name, email address, phone number, and password when you create an account or make a booking.
- Appointment Details: Service preferences, booking dates/times, staff preferences, and notes related to your appointments.
- Payment Information: Credit/debit card details, billing address, and transaction history. Payment card data is processed securely by our payment processors (Stripe, Helcim) and is not stored on our servers.
- Communication Content: Messages, inquiries, and feedback you send through our messaging channels (SMS, email, Facebook Messenger, Instagram Direct Messages, website chat widget).
- Profile Information: Photos, preferences, service history, and notes associated with your client profile.
- Forms & Documents: Information submitted through intake forms, consent forms, aftercare instructions, and other documents.
1.2 Information Collected Automatically
- Device Information: IP address, browser type, operating system, device identifiers, and screen resolution.
- Usage Data: Pages visited, features used, booking patterns, and interaction timestamps.
- Location Data: General geographic location derived from your IP address (we do not collect precise GPS location).
- Communication Metadata: Message timestamps, delivery status, and channel information (but not message content for analytics).
1.3 Information from Third Parties
- Social Media Platforms: When you interact with us through Facebook Messenger or Instagram, we receive your public profile information and message content as provided by Meta Platforms, Inc.
- Payment Processors: Transaction confirmations and payment status from Stripe and Helcim.
- Communication Providers: Message delivery status from Twilio (SMS) and SendGrid (email).
2. How We Use Your Information
- Service Delivery: To process bookings, manage appointments, send confirmations and reminders, and provide the services you request.
- Communication: To respond to your inquiries, provide customer support, and send service-related notifications across your preferred communication channels.
- AI-Assisted Services: To power our automated booking assistant, which helps you schedule appointments, answer questions about our services, and manage your bookings through natural conversation.
- Payment Processing: To process payments, issue receipts, manage refunds, and handle membership/subscription billing.
- Personalization: To remember your preferences, recommend services, and provide a personalized experience.
- Loyalty & Rewards: To manage rewards points, tier status, and promotional offers you have opted into.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
- Safety & Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
3. Messaging Services & Communication Channels
3.1 Facebook Messenger
When you message us through Facebook Messenger, we receive and process your messages through Meta's Messenger Platform API. This includes your Facebook Page-Scoped ID (PSID), message content (text, images, attachments you send), and message timestamps and delivery/read status.
We do not access your Facebook friends list, photos, or any other Facebook data beyond what you send us through Messenger. Our use of Messenger data complies with Meta's Platform Terms and Developer Policies.
3.2 Instagram Direct Messages
When you send us a Direct Message on Instagram, we process your messages through Meta's Instagram Messaging API. This includes your Instagram-Scoped ID, message content, and story reply context when applicable.
3.3 SMS (Text Messages)
SMS communications are processed through Twilio. We collect your phone number and message content. Standard messaging rates from your carrier may apply. You may opt out of SMS communications at any time by replying STOP.
3.4 Email
Email communications may be processed through SendGrid (for transactional emails) or Gmail API (for conversation-based email threads). We collect your email address, message content, and email threading metadata. You may unsubscribe from marketing emails at any time using the unsubscribe link in each email.
3.5 Website Chat Widget
Our website features an AI-powered chat widget. Conversations are processed in real-time and associated with a temporary session. No personally identifiable information is collected through the chat widget unless you voluntarily provide it during the conversation.
4. AI-Powered Features
- Automated Responses: Our AI assistant reads your messages to understand your intent and generates contextually appropriate responses.
- Conversation Context: The AI maintains context within a conversation session. This context is cleared when conversations are closed.
- No Training on Your Data: Your messages are not used to train or improve AI models. They are processed in real-time for response generation only.
- Human Oversight: Staff members can review and take over AI conversations at any time.
- Data Minimization: The AI only accesses information necessary to assist you.
5. Third-Party Service Providers
| Provider | Purpose | Data Processed |
|---|---|---|
| Stripe | Payment processing | Payment card details, billing info |
| Helcim | In-person payment terminals | Payment card details |
| Meta Platforms | Facebook & Instagram messaging | Messages, user IDs |
| Twilio | SMS messaging | Phone numbers, message content |
| SendGrid | Transactional email | Email addresses, email content |
| Google (Gmail API) | Conversational email | Email addresses, email content |
| Anthropic (Claude) | AI conversation processing | Message content (not used for training) |
| Cloudflare R2 | File & image storage | Uploaded files, photos |
| Neon (PostgreSQL) | Database hosting | All application data (encrypted at rest) |
| Amazon Web Services, Inc. (AWS) | Application hosting | Application logs, request data |
| Sentry | Error monitoring | Error details, stack traces (no PII) |
6. Data Sharing & Disclosure
We do not sell, rent, or trade your personal information to third parties. We may share your information only in these circumstances:
- Service Providers: With the third-party providers listed in Section 5, solely for delivering our services.
- Business Operations: With staff members of the salon/spa you are a client of, to provide your requested services.
- Legal Requirements: When required by law, regulation, legal process, or governmental request.
- Safety: To protect the rights, property, or safety of our company, our clients, or the public.
- Business Transfers: In connection with a merger, acquisition, or sale of assets.
- With Your Consent: When you explicitly authorize us to share your information.
7. Data Retention
- Client Profiles & Appointment History: Retained for the duration of your business relationship with us.
- Payment Records: Retained for a minimum of 7 years as required by tax and financial regulations.
- Conversation History: Retained for up to 24 months, then automatically purged.
- Voice Call Recordings: Audio recordings retained for 6 months. Transcripts retained for up to 24 months.
- Security & Audit Logs: Retained for up to 24 months, then automatically purged.
When you request deletion, we anonymize your personal information within 30 days. You may request deletion of your data at any time by contacting us (see Section 15) or visiting our Data Deletion page.
8. Data Security
- Encryption in Transit: All data is encrypted using TLS 1.2 or higher.
- Encryption at Rest: Database contents are encrypted using AES-256.
- Access Controls: Role-based access controls limit staff access to only the data necessary for their role.
- Payment Security: Payment card data is handled exclusively by PCI DSS-compliant processors. We never store full card numbers.
- Webhook Verification: All incoming webhooks from third-party providers are cryptographically verified.
9. Your Rights & Choices
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Portability: Request your data in a structured, machine-readable format.
- Opt-Out of Marketing: Unsubscribe from marketing emails or reply STOP to SMS.
- AI Opt-Out: Request that your conversations be handled by a human staff member instead of our AI assistant.
10. Cookies & Tracking Technologies
- Essential Cookies: Secure, httpOnly session cookies for authentication and payment processing. These cannot be disabled.
- Analytics (optional): With your consent, we use Sentry session replay and performance monitoring.
- Marketing (optional): With your consent, we use the Meta (Facebook) Pixel to measure advertising effectiveness.
11. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children.
12. California Privacy Rights (CCPA/CPRA)
- Right to Know: Request information about the categories and specific pieces of personal information we have collected.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to Correct: Request correction of inaccurate personal information.
13. International Data Transfers
Our services are primarily operated in the United States. By using our services, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on this page with a revised "Last Updated" date.
15. Contact Us
Slate
Privacy Inquiries
Email: [email protected]
We will acknowledge your request within 5 business days and aim to resolve all inquiries within 30 days.