Icon for Slack

Slack

Slack is an American cloud-based chat app designed for teams and workplaces.


Handling

Does the service allow third-party access to private personal data? Yes, not all parties specified

0/10

Decided Sept. 16, 2019 (revision history). This question accounts for 12% of the final score.

The policy allows sharing personal data with third-parties (not just critical service providers), and does not explicitly list the third-parties.

This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).

Note that whether the policy allows sharing aggregated user data does not affect this question.

If the personal data is encrypted when it passes through the third-party, it does not count as third-party access (as the data is inaccessible to that party).

If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).

Possible Options

Yes, not all parties specified0/10
Yes, all parties specified (including non-critical service providers such as advertisers)3/10
Yes, not all parties specified (but only to critical service providers)7/10
Yes, all parties specified (only to critical service providers)8/10
No10/10

Note

Slack also uses cookies from third-party providers like Google Analytics, Facebook, LinkedIn, Convertro, Quantcast, Drift, and Optimizely to track usage of their products and provide social media share buttons/advertising. From linked document https://slack.com/cookie-policy: "We may use cookies to help us deliver marketing campaigns and track their performance (e.g., a user visited our Help Center and then made a purchase). Similarly, our partners may use cookies to provide us with information about your interactions with their services, but use of those third-party cookies would be subject to the service provider’s policies.

"Cookies help us learn how well our Sites and Services perform. We also use cookies to understand, improve, and research products, features, and services, including to create logs and record when you access our Sites and Services from different devices, such as your work computer or your mobile device."

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the policy allow personally-targeted or behavioral marketing? Yes, but you can opt-out

3.5/10

Decided Sept. 13, 2019 (revision history). This question accounts for 12% of the final score.

Possible Options

Yes0/10
Yes, but you can opt-out3.5/10
Yes, but you must opt-in7/10
No10/10

Citation

Slack may also process Other Information that constitutes your Personal Data for direct marketing purposes and you have a right to object to Slack’s use of your Personal Data for this purpose at any time.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service allow you to permanently delete your personal data? Yes, by contacting someone

3/5

Decided Sept. 13, 2019 (revision history). This question accounts for 6% of the final score.

Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as "permanently deleted" and satisfies the parameters for this question.

Possible Options

No0/5
Yes, by contacting someone3/5
Yes, using an automated mechanism5/5
N/A (no personal information collected)5/5

Citation

Individuals located in certain countries, including the European Economic Area, have certain statutory rights in relation to their personal data. Subject to any exemptions provided by law, you may have the right to request access to Information, as well as to seek to update, delete or correct this Information. You can usually do this using the settings and tools provided in your Services account. If you cannot use the settings and tools, contact Customer for additional access and assistance. Please check https://slack.com/account/settings for Customer contact information.

Note

Slack requires a Workspace's Primary Owner to contact them to request deletion of a user's profile information. "A Primary Owner is responsible for determining whether profile information requires deletion. Slack will only delete profile information at this person's request."

More information on deleting account data here: https://get.slack.help/hc/en-us/articles/360000360443-Delete-profile-information-from-Slack

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


When does the policy allow law enforcement access to personal data? When reasonably requested

3/5

Decided Sept. 13, 2019 (revision history). This question accounts for 6% of the final score.

Possible Options

Always0/5
Not specified0/5
When reasonably requested3/5
Only when required by a court order or subpoena4/5
N/A (no personal data to share)5/5
Never (special legal jurisdiction)5/5

Citation

If we receive a request for information, we may disclose Other Information if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation or legal process.

Note

"Other Information," which may be shared with law enforcement, includes all data Slack has on its users outside of customer-visible data in their Workspaces ("such as" everything users interact with, device information, approximate locations, IP addresses, third-party and first-party cookie information, contact information, and more).

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Collection

Does the policy list the personal data it collects? Yes, generally

7/10

Decided Sept. 13, 2019 (revision history). This question accounts for 12% of the final score.

All general categories of collected personal data are listed, though not all types of personal data are explicitly mentioned (for example, the list might use a phrase like 'such as' when listing types of personal data).

Possible Options

No0/10
Only summarily3/10
Yes, generally7/10
Yes, exhaustively10/10
N/A (no personal information is collected)10/10

Citation

Slack may collect and receive Customer Data and other information and data (“Other Information”) in a variety of ways:

Customer Data. Customers or individuals granted access to a Workspace by a Customer (“Authorized Users”) routinely submit Customer Data to Slack when using the Services. Other Information. Slack also collects, generates and/or receives Other Information:

  1. Workspace and Account Information. To create or update a Workspace account, you or your Customer (e.g., your employer) supply Slack with an email address, phone number, password, domain and/or similar account details. For details on Workspace creation, click here. In addition, Customers that purchase a paid version of the Services provide Slack (or its payment processors) with billing details such as credit card information, banking information and/or a billing address.

  2. Usage Information.

    • Services Metadata. When an Authorized User interacts with the Services, metadata is generated that provides additional context about the way Authorized Users work. For example, Slack logs the Workspaces, channels, people, features, content and links you interact with, the types of files shared and what Third Party Services are used (if any).

    • Log data. As with most websites and technology services delivered over the Internet, our servers automatically collect information when you access or use our Websites or Services and record it in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited before using the Website or Services, browser type and settings, the date and time the Services were used, information about browser configuration and plugins, language preferences and cookie data.

    • Device information. Slack collects information about devices accessing the Services, including type of device, what operating system is used, device settings, application IDs, unique device identifiers and crash data. Whether we collect some or all of this Other Information often depends on the type of device used and its settings.

    • Location information. We receive information from you, your Customer and other third-parties that helps us approximate your location. We may, for example, use a business address submitted by your employer, or an IP address received from your browser or device to determine approximate location. Slack may also collect location information from devices in accordance with the consent process provided by your device.

  3. Cookie Information. Slack uses cookies and similar technologies in our Websites and Services that help us collect Other Information. The Websites and Services may also include cookies and similar tracking technologies of third parties, which may collect Other Information about you via the Websites and Services and across other websites and online services. For more details about how we use these technologies, please see our Cookie Policy.

  4. Third Party Services. Customer can choose to permit or restrict Third Party Services for their Workspace. Typically, Third Party Services are software that integrate with our Services, and Customer can permit its Authorized Users to enable and disable these integrations for their Workspace. Once enabled, the provider of a Third Party Service may share certain information with Slack. For example, if a cloud storage application is enabled to permit files to be imported to a Workspace, we may receive user name and email address of Authorized Users, along with additional information that the application has elected to make available to Slack to facilitate the integration. Authorized Users should check the privacy settings and notices in these Third Party Services to understand what data may be disclosed to Slack. When a Third Party Service is enabled, Slack is authorized to connect and access Other Information made available to Slack in accordance with our agreement with the Third Party Provider. We do not, however, receive or store passwords for any of these Third Party Services when connecting them to the Services. For more information on Third Party Services, click here.

  5. Contact Information. In accordance with the consent process provided by your device, any contact information that an Authorized User chooses to import (such as an address book from a device) is collected when using the Services.

  6. Third Party Data. Slack may receive data about organizations, industries, Website visitors, marketing campaigns and other matters related to our business from parent corporation(s), affiliates and subsidiaries, our partners or others that we use to make our own information better or more useful. This data may be combined with Other Information we collect and might include aggregate level data, such as which IP addresses correspond to zip codes or countries. Or it might be more specific: for example, how well an online marketing or email campaign performed.

  7. Additional Information Provided to Slack. We receive Other Information when submitted to our Websites or if you participate in a focus group, contest, activity or event, apply for a job, request support, interact with our social media accounts or otherwise communicate with Slack.

Generally, no one is under a statutory or contractual obligation to provide any Customer Data or Other Information (collectively, “Information”). However, certain Information is collected automatically and, if some Information, such as Workspace setup details, is not provided, we may be unable to provide the Services.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service collect personal data from third parties? Yes

0/10

Decided Sept. 13, 2019 (revision history). This question accounts for 12% of the final score.

This includes the use of data brokers and independent verification authorities (such as background check providers).

Possible Options

Yes0/10
Only for critical data7/10
No10/10

Citation

Location information. We receive information from you, your Customer and other third-parties that helps us approximate your location. We may, for example, use a business address submitted by your employer, or an IP address received from your browser or device to determine approximate location. Slack may also collect location information from devices in accordance with the consent process provided by your device.

Third Party Data. Slack may receive data about organizations, industries, Website visitors, marketing campaigns and other matters related to our business from parent corporation(s), affiliates and subsidiaries, our partners or others that we use to make our own information better or more useful. This data may be combined with Other Information we collect and might include aggregate level data, such as which IP addresses correspond to zip codes or countries. Or it might be more specific: for example, how well an online marketing or email campaign performed.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Is it clear why the service collects the personal data that it does? Mostly

7/10

Decided Sept. 13, 2019 (revision history). This question accounts for 12% of the final score.

This question deals with transparency. Even if the service uses data for reasons that aren't ideal for privacy, provided they list all of those uses, the service can still receive full credit for this question. However, if they are not explicit about their uses (by employing language like "such as"), a lower score is assigned.

Possible Options

No0/10
Somewhat4/10
Mostly7/10
Yes10/10
No personal data is collected10/10

Citation

Slack uses Other Information in furtherance of our legitimate interests in operating our Services, Websites and business. More specifically, Slack uses Other Information:

  • To provide, update, maintain and protect our Services, Websites and business. This includes use of Other Information to support delivery of the Services under a Customer Agreement, prevent or address service errors, security or technical issues, analyze and monitor usage, trends and other activities or at an Authorized User’s request.

  • As required by applicable law, legal process or regulation.

  • To communicate with you by responding to your requests, comments and questions. If you contact us, we may use your Other Information to respond.

  • To develop and provide search, learning and productivity tools and additional features. Slack tries to make the Services as useful as possible for specific Workspaces and Authorized Users. For example, we may improve search functionality by using Other Information to help determine and rank the relevance of content, channels or expertise to an Authorized User, make Services suggestions based on historical use and predictive models, identify organizational trends and insights, to customize a Services experience or create new productivity features and products.

  • To send emails and other communications. We may send you service, technical and other administrative emails, messages and other types of communications. We may also contact you to inform you about changes in our Services, our Services offerings, and important Services-related notices, such as security and fraud notices. These communications are considered part of the Services and you may not opt out of them. In addition, we sometimes send emails about new product features, promotional communications or other news about Slack. These are marketing messages so you can control whether you receive them.

  • For billing, account management and other administrative matters. Slack may need to contact you for invoicing, account management and similar reasons and we use account data to administer accounts and keep track of billing and payments.

  • To investigate and help prevent security issues and abuse.

If Information is aggregated or de-identified so it is no longer reasonably associated with an identified or identifiable natural person, Slack may use it for any business purpose. To the extent Information is associated with an identified or identifiable natural person and is protected as personal data under applicable data protection law, it is referred to in this Privacy Policy as “Personal Data.”

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service allow the user to control whether personal data is used or collected for non-critical purposes? No

0/5

Decided Sept. 13, 2019 (revision history). This question accounts for 6% of the final score.

Some services allow users to opt-out or opt-in to of non-critical collection or use of personal data, such as collecting data for personalized advertisements.

Possible Options

No0/5
On an opt-out basis, but only for some non-critical data/uses1.5/5
On an opt-out basis, for all non-critical data/uses3/5
N/A (no data used for non-critical purposes)5/5
On an opt-in basis5/5

Note

There is no mention of users having the ability to opt-out/opt-in of anything in Slack's privacy policy.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Transparency

Does the policy require users to be notified in case of a data breach? Yes, eventually

5/7

Decided Sept. 13, 2019 (revision history). This question accounts for 8% of the final score.

Users will be notified in case of a data breach, but within an unspecified amount of time.

Note that all companies operating in the EU are subject to Art. 33 of the GDPR, which requires companies to notify their data protection authority of a data breach within 72 hours of discovering it.

Possible Options

No0/7
Yes, eventually5/7
Yes, within 72 hours7/7
N/A (the service collects so little personal data that notification would not be possible)7/7

Note

From linked document https://slack.com/security-practices: "In the event of a security breach, Slack will promptly notify you of any unauthorized access to your Customer Data. Slack has incident management policies and procedures in place to handle such an event."

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Will the affected users be notified when the policy is meaningfully changed? Yes

5/5

Decided Sept. 13, 2019 (revision history). This question accounts for 6% of the final score.

Possible Options

No0/5
Yes5/5
N/A (no personal data—or contact information—collected)5/5

Citation

Slack may change this Privacy Policy from time to time. Laws, regulations and industry standards evolve, which may make those changes necessary, or we may make changes to our business. We will post the changes to this page and encourage you to review our Privacy Policy to stay informed. If we make changes that materially alter your privacy rights, Slack will provide additional notice, such as via email or through the Services. If you disagree with the changes to this Privacy Policy, you should deactivate your Services account. Contact the Customer if you wish to request the removal of Personal Data under their control.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Is the policy's history made available? Only the date it was last modified

3/5

Decided Sept. 13, 2019 (revision history). This question accounts for 6% of the final score.

Possible Options

No0/5
Only the date it was last modified3/5
Yes, with revisions or a change-log5/5

Citation

Effective: April 20, 2018

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the policy outline the service's general security practices? Yes, including independent audits

3/3

Decided Sept. 13, 2019 (revision history). This question accounts for 4% of the final score.

Independent "reviews," "monitoring," etc. also count as independent audits.

Possible Options

No0/3
Somewhat1/3
Yes2/3
Yes, including audits2.5/3
N/A (no personal data collected)3/3
Yes, including independent audits3/3

Citation

Slack takes security of data very seriously. Slack works hard to protect Other Information you provide from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the Other Information we collect, process and store, and the current state of technology. Slack has received internationally recognized security certifications for ISO 27001 (information security management system) and ISO 27018 (for protecting personal data in the cloud). To learn more about current practices and policies regarding security and confidentiality of the Services, please see our Security Practices. Given the nature of communications and information processing technology, Slack cannot guarantee that Information, during transmission through the Internet or while stored on our systems or otherwise in our care, will be absolutely safe from intrusion by others.

Note

More security-related information, including a security whitepaper and SOC 2 Type II + SOC 3 certification, available on https://slack.com/security and https://slack.com/security-practices

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.



Warnings

Slack has no warnings published on PrivacySpy. PrivacySpy publishes warnings when it learns a service has announced a data breach or is found misusing user data. If you believe a warning should be published for Slack, submit one here.


Highlighted Policy Snapshot ALPHA

Highlighted policy snapshots are a highly experimental feature that provide an annotated version of the privacy policy (displayed in a simplified 'reader view') with automatically-generated highlights. This feature is still in its early stages, so apologies if things don't look right!

4.6/10

How we calculate ratings →


Version Added

Sept. 13, 2019

Ratings Updated

Sept. 16, 2019

Warnings

0

Maintained by

owlswipe

Original Location
Open in New Tab
Other Versions