DRAFT. This page is a placeholder pending lawyer review. The summary below describes Slaat’s actual data practices today; binding policy language, including state-specific rights (CCPA, etc.), will be published before Slaat enters Live mode.

Privacy Policy

Last updated: May 4, 2026

What we collect

  • Account data you provide at signup: email address, name, and password (stored hashed by Supabase Auth). Optional profile info you add later: bio, avatar image, and portfolio media.
  • Business data you create on Slaat: invoices, clients you save, projects, bookings, contracts, expenses, and any files you attach to those records.
  • Payment metadata from Stripe: transaction amounts, statuses, payout details, and Stripe-issued IDs. We do not see, receive, or store card numbers, bank account numbers, CVV codes, or KYC documents — those are collected and stored by Stripe directly.
  • Connection data from your linked calendars (optional): when you connect Google Calendar, Microsoft Outlook, or Apple iCloud, we store your account email and an encrypted copy of the OAuth credentials or app-specific password needed to read your busy times.
  • Usage and security data: server logs (IP address, request timestamps, user agent), authentication events (sign-in successes and failures), and rate-limit counters. Used to operate the service, detect abuse, and meet legal logging requirements.
  • Diagnostics from the mobile app: crash reports, performance traces, and session counts via Sentry. Includes device model, OS version, and app version. Does not include the contents of your business records.

What we don't collect

  • Full card numbers, CVVs, bank account credentials, SSNs, or KYC documents — Stripe handles these.
  • Third-party advertising or marketing trackers. We do not run advertising networks, ad pixels, or behavioral profiling.
  • Your browsing history outside Slaat, your contacts, your microphone audio, or your precise location.
  • We do not sell or rent your data.

How we use it

  • To run the platform — process invoices and payments, deliver bookings, send signed contracts, and show you your numbers.
  • To send transactional email — account confirmations, payment receipts, dispute and contract notifications, and (for the annual Slaat Pro plan) the renewal reminders required by Florida § 501.165 for auto-renewing 12-month-or-longer service contracts. We may also send occasional product nudges (e.g., a Pro-tier suggestion if your invoice volume crosses a threshold). All emails include a one-click unsubscribe header for non-essential mail.
  • To detect fraud and abuse — using IP addresses, request rate patterns, and authentication audit logs.
  • To meet legal obligations — including tax recordkeeping (Stripe handles 1099-K thresholds; you may receive tax forms from Stripe directly) and security incident response.

Who we share with

Slaat uses the following service providers (sub-processors). Each one only sees the data needed for the function they perform.

  • Stripe — payment processing, payouts, KYC verification, dispute handling. Merchant of record for client payment data.
  • Supabase — authentication and database hosting. All data encrypted at rest by Supabase; calendar OAuth tokens additionally encrypted at the application level.
  • Vercel — application hosting, edge logs, and scheduled jobs.
  • Resend — transactional email delivery.
  • Sentry — error tracking and performance monitoring (web and mobile). Sentry sees stack traces, URL paths (with query strings stripped), HTTP status codes, and mobile device/OS metadata.
  • Upstash — Redis-based rate limiting. Sees IP address keys and counter values; no personal data.
  • BoldSign — e-signature provider for contracts. Sees the contract PDF and the names + emails of the signers.
  • Google, Microsoft, and Apple — only when you opt in to calendar sync. Slaat reads busy times from the provider you connect; we do not read event content.
  • Cloudflare — DNS, email routing, and (where configured) edge proxying.
  • VirusTotal — file uploads (avatars, invoice attachments, portfolio media) are scanned for malware. Files that VirusTotal has not seen before may be uploaded to their service for analysis.
  • Law enforcement — only when required by valid legal process.

Public content

Some content you create on Slaat is intentionally public so your clients can use it without signing up:
  • Your public profile page (slaat.app/p/<your-slug>) — name, bio, avatar, and portfolio media you choose to display.
  • Invoice pay links (slaat.app/pay/<invoice-id>) — accessible to anyone with the link, including any attachments you add.
  • Booking pages and contract review links — accessible to anyone with the link.

Files you upload as profile media or invoice attachments are stored in publicly addressable cloud storage. Treat them as if they will be world-readable; do not upload anything you would not share publicly.

How long we keep it

  • Active account data: kept while your account is open.
  • Tax-relevant records (invoices, contracts, disputes, payouts): retained for 7 years from the date of the transaction, as required by U.S. tax-record retention windows. Even after you delete your account, these records persist in anonymized form (no name, no email, no avatar) until the 7-year window expires.
  • Security and audit logs: sign-in events, contract events, and webhook payloads are retained for incident-response purposes. We are working toward a documented purge schedule for these logs.
  • Stripe-side records: governed by Stripe’s retention policy (typically 7 years for transaction records).

Your data — your access and deletion

Access and export. You can download a JSON export of your account data while signed in via /api/account/export. For a request that includes your audit logs or other operational records, email support@slaat.app.

Deletion. You can delete your account at any time from Settings (in-app) or by submitting a request at slaat.app/delete-account. Deletion does the following:

  • Closes your auth account and signs you out everywhere.
  • Cancels any active Slaat Pro subscription.
  • Anonymizes your name, email, and contact details on Slaat-side records (replaced with non-identifying placeholders).
  • Removes your avatar, portfolio media, and uploaded attachments from public surfaces.
  • Rejects the Stripe Connect account associated with Slaat (no new payments accepted; any pending balance pays out per Stripe’s standard policy). Stripe retains transaction records on its side per their retention policy.
  • Tax-relevant records (invoices, contracts, disputes, payouts) are retained in anonymized form for 7 years per U.S. tax-record retention windows, then permanently purged.

Correction. You can edit your profile, clients, invoices, and other records from inside the app. For corrections we cannot make in-app, email support.

Cookies and diagnostics

We use first-party cookies for authentication (signing you in and keeping you signed in) and to remember your cookie-consent preference for one year. With your consent we also collect anonymous performance diagnostics via Sentry to help us debug production issues; if you decline, no performance traces are sent and the app continues to work fully. Crash reports are always collected — we treat them as necessary for security and stability under CCPA / GDPR legitimate-interest grounds. We do not use third-party tracking cookies or advertising cookies.

Children's privacy

Slaat is intended for adults using it for business purposes. To use Slaat’s payment features you must be old enough to legally accept Stripe’s Connected Account Agreement, which generally requires you to be 18 or older. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a minor, contact us and we will delete it.

International users

Slaat operates from the United States. By using Slaat you consent to your data being processed in the U.S. We will publish region-specific terms (GDPR, CCPA, and other state-law disclosures) before Slaat enters Live mode.

Contact

Privacy questions: support@slaat.app.