Privacy Policy

Last updated: 5 June 2026

This Privacy Policy explains how the business operating as "Slothbox" ("Slothbox", "we", "us", "our") collects, uses, shares, and protects personal data when you use the Slothbox platform and services (the "Service") and our website, and the rights you have under UK data protection law (the UK GDPR and the Data Protection Act 2018).

For personal data that we control — for example, the data of account holders, billing contacts, website visitors, and people who contact us — we are the "controller", and this notice applies. Where you use the Service to process personal data contained in your own content, we act as a "processor" on your behalf under our Data Processing Agreement (see Section 5), and that agreement, rather than this notice, governs that processing.

1. Who we are and how to contact us

Slothbox is the controller of the personal data described in this notice. You can contact us about privacy, or to exercise any of your rights, at support@slothbox.dev. You can obtain our full business name and an address for service by contacting us at that address.

2. The personal data we collect

Depending on how you use the Service, we may collect:

  • Account and identity data — your name, email address, organisation and role, authentication details (passwords are stored only in hashed form by our identity provider), and multi-factor-authentication status.
  • Billing data — your plan, billing contact, and limited payment metadata. Card details are collected and processed directly by our payment processor (Stripe); we do not store full card numbers.
  • Connected-service data — identifiers and access tokens for third-party services you choose to link (for example, your cloud account, GitHub, or Linear), to the extent needed to operate that integration.
  • Usage and technical data — log data, IP address, device and browser information, the actions you take in the Service, environment ("box") metrics, usage counts, and audit records.
  • Communications — messages you send us (for example, support requests) and records of emails we send you.
  • Cookies and similar technologies — see Section 10.

We do not intentionally collect special-category personal data, and we ask that you do not provide it through the Service except as strictly necessary.

3. How we collect it

We collect personal data directly from you (for example, when you create an account or contact us), automatically as you use the Service and website (for example, log and usage data), and from third parties you connect (for example, OAuth identifiers from a connected service) or that act for us (for example, our payment processor).

4. How we use it, and our lawful bases

We use personal data for the following purposes, relying on the lawful bases in Article 6 of the UK GDPR shown in brackets:

  • To provide, operate, and maintain the Service, manage your account, and provision and manage your environments (performance of our contract with you).
  • To take payment, manage subscriptions, and prevent fraud (performance of our contract; compliance with a legal obligation; and our legitimate interests in being paid and preventing fraud).
  • To secure, monitor, troubleshoot, and improve the Service, including the lightweight usage instrumentation described in our documentation (our legitimate interests in a secure, reliable, and improving Service; this usage data is not used to bill you).
  • To send you service and transactional messages (performance of our contract; our legitimate interests in communicating about the Service).
  • To send you marketing about Slothbox, where you have not opted out or where you have consented (our legitimate interests, or your consent where required); you can opt out at any time.
  • To comply with law and respond to lawful requests (compliance with a legal obligation).

Where we rely on legitimate interests, we have considered and balanced those interests against your rights. You can ask us for more information about that balancing, and you can object (see Section 8).

5. Who we share it with

We share personal data with service providers who process it on our behalf under contract (our "sub-processors"), including: cloud hosting and identity services (Amazon Web Services, including Amazon Cognito); payment processing (Stripe); and transactional email (Resend). Where you connect a third-party integration (for example, GitHub or Linear), we exchange data with that service as needed to operate the integration you have enabled. A current list of our sub-processors is available on request at support@slothbox.dev.

Where we process personal data within your content on your behalf, our Data Processing Agreement (available on request at support@slothbox.dev) governs that processing and identifies the relevant sub-processors.

We do not sell your personal data. We may disclose personal data where required by law, to enforce our terms, or to protect the rights, property, or safety of Slothbox, our customers, or others. If we are involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to this notice.

6. International transfers

We offer the Service internationally. Depending on your location and the cloud regions in use, your personal data may be processed in the United Kingdom, the European Economic Area, the United States, or other countries. Where we offer the Service to individuals in the European Economic Area, the EU General Data Protection Regulation may also apply to that processing.

Some of our providers are located outside the United Kingdom (for example, in the United States). Where we transfer personal data outside the UK, we rely on an appropriate safeguard — for example, UK "adequacy" regulations, the UK International Data Transfer Agreement or the International Data Transfer Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism. You can ask us for more detail using the contact in Section 1.

7. How long we keep it

We keep personal data for as long as your account is active and as needed to provide the Service. After your account is closed, we delete or anonymise personal data within 30 days, except where we need to retain it to comply with a legal obligation, resolve disputes, prevent fraud or abuse, or enforce our agreements (for example, billing records retained for tax purposes).

8. Your rights

Subject to conditions and exemptions under UK data protection law, you have the right to access your personal data; to have it corrected; to have it erased; to restrict or object to our processing; to data portability; and, where we rely on consent, to withdraw that consent at any time. Withdrawing consent does not affect processing carried out before withdrawal.

To exercise any of these rights, contact us at support@slothbox.dev. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk, though we would appreciate the chance to address your concern first.

9. Security

We use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse. No method of transmission or storage is completely secure, however, and you are responsible for safeguarding your own credentials and access (see the Terms of Service).

10. Cookies and similar technologies

We use cookies and similar technologies that are strictly necessary to operate the Service — for example, to keep you signed in. We do not currently use non-essential or analytics cookies. If that changes, we will update this policy and, where required, ask for your consent.

11. Children

The Service is intended for business users and is not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated policy with a new "last updated" date and, where changes are material, take reasonable steps to notify you. Your continued use of the Service after the changes take effect indicates your awareness of the updated policy.