Privacy Policy

ShakaFlow is operated by ShakaCode LLC. The Service is delivered as a Slack application and a companion web dashboard at app.shakaflow.com. ShakaCode is the data controller for personal data processed through the Service.

You can contact us at support@shakaflow.com for any questions about this policy or your data.

ShakaFlow collects information from the integrations you choose to connect. We only collect what is necessary to provide the features described on our landing page. The categories below describe the data we receive from each source, even if a particular feature does not actively use all of it.

2.1 Account information

• Your name, email address, and profile picture as provided by Google OAuth when you sign in to the web dashboard.
• Workspace and tenant identifiers used to scope your access to the Service.

2.2 Slack workspace data

• Workspace metadata (team ID, name, icon).
• Channel metadata for channels the bot has been added to (ID, name, topic, members).
• User profiles for members of installed workspaces (Slack ID, display name, real name, email, timezone, role, avatar).
• Messages, threads, reactions, and files in channels and direct messages where the bot has been explicitly invited and that are needed to deliver requested features (e.g. 1:1 summaries, check-ins).
• Slack OAuth bot tokens, encrypted at rest, used to make API calls on the workspace's behalf.
• Custom emoji metadata when the emoji read scope is granted.

2.3 Source control data (GitHub)

• Repository metadata (name, default branch, visibility) for repositories the GitHub App is installed on.
• Pull request data (title, description, status, reviewers, comments, labels, files changed, line counts).
• Commit metadata (SHA, author, message, timestamp).
• Code review data (approvals, comments, change requests).
• GitHub user information for members of connected organizations (login, name, email if public, avatar).

2.4 Project management data (Shortcut, Jira, Linear)

• Story, issue, epic, and project metadata (titles, descriptions, statuses, assignees, labels, custom fields).
• User information for members of connected projects.
• Comments and activity history needed for status tracking.
• API tokens for the connected workspace, encrypted at rest.

2.5 Time tracking data (Toggl, Jira)

• Time entries (start, stop, duration, description, project, tags, billable status).
• Project and client metadata.
• User information for members of the connected workspace.
• API tokens for the connected workspace, encrypted at rest.

2.6 Engagement data (15Five)

• Pulse survey questions and answers.
• High-five recognition records.
• User information for members of the connected company.
• API tokens for the connected workspace, encrypted at rest.

2.7 Calendar data (Google Calendar, Microsoft Calendar)

• Calendar metadata (calendar IDs, names, time zones).
• Event titles, attendees, start and end times, and meeting links for events relevant to scheduling and 1:1 features.
• OAuth tokens for the connected calendar account, encrypted at rest.

2.8 AI provider configuration

• If you choose to bring your own AI provider key (Anthropic, OpenAI, or Gemini), the key is stored encrypted at rest on your tenant record. ShakaCode does not log or share API keys you provide.
• Prompts sent on your behalf may include workspace data described above. We send those prompts to the provider you have configured. We do not train any model on your data.

2.9 Technical and usage data

• IP address, user agent, and request metadata in server logs (retained up to 30 days for debugging and abuse prevention).
• Error reports including stack traces and request context, sent to our error monitoring provider (Honeybadger).
• A session cookie used to keep you signed in to the web dashboard.

We use the data above to:

• Provide the features described on our landing page (summaries, check-ins, metrics, recognition, AI workflows).
• Send notifications and reminders in Slack on behalf of your workspace.
• Generate AI responses using the provider you have configured.
• Investigate and fix bugs, prevent abuse, and ensure security.
• Communicate with workspace administrators about Service changes and incidents.

We do not sell your data. We do not use your data for advertising. We do not train any AI model on your data.

We share your data only with the following service providers ("subprocessors"), each of which is bound by a data processing agreement and processes data on our behalf to deliver the Service:

• Control Plane — application hosting, database, and infrastructure.
• Honeybadger — error monitoring and exception tracking.
• Anthropic, OpenAI, Google (Gemini) — AI model providers. Prompts are sent to whichever provider you have configured. If you have provided your own API key, requests are billed to your account and subject to that provider's terms. If you have not provided a key, requests use a ShakaCode-managed key as a fallback.
• Google — Google OAuth for sign-in and Google Calendar API access (only when connected).
• Microsoft — Microsoft Calendar API access (only when connected).
• Slack, GitHub, Toggl, Jira, Shortcut, Linear, 15Five — third-party platforms whose data you have explicitly connected to ShakaFlow. We act as a processor of the data they hold on your behalf.

We may add or replace subprocessors over time. Material changes will be reflected in this policy.

Several ShakaFlow features use large language models (LLMs) to generate summaries, coaching guidance, risk briefings, and other text. These prompts may include data drawn from the integrations you have connected: pull request titles and descriptions, Slack messages, check-in answers, time entries, calendar events, and similar context.

ShakaFlow supports three AI providers: Anthropic (Claude), OpenAI, and Google (Gemini). We strongly encourage you to provide your own API key ("BYOK") so that prompts are sent directly under your account and subject to your contractual relationship with the provider. When BYOK is configured, ShakaCode does not retain prompt content beyond what is needed to deliver the response back to your Slack workspace.

If no BYOK key is configured, ShakaFlow falls back to a ShakaCode-managed API key. In that case, prompts pass through ShakaCode infrastructure and the chosen provider's infrastructure under the provider's standard terms. We recommend BYOK for any data-sensitive deployment.

We do not train any model on your data, and our subprocessor agreements with AI providers prohibit them from using your prompts to train their models.

• Your data is stored in PostgreSQL databases hosted by Control Plane.
• All API tokens, OAuth tokens, and AI provider keys are encrypted at rest using ActiveRecord Encryption with keys managed by ShakaCode.
• All traffic to and from the Service uses TLS 1.2 or higher.
• Access to production systems is restricted to authorized ShakaCode personnel and protected by multi-factor authentication.
• We log access to production systems and review access regularly.

No system is perfectly secure. If we discover a security incident affecting your data, we will notify affected workspace administrators promptly.

We retain workspace data for as long as the Service is installed in your Slack workspace. When you uninstall ShakaFlow from Slack, we mark your workspace as inactive but do not automatically delete the data, so that you can reinstall without losing history.

You can request permanent deletion of all data associated with your workspace at any time by emailing support@shakaflow.com from a workspace administrator address. We will permanently delete your data within seven (7) business days of receiving the request and confirm in writing once complete.

Server logs containing technical metadata (IP address, user agent) are retained for up to 30 days. Error reports retained by our error monitoring provider follow that provider's retention policy (currently 30 days).

Depending on where you live, you may have rights under data protection laws such as the GDPR (European Economic Area, United Kingdom) and the CCPA (California). These rights may include:

• The right to access the personal data we hold about you.
• The right to receive a portable copy of your data.
• The right to correct inaccurate data.
• The right to request deletion of your data.
• The right to object to or restrict certain processing.
• The right to lodge a complaint with a data protection authority.

To exercise any of these rights, email support@shakaflow.com. We will respond within 30 days. If we cannot verify your identity (for example, because you are not the workspace administrator), we may need additional information before processing your request.

ShakaFlow uses a single first-party session cookie on the web dashboard at app.shakaflow.com to keep you signed in. We do not use advertising cookies, third-party tracking cookies, or analytics cookies. Our marketing pages (shakaflow.com) do not set any cookies and do not load any third-party resources: fonts, scripts, and images are all served from our own domain.

ShakaCode is based in the United States. Our infrastructure and subprocessors may process data in the United States, the European Union, or other regions where they operate. By using the Service, you consent to your data being transferred to and processed in these regions. Where required by law, we rely on Standard Contractual Clauses or other approved transfer mechanisms.

ShakaFlow is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at support@shakaflow.com and we will delete it.

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and notify workspace administrators by email or in-Slack message at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

For any questions, requests, or complaints regarding this Privacy Policy or your data, please contact:

ShakaCode LLC
Email: support@shakaflow.com