Privacy Policy

What we are

TOMS PROGRAM (Top of Mind Security) is a Slack application operated by dontgetgot. We deliver weekly security awareness stories to your Slack workspace.

What we collect

We collect the minimum data necessary to operate the service:

• Workspace information: Your Slack workspace ID and team name (provided during OAuth installation)
• Bot token: A Slack bot token scoped to post messages and read reactions in channels you select
• Channel selections: The channel IDs you choose for stories and reports
• Emoji reactions: Aggregate emoji reaction counts on stories we post (e.g., "thumbsup: 12")
• Payment information: Stripe customer and subscription IDs (payment details are handled entirely by Stripe)

What we do NOT collect

Privacy is central to how we built this product:

• No individual user data. We do not store, track, or log which users react to stories.
• No message content. We do not read, store, or process any messages in your workspace.
• No user profiles. We do not access names, emails, or profile information of your team members.
• No browsing or usage tracking. We do not track individual user behavior within Slack.

How reactions work

When someone reacts to a story we posted, we record only the story ID, the emoji name, and the company ID. We explicitly discard the user ID. This means we can report "this story got 15 thumbsup reactions" but we have no way of knowing who reacted.

Data storage

• Data is stored in a PostgreSQL database hosted on Supabase
• All connections use SSL/TLS encryption in transit
• Database access is restricted to the application only

Data retention

We retain your data for as long as your subscription is active. If you uninstall the app or cancel your subscription, your data will remain inactive. Contact us at privacy@dontgetgot.co to request full deletion.

Third parties

• Slack: We interact with the Slack API to post messages and receive reaction events
• Stripe: Payment processing is handled entirely by Stripe. We never see your credit card number.
• Supabase: Database hosting

We do not sell, share, or provide your data to any other third parties.

Your rights

You can request to:

• Know what data we store about your workspace
• Delete all data associated with your workspace
• Export your data

Contact privacy@dontgetgot.co for any privacy-related requests.

Changes

We may update this policy from time to time. Material changes will be communicated through the app or by email.