Cookie Jar
Add

Privacy Policy

Last updated: [DATE]

Cookie Jar (“we”, “our”, “us”) provides a Slack-based access management tool for teams. This Privacy Policy explains what information we collect, how we use it, and your rights.

1. Information We Collect

When you install and use Cookie Jar, we collect limited information necessary to provide the service.

Slack data

We access and store:

  • Slack user IDs and display names
  • Email addresses (via the Slack API, when your workspace permits)
  • Workspace and team identifiers
  • Names of Slack channels you connect to Cookie Jar as “teams”

We may temporarily query (without persistent storage):

  • Channel membership, checked at request time to apply team-based access rules

Usage data

We store:

  • Access requests (who requested what, and when)
  • Approval decisions (who approved or denied access, and any reason given)
  • Tool assignments (who has access to which tools)
  • Audit log entries for grant, revoke, approve, and deny actions
  • Feedback you submit through the in-app feedback widget — your message, email, name, and the page you submitted from

Technical data

  • IP addresses, briefly collected from request headers for abuse prevention and rate limiting. Stored only for the duration of the rate-limit window.
  • Operational logs (errors, performance metrics) used to maintain service reliability. These may include workspace and user identifiers but never message content or credentials.

We do not access or store:

  • Private messages between users
  • Message content outside of direct interactions with Cookie Jar
  • Files or attachments

Cookie Jar is not intended for users under 16. We do not knowingly collect data from children.

2. How We Use Information

We use the information above to:

  • Route access requests to the correct approver
  • Show users which tools they have access to
  • Provide admins with visibility into access across the organization
  • Support onboarding and offboarding workflows
  • Maintain an audit trail of access changes
  • Prevent abuse through rate limiting and anti-spam controls
  • Respond to support requests

3. Data Storage and Retention

  • Data is stored using Google Cloud infrastructure in the United States.
  • We use industry-standard encryption to protect sensitive data at rest and in transit.
  • While Cookie Jar is installed in your workspace, we retain data necessary to provide the service.
  • When you uninstall Cookie Jar, your Slack credentials are deleted immediately. Other data (access records, audit logs, member profiles) is retained until you request deletion.
  • You can request deletion of your workspace data at any time (see Section 5).

4. Sub-Processors and Data Sharing

We do not sell or share your data for advertising or marketing purposes.

We use the following sub-processor to operate the service:

  • Google LLC — cloud hosting, database, authentication, and logging services. Data is processed in Google Cloud, in the United States.

Cookie Jar integrates with Slack and relies on Slack APIs to function. Your use of Slack is subject to Slack’s own Privacy Policy.

5. User Control and Deletion

Workspace admins can:

  • Remove members and revoke their access at any time from the dashboard or via Slack commands
  • Uninstall Cookie Jar from Slack at any time. This immediately removes credentials.
  • Request deletion of all workspace data at any time

To request deletion of your data, contact:

[SUPPORT EMAIL]

6. Security

We take reasonable measures to protect your data, including:

  • Encrypting credentials and sensitive tokens at rest
  • Encrypting all data in transit using TLS
  • Authentication via trusted providers (Google Sign-In)
  • Verifying webhook signatures to prevent request forgery
  • Workspace-level isolation enforced at the database layer
  • Role-based access checks on every administrative operation
  • Rate limiting on public-facing endpoints
  • Limiting data collection to what is necessary to provide the service

7. Cookies and Local Storage

Cookie Jar uses browser local storage (managed by our authentication provider) to keep you signed in to the dashboard. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

8. International Data Transfers

Cookie Jar processes data in the United States. If you are located in the European Economic Area, the United Kingdom, or another region with data-protection laws, your data may be transferred to and processed in the United States. We rely on the standard contractual clauses provided by our infrastructure provider where required.

9. Your Rights

Under data-protection laws such as the GDPR (EU/UK) and CCPA (California), you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request erasure of your data
  • Restrict or object to certain processing
  • Receive a copy of your data in a portable format

To exercise any of these rights, contact [SUPPORT EMAIL].

10. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. For material changes, we will notify workspace admins via the dashboard or email before the change takes effect.

11. Contact

For any questions about this policy or your data:

[SUPPORT EMAIL]