privacy, slackbot, bots, karma bot, team management,

Everything you’ve ever wanted to know about Karma bot GDPR compliance

Vlad Sadovenko
Vlad Sadovenko Follow
Sep 11, 2018 · 3 mins read
Share this

According to your data privacy policy, Karma bot collects information that may include but is not limited to Email address, First name and last name, Cookies and Usage Data. What other data do you collect?

We collect the admin’s email (a person who aded Karma bot) — consensually at the beginning of the on-boarding tour. We also get Slack display names, which are not necessarily the users’ actual names. Usage Data — we track that with the usual Google Analytics and Mixpanel: the data is anonymous and indicates general activity within the app. Karma bot does not read any of your channel content. It is not aware of their existence unless you’ve added the bot to a channel via /invite @karmabot command. We do not use Cookies on the landing page. Displaying notice on the internal pages. Generally, all data gets completely wiped out after 90 days after the bot deletion (unless it got added back and re-activated during that period of time).

How does that work?

Slack’s policies are really strict about sharing access to user’s emails. The bot went through the compliance process and got an approval.

How can the users use their rights given by GDPR?

At any moment a user can choose to reset Karma bot account to its original state (deleting all data) or deleting it altogether. All karma requests that Karma bot recorded can be edited, deleted and exported at any moment.

Who is the data Controller?

Karma bot is not a legal entity itself, it is one of the products of Sliday Limited company, established in 2009.

Do you use Cookies on the landing page?

We do not use Cookies on the landing page, however, there is a cookies consent popup message on the pages where we use Cookies.

Can we set data retention rules in the Account or the data retention rules that we apply to Slack are automatically applied to Karma bot as well?

We don’t have an access to Slack’s settings, however, once the user is deleted from Slack, we delete her or his data (user pic, display name, reasons for karma requests etc). This also applies to Slack’s guest users or users with limited-time access to Slack.

If we have an employee who is leaving the company, can we proceed with data erasure on his/her behalf?

If someone leaves the company or in other words is deleted from Slack, Karma bot deletes all personal data for this user. The only thing that remains in our records is the anonymised numbers of karma points for the user. This is made to keep the statistics for the team in order (karma shares, leaderboard). And it looks like this:

Deleted user1 has 17% of karma shares in Q2 2018

Do we have to sign any DPA with Karma bot since we will be disclosing personal data of the users to Karma bot?

We comply with strict Slacks rules for personal data disclosure (otherwise there’s no way to be listed in Slack App Store) and have never signed additional DPA’s with our customers, however, if it is required by your company’s policies, we’re more than happy to do so.

How will you let us know about data breach is there is any?

There’s a Security Contact feature for security issues. Please head over to Settings add your security contact email and Save the changes.

Try Karma bot today! 30-days free trial is available. Already with us? Book a free 1-on-1 Karma bot demo to get the most out of it for your team.

Vlad Sadovenko
Vlad Sadovenko
Written by Vlad Sadovenko
Karma bot CX, PM at Sliday. Drums & surf.