slack.com privacy policy — score 72/100 (medium risk)
Last analyzed
Slack Technologies, LLC · slack.com
Report details
Medium risk: Slack collects a wide range of personal and usage data, relying heavily on broad legitimate interests to process it and transfer it globally, though it does provide standard GDPR rights and safeguards like Standard Contractual Clauses.
The Slack Privacy Policy clearly distinguishes between Customer Data (where the employer/Customer is the controller) and Other Information (where Slack is the controller). While this dual-role structure is standard for enterprise SaaS, Slack's reliance on 'legitimate interests' for extensive processing—including predictive modeling, marketing, and international data transfers—raises compliance concerns under GDPR proportionality requirements. The policy is transparent about data sharing with affiliates and third parties, and utilizes Standard Contractual Clauses for EU data transfers, but lacks detail on supplementary transfer measures and specific retention timelines for non-customer data.
Category Assessment
Breakdown of the policy across key compliance areas. Good = strong, fair = mixed, poor = concerning.
- Slack collects a broad array of 'Other Information' including metadata, device details, and third-party data, which goes beyond what is strictly necessary for basic messaging functionality.
- The policy clearly delineates between Customer Data and Other Information, and explicitly lists purposes and legal bases for processing, though some legitimate interest claims are quite broad.
- Data is shared with corporate affiliates, event sponsors, professional advisers, and subprocessors, with a reference to Salesforce's subprocessor list, but lacks granular control for the user over these specific shares.
- Explicitly transfers data outside the EEA to the US and other countries using SCCs, but fails to detail supplementary measures required post-Schrems II to protect against US surveillance.
- The policy explicitly states Slack uses data to 'develop and provide search, learning and productivity tools' and 'predictive models' under legitimate interests, without providing a specific or easy opt-out mechanism for this AI training.
- Clearly outlines GDPR rights including access, deletion, correction, and the right to object to legitimate interests, and provides contact information for the Data Protection Officer and Data Protection Authority.
Key Findings
Notable clauses, issues, or positive practices discovered (critical first)
Broad Reliance on Legitimate Interests for Core Processing
Slack relies heavily on 'legitimate interests' as the legal basis for processing Other Information, including developing predictive models, marketing, and international data transfers. Under GDPR, this requires a strict balancing test, and using it for global transfers or AI development may not withstand regulatory scrutiny if user rights are not adequately preserved.
AI and Predictive Modeling Without Specific Opt-Out
The policy states Slack uses Other Information to 'develop and provide search, learning and productivity tools and additional features' and to make suggestions 'based on historical use and predictive models'. There is no specific opt-out mechanism provided for this AI/model training, only a general right to object to legitimate interests.
Vague Retention Periods for Other Information
While Customer Data retention is controlled by the Customer, Slack states it retains Other Information 'for as long as necessary' or for the 'period of time needed for Slack to pursue legitimate business interests'. This vague timeframe conflicts with GDPR's requirement for strict storage limitation.
Dual Controller/Processor Role Clarity
The policy clearly distinguishes that the Customer is the controller of Customer Data while Slack is the processor, and Slack is the controller of Other Information. This transparency helps users understand they must contact their employer for workspace data requests, and Slack for metadata/usage requests.
Consumer Takeaway
Your employer controls your workspace messages and files, but Slack controls your usage metadata, device info, and profile data, using it for broad purposes like developing AI features and marketing; you can object to some of this processing, but opting out of service communications is not allowed.
Compliance Posture
mixed
EU Transfers
Data is transferred outside the EEA to the US and other countries using Standard Contractual Clauses (SCCs), but the policy lacks explicit detail on supplementary technical measures to protect data from US surveillance, relying instead on a 'legitimate interest' justification for the transfer itself.
Detected Signals
Specific data points and practices identified in the text
Evidence Snippets
Direct quotes from the policy supporting these findings
We rely on our legitimate interests or the legitimate interests of a third party where they are not outweighed by your interests or fundamental rights and freedoms (‘legitimate interests’).
To develop and provide search, learning and productivity tools and additional features... make Services or Third-Party Service suggestions based on historical use and predictive models;
Slack may retain Other Information pertaining to you for as long as necessary for the purposes described in this Privacy Policy... This may include keeping your Other Information after you have deactivated your account for the period of time needed for Slack to pursue legitimate business interests...
Slack uses Standard Contractual Clauses approved by the European Commission... for transfers to, among others, Australia, Canada, India, Japan, South Korea and the United States.
Missing or Unclear
- No specific supplementary measures detailed for US data transfers post-Schrems II
- No specific retention timeframes for Other Information
- No explicit opt-out mechanism for AI/predictive model training
- No detail on automated decision-making or profiling logic beyond predictive models
Questions to Ask
- How does Slack conduct and document the balancing test required for relying on legitimate interests, particularly for using personal data to develop predictive models and AI features?
- What specific technical and organizational supplementary measures does Slack implement alongside Standard Contractual Clauses to protect EU personal data transferred to the United States?
- What is the maximum retention period for 'Other Information' after a user deactivates their account, and how is 'legitimate business interest' strictly defined in this context?
- Can users explicitly opt out of their Other Information being used for 'predictive models' and 'learning tools' without losing core service functionality?
Built by DentroChat