Privacy Policy

Effective date: May 23, 2026

1. Introduction

Nami ("Company," "we," "us," or "our") is the Slack-native performance management platform available at namihr.com. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you or your organization use the Nami web application, our Slack integration, our public website, and any related services (collectively, the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the practices described herein, you must not use the Service.

This Privacy Policy should be read together with our Terms of Service and our Security overview.

2. Controller, Processor, and Roles

For data submitted to the Service through your Slack workspace (such as performance reviews, feedback, goals, survey responses, and directory information), your organization is the data controller and Nami acts as the data processor. We process that information solely on your instructions and as described in this Privacy Policy and our Data Processing Agreement.

Because performance reviews, ratings, calibration grades, and feedback messages relate to employment, your organization (as the employer) is the controller responsible for determining the lawful basis for processing, providing transparency to its employees, and responding to employee data-subject requests in the first instance. Nami will support you in fulfilling those obligations.

For information collected directly by Nami in our role as a business — for example, billing contact details, marketing-website analytics, or correspondence sent to hello@namihr.com — Nami acts as an independent controller.

3. Information We Collect

3.1 Information from Slack

When you install the Nami Slack application or sign in with Slack, Slack provides us with the following information through the OAuth 2.0 authorization flow:

  • Slack workspace ID, name, and domain
  • Slack user IDs, display names, real names, and email addresses
  • Limited profile information such as job title, time zone, and avatar URL
  • A bot access token necessary to operate the Nami bot, and a user token carrying only the sign-in identity scopes listed below
  • Workspace channel list (channel ID, name, and visibility), so that admins can pick channels for announcements or kudos

We request the following Slack OAuth scopes. This list matches the scopes the Nami application actually requests; workspace admins can compare it against the permissions summary Slack displays on the authorization screen when the app is installed.

Bot-token scopes

  • app_mentions:read — receive events when someone @-mentions the Nami bot
  • channels:read — list public channels so admins can pick one for announcements or kudos. We do not read channel messages.
  • chat:write — send review prompts, survey questions, kudos posts, and reminders as the Nami bot
  • commands — register and handle Nami's slash commands (e.g. /kudos)
  • im:history / im:read / im:write — open, read, and send messages in direct-message conversations between the user and the Nami bot. Used exclusively to deliver review/survey prompts and accept the user's replies. We do not read DMs between two human users.
  • reactions:read — receive emoji-reaction events in conversations the Nami bot is a member of. Nami acts only on reactions to its own messages (used for one-tap survey responses).
  • team:read — retrieve workspace name, icon, and domain so we can display them in the dashboard
  • users:read / users:read.email — read the directory of workspace members (name, email, title, avatar, deactivated status) to build the org directory and assign reviews

User-token scopes (sign-in only)

  • identity.basic — confirm the signing-in user's Slack identity and workspace
  • identity.email — retrieve the signing-in user's email address to match them to a directory entry

We do not request, read, or store the content of your workspace's public channels, private channels, group messages, or direct messages between human users. The only Slack messages we read are those sent to the Nami bot in a direct-message conversation, as part of the review or feedback workflow.

3.2 Information You Provide Through the Service

Through your use of the Service, you and your workspace members may submit the following types of information, all of which constitute Customer Data:

  • Performance review data: competency ratings, written comments, overall ratings, calibration grades, and 9-box positions, including private calibration notes visible only to HR and Admins
  • Survey responses: answers to 360 surveys, pulse surveys, and eNPS scores, including responses you choose to submit anonymously
  • Continuous feedback: peer-to-peer kudos, private feedback, and anonymous feedback messages
  • Goals and OKRs: goal titles, descriptions, metrics, key results, progress updates, status, and goal-level audit entries
  • Organizational data: reporting structures, departments, functions, job families, career levels, and competency frameworks
  • Workspace configuration: company name, logo URL, rating scale preferences, template configurations, and onboarding choices
  • Audit-log entries: records of cycle status transitions, calibration grade changes, grade releases, user role changes, and review assignment changes
  • Billing contact information: the admin email associated with your Stripe subscription
  • Roadmap voting and suggestions: if you use the public roadmap page, we store a random browser identifier for vote deduplication, and any feature suggestion text or optional email you submit

The Service is not intended to store special categories of data, including data concerning health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, sex life, sexual orientation, criminal convictions, government-issued identifiers, or financial account numbers. If your users type such information into free-text fields, your organization does so at its own risk and assumes responsibility for it under applicable law.

3.3 Information Collected Automatically

When you access the Service we automatically collect limited technical information:

  • Authentication state: session tokens and cookies issued by Supabase Auth to keep you signed in
  • Application logs: server-side request logs containing timestamps, request paths, response status codes, error messages, workspace and user identifiers, and minimal context needed to diagnose issues. Logs are retained for up to 30 days unless required for security investigation.
  • Performance metrics: Core Web Vitals and page-load timing collected by Vercel Speed Insights (no personal identifiers; sampled)
  • Site analytics: page-view counts and referrer information collected by Vercel Analytics. Vercel Analytics is cookieless by design and does not build cross-site profiles or track individual users.
  • Conversion tracking on marketing pages: our public marketing pages (homepage, pricing, roadmap) load Google Ads gtag.js (account ID AW-18179782629) so we can measure which advertising campaigns drive sign-ups. This loads on the marketing surface only; it does not run on the authenticated dashboard. You can opt out of Google's personalized advertising via Google Ads Settings or by using a browser tracking-protection setting.

3.4 Information We Do Not Collect

  • We do not use third-party behavioural analytics (no Meta Pixel, no TikTok pixel, no LinkedIn Insight Tag, no Mixpanel, Amplitude, Segment, PostHog, FullStory, or Hotjar)
  • We do not collect IP addresses for profiling or for building user-level behavioural records
  • We do not collect biometric data, precise geolocation, or device fingerprints
  • We do not read messages from your Slack channels, private channels, or direct messages between human users
  • We do not accept file uploads. Avatars are URLs supplied by Slack; CSV team imports are parsed in your browser and only the parsed rows are submitted

4. How We Use Information

4.1 To Provide and Operate the Service

  • Authenticate users and manage workspace access via Slack OAuth
  • Store and display reviews, feedback, goals, and survey data
  • Generate analytics dashboards, competency heatmaps, and ranking reports
  • Deliver review prompts, survey questions, kudos posts, and reminders via Slack direct messages and slash commands
  • Process subscription payments through Stripe
  • Enable CSV exports for reviews, goals, and analytics
  • Enforce role-based access control (Admin, HR, Manager, Employee)

4.2 To Maintain, Secure, and Improve the Service

  • Monitor application health, performance, and error rates
  • Detect, investigate, and respond to abuse, fraud, or security incidents
  • Debug and fix issues reported by customers or surfaced by our logs
  • Analyze aggregated and de-identified usage patterns to improve features and inform our product roadmap

4.3 To Communicate With You

  • Respond to support, sales, billing, privacy, and security inquiries
  • Send transactional notices about your account, our terms, or material changes to our subprocessor list
  • Send billing communications via Stripe
  • Reply to feature suggestions submitted through the public roadmap page

4.4 To Meet Legal Obligations

  • Comply with applicable laws, regulations, court orders, valid legal process, and lawful requests from public authorities
  • Enforce our Terms of Service, prevent abuse, and protect the rights, property, and safety of Nami, our customers, and third parties

4.5 How We Do Not Use Your Information

  • We never sell, rent, lease, or trade Customer Data or personal information to any third party, for any reason, under any circumstances
  • We never use Customer Data for advertising, behavioral retargeting, or marketing to your employees
  • We never share identifiable Customer Data with other Nami customers
  • We never use Customer Data to train artificial intelligence or machine-learning models without the workspace administrator's explicit prior written consent. The Service does not currently include any AI features that process Customer Data.
  • We never make employment decisions on your behalf. The Service is a tool that presents information for your decision-makers to use

5. Legal Bases for Processing (EEA, UK, Switzerland)

Where the GDPR, UK GDPR, or Swiss FADP applies, we rely on the following legal bases:

  • Performance of a contract — to deliver the Service to your organization under our Terms of Service
  • Legitimate interests — to secure the Service, prevent fraud, operate billing and support, communicate about the Service, and improve features in ways consistent with users' reasonable expectations
  • Legal obligation — to comply with tax, accounting, and legal requests
  • Consent — where required by law, for example for non-essential cookies on our marketing pages; you can withdraw consent at any time without affecting the lawfulness of prior processing

6. Sharing and Disclosure

We do not sell personal information. We share information only in the limited circumstances described below.

6.1 Subprocessors

We share information with the following third-party service providers ("subprocessors") who perform services on our behalf. Each is contractually bound to protect your information and may only use it to provide their services to us.

  • Supabase (on AWS)
    Purpose: Database hosting, authentication, edge functions
    Region: European Union (eu-west-1, Ireland)
    Data shared: All Customer Data (encrypted at rest)
  • Vercel
    Purpose: Application hosting, edge delivery, web analytics, performance monitoring
    Region: Global edge; control plane in the United States
    Data shared: Request metadata, anonymized analytics, server logs
  • Slack (Salesforce)
    Purpose: OAuth, bot messaging, slash commands, modal delivery
    Region: United States
    Data shared: Slack user IDs, bot tokens, DM content with the Nami bot, review/survey prompt text
  • Stripe
    Purpose: Subscription billing, payment method storage, invoice delivery
    Region: United States, with regional data centers
    Data shared: Billing email, subscription plan, seat count, payment status. We do not see or store card numbers.
  • Google (Google Ads)
    Purpose: Advertising conversion measurement on marketing pages only (not on the authenticated dashboard)
    Region: United States
    Data shared: Browser identifiers, page URL, IP address as required by Google's tag

6.2 Subprocessor Changes

We will maintain the subprocessor list above. If we add or replace a subprocessor that processes Customer Data, we will notify workspace administrators at least thirty (30) days before the new subprocessor begins processing Customer Data, via email to the workspace admin and an update to this page. You may object to a proposed subprocessor by terminating your subscription before that subprocessor begins processing your data; no other remedy is available for subprocessor changes unless agreed in a separate enterprise contract.

6.3 Within Your Workspace

By design, the Service shares information within your workspace according to role. Admins and HR users can view org-wide review and calibration data; managers can view their direct reports' data; employees see what is shared with them. Anonymous survey responses and anonymous feedback are aggregated; we do not surface the identity of the anonymous author in the dashboard or audit log. You are responsible for configuring roles appropriately and for the appropriateness of intra-workspace data flows.

6.4 Legal and Safety Disclosures

We may disclose information if we believe in good faith that disclosure is required by law or is necessary to: (a) comply with a legal obligation, court order, subpoena, or other legal process; (b) protect and defend our rights, property, or operations; (c) prevent or investigate fraud, abuse, or security incidents; (d) protect the personal safety of users or the public; or (e) respond to a lawful government request. Where permitted, we will use commercially reasonable efforts to notify the affected workspace administrator before disclosing Customer Data in response to a legal request.

6.5 Business Transfers

In connection with a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of all or substantially all of our assets, or transition of service to another provider, information may be transferred to the acquirer or successor. We will notify workspace administrators via email or a prominent in-app notice before any such transfer that would change how personal information is processed, and will require any acquirer to honor the commitments in this Privacy Policy or seek your consent to changes.

7. Data Security

We implement administrative, technical, and organizational measures designed to protect Customer Data. A more detailed description is available on our Security page. In summary:

  • Encryption at rest: AES-256 at the storage layer for database contents and automated backups
  • Encryption in transit: TLS 1.2 or higher for all traffic; HTTP is redirected to HTTPS
  • Tenant isolation: PostgreSQL row-level security policies and cross-tenant validation triggers enforced inside the database engine
  • Authentication: Slack OAuth 2.0; no Nami-issued passwords; MFA inherited from your Slack workspace
  • Access controls: role-based access inside the workspace; least privilege for internal access to production systems
  • Audit log: sensitive state changes are recorded to an in-database audit log scoped to your workspace
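To illustrate the tenant-isolation measures listed above, the following is an added example of the pattern, not Nami's actual schema, policy, or trigger code. The table names, the workspace_id column, and the JWT claim name are assumptions; the only real conventions used are PostgreSQL row-level security and the request.jwt.claims setting that Supabase Auth exposes to SQL.

```sql
-- Added illustration (not Nami's schema). Assumed tables: directory_members
-- and reviews, each carrying the workspace_id of the tenant that owns the row.
create table directory_members (
  workspace_id  text not null,
  user_id       text not null,
  primary key (workspace_id, user_id)
);

create table reviews (
  id            bigserial primary key,
  workspace_id  text not null,
  reviewee_id   text not null,
  rating        int,
  body          text
);

-- Resolve the caller's tenant from the JWT that Supabase Auth attaches to
-- each request. The claim name "workspace_id" is an assumption.
create or replace function current_workspace_id() returns text
language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'workspace_id'
$$;

-- Row-level security: every read and write is filtered to the caller's
-- workspace inside the database engine. FORCE applies it to the owner too.
alter table reviews enable row level security;
alter table reviews force row level security;
alter table directory_members enable row level security;
alter table directory_members force row level security;

create policy members_tenant_isolation on directory_members
  for all
  using (workspace_id = current_workspace_id())
  with check (workspace_id = current_workspace_id());

create policy reviews_tenant_isolation on reviews
  for all
  using (workspace_id = current_workspace_id())
  with check (workspace_id = current_workspace_id());

-- Cross-tenant validation trigger: rejects a review whose reviewee is not a
-- member of the same workspace, so a row cannot point into another tenant
-- even when written by a role that bypasses RLS.
create or replace function reviews_check_tenant() returns trigger
language plpgsql as $$
begin
  if not exists (
    select 1 from directory_members m
    where m.user_id = new.reviewee_id
      and m.workspace_id = new.workspace_id
  ) then
    raise exception 'reviewee % is not a member of workspace %',
      new.reviewee_id, new.workspace_id;
  end if;
  return new;
end
$$;

create trigger reviews_tenant_check
  before insert or update on reviews
  for each row execute function reviews_check_tenant();
```

Two points of this pattern matter for the assurances above. Row-level security is skipped by superusers and by roles marked BYPASSRLS (in Supabase, the service role used by trusted server-side code), so the policies alone do not constrain that code path; a BEFORE trigger fires regardless of role, which is why a validation trigger is a useful second control. And because the policy reads the tenant from the token rather than from a parameter the application passes, an application bug that forgets a WHERE clause still returns only the caller's workspace.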

No method of electronic transmission or storage is one hundred percent secure. We cannot guarantee absolute security. You are responsible for using strong Slack workspace controls (MFA, SSO where available, session length, idle timeout) and for promptly notifying us if you suspect compromise of your account.

8. Data Retention

8.1 Active Workspaces

We retain Customer Data for as long as your workspace is active and you maintain a subscription or free trial. Reviews, feedback, goals, surveys, and audit-log entries are stored for the life of the workspace so historical performance information remains available to authorized users.

8.2 After Termination

Upon cancellation or termination, we retain Customer Data for thirty (30) days to allow you to request an export or reactivate your subscription. After this thirty (30) day grace period, Customer Data will be permanently and irreversibly deleted from our production systems, except for backup copies, application logs, and billing and compliance records, which are retained as described in sections 8.3, 8.4, and 8.5.

8.3 Backups

Automated backups taken for disaster recovery purposes are retained for up to thirty (30) days from the date each backup was taken and are then permanently deleted by our infrastructure provider's rolling deletion schedule. As a result, Customer Data deleted from production may persist in backups for up to thirty (30) days after deletion; backups are not used to restore individual workspaces after termination.

8.4 Application Logs

Server-side request and error logs that may incidentally contain identifiers (workspace ID, user ID, request path) are retained for up to thirty (30) days for operations and security purposes, then deleted on a rolling basis.

8.5 Billing and Compliance Records

We retain billing records, contracts, tax-related documents, and other records required by applicable law (such as anti-fraud, tax, accounting, or anti-money laundering laws) for the period required by those laws, typically up to seven (7) years.

9. International Data Transfers

Our primary database is hosted in the European Union (Ireland) on Supabase infrastructure running on AWS. Some of our subprocessors — including Vercel, Slack, Stripe, and Google — operate globally and may process limited categories of personal information in the United States or other jurisdictions.

Where we transfer personal information of EEA, UK, or Swiss residents outside the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum or Swiss equivalents, where applicable) as the transfer mechanism. Copies of the relevant clauses are available on request via hello@namihr.com.

Some destination countries may have data-protection laws that differ from those in your country. We use Standard Contractual Clauses and supplementary technical measures (such as encryption in transit and at rest) intended to provide a level of protection essentially equivalent to that required under EU law.

10. Your Rights

Depending on where you live, you may have the rights described below regarding your personal information. Because your organization is the controller of Customer Data processed in the Service, we will typically forward employee-level requests to your workspace administrator and support them in fulfilling the request.

10.1 General Rights

  • Access: request a copy of the personal information we hold about you
  • Correction: request correction of inaccurate or incomplete personal information
  • Deletion: request deletion, subject to our legal retention obligations
  • Export: export reviews, goals, and analytics data in CSV format from the dashboard, or request a broader export via email
  • Withdraw consent: withdraw consent at any time by uninstalling the Nami Slack application or cancelling your subscription, without affecting the lawfulness of processing carried out before withdrawal

10.2 EEA, UK, and Swiss Residents

If you are in the EEA, UK, or Switzerland, you have additional rights under the GDPR, UK GDPR, and Swiss FADP, including: the right to restrict processing, the right to object to processing based on legitimate interests, the right to data portability, the right not to be subject to a decision based solely on automated processing (Nami does not make solely-automated decisions about individuals), and the right to lodge a complaint with your local data protection authority.

10.3 California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know: what personal information we collect, the sources, purposes, and categories of third parties with whom we share it
  • Right to delete: request deletion of personal information, subject to legal exceptions
  • Right to correct: request correction of inaccurate personal information
  • Right to non-discrimination: we will not discriminate against you for exercising your privacy rights
  • Right to opt out of sale or sharing: we do not sell personal information and have never sold personal information in the prior 12 months. We do not "share" personal information for cross-context behavioral advertising as that term is defined under the CPRA.
  • Sensitive Personal Information (SPI): we do not knowingly collect SPI from California residents. If your users voluntarily submit SPI into free-text fields, we use it only as necessary to provide the Service and not for inferring characteristics, and we do not use or disclose it for purposes other than those permitted under Cal. Civ. Code § 1798.121(a).

10.4 Other Jurisdictions

Residents of jurisdictions with comparable laws — including Brazil (LGPD), Canada (PIPEDA and Quebec Law 25), Australia (Privacy Act), and certain U.S. states including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA) — may exercise rights similar to those described above by contacting us at hello@namihr.com.

10.5 Exercising Your Rights

To exercise any of these rights, contact us at hello@namihr.com. We will respond within thirty (30) days, or within the period required by the applicable law (we may extend this period where permitted, with notice). We may ask you to verify your identity before processing your request. If you submit a request about personal information that your employer controls, we may need to direct you to your employer or coordinate with them. You may also designate an authorized agent to act on your behalf as permitted by applicable law.

11. Cookies and Tracking

11.1 Strictly Necessary Cookies

The authenticated dashboard uses only strictly necessary cookies required for sign-in, session management, and security. These cookies are essential to provide the Service and cannot be disabled while using the dashboard.

11.2 Marketing-Page Cookies

Our public marketing pages load Vercel Analytics and Vercel Speed Insights, both of which are cookieless, and the Google Ads conversion tag, which may set cookies, as described in section 3.3. Where required by law, we will collect consent before loading non-essential cookies.

11.3 Do Not Track

Our Service does not respond to Do Not Track (DNT) signals, because there is no industry consensus on how DNT should be interpreted. We honor Global Privacy Control (GPC) signals where required by applicable law.

11.4 No Cross-Site Profiling

We do not participate in advertising networks that build cross-site behavioral profiles of our users. The only third-party tag we load is Google Ads conversion tracking, and only on our public marketing pages.

12. Children's Privacy

The Service is intended for use by businesses and is not directed to children. We do not knowingly collect personal information from individuals under sixteen (16) years of age (or the higher age required by your local law). If you believe a child has provided personal information to us, please contact hello@namihr.com and we will take steps to delete it.

13. Data Processing Agreement

For customers who require a Data Processing Agreement (DPA) — for GDPR, UK GDPR, Swiss FADP, LGPD, or comparable requirements — we offer a standard DPA incorporating the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum where relevant. To request a DPA, contact hello@namihr.com. Enterprise customers may negotiate custom data processing terms as part of an enterprise agreement.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes — for example, the addition of a new subprocessor that processes Customer Data, a new category of data collected, or a new permitted use — we will notify workspace administrators by email or through a prominent notice within the Service at least thirty (30) days before the changes take effect. Non-material clarifications may be made without advance notice.

The "Effective date" at the top of this page indicates when this Privacy Policy was last revised. Continued use of the Service after the effective date of any changes constitutes acceptance of the revised Policy.

Contact Us

For privacy questions, data-subject requests, DPA requests, or to escalate a concern that we have not addressed, please contact us at hello@namihr.com.

If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority.