Privacy Policy

Effective date: March 27, 2026

1. Introduction

Nami ("Company," "we," "us," or "our") is committed to protecting the privacy and security of your information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Nami platform, including our web application, Slack integration, and all related services (collectively, the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the practices described herein, you should not use the Service.

This Privacy Policy should be read in conjunction with our Terms of Service.

2. Information We Collect

2.1 Information from Slack

When you install the Nami Slack application, we receive the following information from your Slack workspace through the OAuth 2.0 authorization flow:

  • Slack workspace ID and workspace name
  • Slack user IDs, display names, and email addresses
  • Profile information such as job titles and avatar URLs
  • Bot access tokens necessary to send messages on behalf of the Nami bot

We request the following Slack OAuth scopes: app_mentions:read, chat:write, commands, im:history, im:read, im:write, users:read, users:read.email.

We do not read the content of your Slack channels, group messages, or direct messages beyond those sent directly to the Nami bot as part of the review and feedback workflow.

2.2 Information You Provide

Through your use of the Service, you and your workspace members may submit:

  • Performance review data: Competency ratings, written comments, overall ratings, and calibration grades
  • Survey responses: Answers to 360 surveys, pulse surveys, and eNPS scores
  • Feedback: Continuous peer-to-peer feedback messages, including praise, constructive feedback, and anonymous feedback
  • Goals and OKRs: Goal titles, descriptions, metrics, progress updates, and tracking status
  • Organizational data: Reporting structures, departments, job families, career levels, and competency frameworks
  • Workspace configuration: Company name, logo, rating scale preferences, and template configurations

2.3 Information Collected Automatically

When you access the Service, we automatically collect limited technical information:

  • Performance metrics: Page load times, Core Web Vitals, and interaction timing via Vercel Speed Insights (anonymized, no personal data)
  • Authentication data: Session tokens and cookies necessary to maintain your authenticated session

2.4 Information We Do NOT Collect

  • We do not use tracking cookies, advertising pixels, or behavioral analytics tools (no Google Analytics, no Meta Pixel, no ad trackers)
  • We do not collect IP addresses for profiling or tracking purposes
  • We do not access or read your general Slack messages, channels, or files
  • We do not collect biometric data, geolocation data, or device fingerprints

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 To Provide and Operate the Service

  • Authenticate users and manage workspace access via Slack OAuth
  • Store and display performance reviews, feedback, goals, and survey data
  • Generate analytics dashboards, competency heatmaps, and reports
  • Deliver review prompts, reminders, and notifications via Slack direct messages
  • Process subscription payments through Stripe
  • Enable data exports (CSV) for your reporting needs

3.2 To Maintain and Improve the Service

  • Monitor performance and fix bugs
  • Analyze aggregated, anonymized usage patterns to improve features
  • Ensure the security and integrity of the platform

3.3 To Communicate with You

  • Respond to support inquiries
  • Send important notices about your account or changes to our terms
  • Provide billing-related communications via Stripe

3.4 How We Do NOT Use Your Information

  • We never sell, rent, lease, or trade your personal information or Customer Data to any third party, for any reason, under any circumstances
  • We never use your data for targeted advertising or marketing
  • We never share your identifiable data with other Nami customers
  • We never use your Customer Data to train artificial intelligence or machine learning models without your explicit prior written consent
  • We never profile individual users for purposes unrelated to the Service

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following limited circumstances:

4.1 Service Providers

We share information with third-party service providers who perform services on our behalf. These providers are contractually obligated to protect your information and may only use it to provide their services to us:

Provider           | Purpose                                     | Data Shared
Slack (Salesforce) | Authentication, bot messaging               | User IDs, bot tokens, DM content for reviews
Stripe             | Payment processing                          | Email address, subscription plan, payment status
Supabase (AWS)     | Database hosting, authentication            | All Customer Data (encrypted at rest)
Vercel             | Application hosting, performance monitoring | Anonymized performance metrics only

4.2 Subprocessor Changes

We will maintain an up-to-date list of our subprocessors (third-party service providers who process Customer Data on our behalf) in this Privacy Policy. If we add or replace a subprocessor that processes Customer Data, we will notify workspace administrators via email at least thirty (30) days before the new subprocessor begins processing Customer Data. If you object to a new subprocessor, you may terminate your subscription before the subprocessor begins processing your data.

4.3 Legal Requirements

We may disclose your information if required to do so by law or in good faith belief that such action is necessary to: (a) comply with a legal obligation, court order, or legal process; (b) protect and defend our rights or property; (c) prevent fraud or abuse of the Service; or (d) protect the personal safety of users or the public.

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service before your information becomes subject to a different privacy policy.

5. Data Security

5.1 Technical Safeguards

We implement industry-standard security measures to protect your data:

  • Encryption at rest: All data is encrypted using AES-256 encryption via our infrastructure provider (AWS)
  • Encryption in transit: All data transmission uses TLS 1.2 or higher
  • Tenant isolation: Each workspace's data is isolated at the database level using row-level security (RLS) policies and cross-tenant validation triggers. Users from one workspace cannot access data belonging to another workspace
  • Authentication: Access is managed through Slack OAuth 2.0. JWT-based session tokens are used for request authentication. We do not store passwords
  • Access controls: Role-based access control (Admin, HR, Manager, Employee) limits data visibility within each workspace

5.2 Organizational Safeguards

  • Access to production systems is restricted to authorized personnel only
  • We follow the principle of least privilege for internal access
  • We conduct regular security reviews of our codebase and infrastructure

5.3 Limitations

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data. You acknowledge that the nature of the data stored in the Service (workplace performance assessments, feedback, and goals) does not include highly sensitive categories such as financial account numbers, government IDs, health records, or biometric data.

5.4 Security Incident Response

In the event of a confirmed security incident that results in unauthorized access to, or disclosure of, Customer Data, we will:

  • Promptly investigate the nature and scope of the incident
  • Take reasonable steps to contain and remediate the incident
  • Notify affected workspace administrators without undue delay and, where required by GDPR, within seventy-two (72) hours of becoming aware of the incident
  • Provide a description of the nature of the incident, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the incident
  • Notify relevant data protection authorities and other regulators as required by applicable law
  • Cooperate with affected customers in their own notification and remediation efforts

A security incident does not include unsuccessful attempts such as port scans, denial-of-service attacks that do not result in a breach, unsuccessful login attempts, or similar events that do not compromise the confidentiality, integrity, or availability of Customer Data.

6. Data Retention

6.1 Active Accounts

We retain your Customer Data for as long as your account is active and you maintain an active subscription. Data is stored and accessible throughout the duration of your use of the Service.

6.2 After Termination

Upon cancellation or termination of your subscription, we retain your Customer Data for thirty (30) days to allow you to request an export or reactivate your account. After this 30-day grace period, your Customer Data will be permanently and irreversibly deleted from our production systems.

6.3 Backup Retention

Automated backups that may contain your data are retained for a limited period (up to 30 additional days) for disaster recovery purposes and are then permanently deleted.

6.4 Legal Requirements

We may retain certain information for longer periods where required by law, regulation, or legitimate business interests (such as resolving disputes or enforcing our agreements).

7. Cookies and Tracking

7.1 Essential Cookies Only

We use only strictly necessary cookies required for the Service to function. These include authentication session cookies managed by Supabase. These cookies are essential for maintaining your logged-in state and cannot be disabled while using the Service.

7.2 No Tracking Cookies

We do not use advertising cookies, third-party tracking cookies, social media tracking pixels, or any form of cross-site tracking. We do not participate in ad networks or cookie-based retargeting. We do not build behavioral profiles of our users.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

8.1 General Rights (All Users)

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete personal data
  • Deletion: Request deletion of your personal data, subject to our legal retention obligations
  • Export: Export your data in a portable, machine-readable format (CSV) through the Service dashboard
  • Withdraw consent: Withdraw consent at any time by uninstalling the Slack application. This will not affect the lawfulness of processing based on consent before its withdrawal

8.2 European Economic Area (EEA) and UK Residents

If you are a resident of the EEA or UK, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR, including:

  • Legal basis for processing: We process your data on the basis of contractual necessity (to provide the Service you subscribed to) and legitimate interest (to maintain and improve the Service)
  • Right to restrict processing: You may request we limit how we use your data in certain circumstances
  • Right to object: You may object to processing based on legitimate interests
  • Right to data portability: You may request your data in a structured, commonly used, machine-readable format
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority

8.3 California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

  • Right to know: You have the right to know what personal information we collect, use, and disclose
  • Right to delete: You can request we delete your personal information
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
  • Sale of personal information: We do not sell your personal information and have never sold personal information. We do not share personal information for cross-context behavioral advertising

8.4 Exercising Your Rights

To exercise any of these rights, contact us at privacy@getperf.com. We will respond to your request within thirty (30) days. We may ask you to verify your identity before processing your request. Workspace administrators may also exercise rights on behalf of their organization's users.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our infrastructure providers operate. These countries may have data protection laws that differ from those in your country.

Where we transfer data outside the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms to ensure your data is protected in accordance with applicable law.

10. Children's Privacy

The Service is not directed to individuals under the age of 16, and we do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take immediate steps to delete that information. If you believe we have collected information from a child under 16, please contact us at privacy@getperf.com.

11. Data Processing Agreement

For customers who require a Data Processing Agreement (DPA) for GDPR compliance or other regulatory requirements, we offer a standard DPA that covers our obligations as a data processor. To request a DPA, contact us at legal@getperf.com. Enterprise customers may negotiate custom data processing terms as part of their Enterprise agreement.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email or through a prominent notice within the Service at least thirty (30) days before the changes take effect.

The "Effective date" at the top of this page indicates when this Privacy Policy was last revised. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: