Privacy Policy
Last updated: March 2026
Hear ("we," "us," or "our") provides an AI-powered team health platform that connects to Slack workspaces. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
By using Hear, you agree to the practices described in this policy. If you are an administrator connecting your organization's Slack workspace, you represent that you have the authority to do so.
1. What Data We Collect
Slack Workspace Data
When you connect a Slack workspace, Hear accesses the following through the Slack API:
- Messages — channel messages in public and opted-in private channels. Messages are processed for pattern analysis (sentiment, energy, collaboration signals) and are not stored as raw text for surveillance or review.
- Reactions — emoji reactions on messages, used for recognition mapping and engagement signals.
- User profiles — display names, roles, and team membership, used to organize health metrics by team.
- Channel metadata — channel names and membership lists, used to scope analysis.
Account Data
- Email address and name (from Slack OAuth or manual registration)
- Organization name
- Billing information (processed by our payment provider; we do not store card numbers)
Usage Data
- Pages visited, features used, and session duration
- Browser type, device type, and IP address
2. How We Use Your Data
We process Slack data to provide the core Hear product:
- Sentiment analysis — detecting team mood trends over time
- Team health scoring — aggregated metrics on collaboration, energy, and engagement
- Burnout detection — identifying patterns that indicate risk (after-hours messaging, declining engagement, tone shifts)
- Recognition mapping — surfacing who is giving and receiving positive signals across the team
All analysis is performed on aggregated patterns, not individual message content. Hear is not a surveillance tool. Managers see team-level dashboards, not individual message logs.
3. Sub-Processors & Third-Party Services
Hear uses the following sub-processors to operate the service. Each is bound by a data processing agreement and handles customer data only for the purpose listed.
| Sub-processor | Purpose | Data |
|---|---|---|
| Cloudflare, Inc. (US) | Application hosting, database (D1, primary in EU), CDN, DDoS/WAF, captcha (Turnstile) | All customer data (encrypted) |
| OpenAI, L.L.C. | LLM inference for the Ask Hear Q&A feature | Aggregated team metrics only |
| OpenRouter Inc. | Secondary LLM routing (fallback and model selection) | Aggregated team metrics only |
| Resend | Transactional email (magic links, weekly digests, contact form) | Recipient email, subject, body |
| Polar Software Inc. | Merchant of record, subscription billing, invoicing, tax handling | Billing contact and subscription metadata |
| Stripe, Inc. | Payment processing on behalf of Polar (nested sub-processor) | Payment method; we do not store card numbers |
What we send to LLM providers
Hear uses large language models (via OpenAI and OpenRouter) to power the Ask Hear natural-language Q&A feature, which lets administrators ask questions about their own team's health metrics. When a question is submitted, Hear sends the LLM provider only aggregated team metrics — things like participation counts, reaction totals, sentiment scores averaged across teams or time windows, and derived signals such as burnout or recognition flags. Raw Slack messages are never sent to any LLM provider. Message content is processed on our servers to compute the aggregated signals, and only those aggregates leave our infrastructure.
We do not train models on Slack data
Hear does not use Slack data to train, fine-tune, or otherwise improve large language models — our own or anyone else's. API requests to OpenAI and OpenRouter are made with training opt-out enabled and are processed under their respective zero-retention API terms, which state that API inputs and outputs are not used to train their models and are not stored beyond the processing window.
Email contact — explicit opt-in
Hear reads your email address from your Slack profile via the users:read.email scope for two purposes: (1) to match your Slack account to your Hear account for login and billing, and (2) only if you explicitly opt in, to send you a weekly team-health digest. New users are opted out of email digests by default. When you first visit your dashboard, you will be prompted to opt in; digests are only sent after you click “Yes, send me digests”. Every digest email also includes a one-click unsubscribe link, and you can toggle digests on or off at any time from your dashboard. Hear never uses Slack email addresses for marketing, cold outreach, or any other purpose.
Slack API
Hear accesses Slack workspace data via the official Slack Web API under the permissions you grant during OAuth. Only the scopes you approve are used; you can revoke access at any time from your Slack workspace admin settings, which will immediately and irreversibly cut off Hear's ability to read any data from your workspace.
4. Data Retention
Hear operates on a rolling retention window:
- Processed analytics data is retained for 90 days by default
- Workspace administrators can configure a shorter or longer retention period
- Raw message content is not permanently stored — it is processed in-flight and discarded after analysis
- Account and billing data is retained for the duration of your subscription and as required by law
When you disconnect your Slack workspace or delete your account, all associated analytics data is deleted within 30 days.
5. Cookies
We use minimal cookies:
- Authentication — a JWT token stored as an HTTP-only cookie to keep you logged in
- Analytics — a simple visitor identifier for usage analytics (no third-party ad trackers)
We do not use advertising cookies or sell data to advertisers.
6. Your Rights
You have the right to:
- Export your data — request a copy of all analytics data associated with your workspace
- Delete your data — request full deletion of your account and all associated data
- Disconnect Slack — revoke Hear's access to your workspace at any time from your Slack admin settings or from within Hear
- Access and correction — view and correct your account information
- Object to processing — opt out of specific data processing activities
To exercise any of these rights, email support@hear.dev. We will respond within 30 days.
7. Security & Data Location
We take the security of your data seriously:
- All data is encrypted in transit using TLS 1.2+
- All data is encrypted at rest using AES-256
- Access to production systems is restricted and audit-logged
- We conduct regular security reviews of our infrastructure
Where your data is physically stored
Hear's primary database (Cloudflare D1) and application workers currently run from Cloudflare's European data centers, with the primary database replica located in Warsaw, Poland. Cached asset delivery may be served from any Cloudflare edge location globally to the nearest visitor.
Legal jurisdiction of our host
Our infrastructure provider, Cloudflare, Inc., is a United States corporation headquartered in San Francisco, California. Although your data is physically stored in the European Union, Cloudflare is subject to US law — including the CLOUD Act and FISA Section 702 — which means US authorities could, in principle, compel Cloudflare to produce customer data regardless of where it is physically located. We rely on Cloudflare's published transparency reports and legal process guidelines for any such requests.
For customers in the European Economic Area, we rely on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses to provide a lawful basis for transfers of personal data to a US-headquartered processor. If you require data to be processed only by non-US-jurisdiction providers, Hear is not currently the right fit for your organization.
8. GDPR Compliance
For users in the European Economic Area (EEA), the following applies:
- Legal basis — we process data based on your organization's consent (when connecting Slack) and our legitimate interest in providing the service
- Data processor — Hear acts as a data processor on behalf of your organization (the data controller)
- Data transfers — see Section 7 ("Security & Data Location") for where your data is physically stored and the legal jurisdiction of our hosting provider. We rely on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses as required
- DPA — we offer a Data Processing Agreement to enterprise customers upon request
- Right to lodge a complaint — you may contact your local data protection authority
9. Children's Privacy
Hear is a business product and is not directed at individuals under 16. We do not knowingly collect data from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make significant changes, we will notify workspace administrators by email. Continued use of Hear after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or how we handle your data:
- Email: support@hear.dev
- Web: hear.dev