SlabOS
Legal · Document 03
Revision 2026.05 · Public
How We Handle Your Data
Privacy
Policy.
What information we collect, how we use it, who we share it with, and your rights. Written to comply with PIPEDA (Canada), CCPA (California), and analogous US state laws. Plain English first, legal precision second.
This Privacy Policy is in force and governs how SlabOS Inc. collects, uses, and protects your data. © 2026 SlabOS Inc. All rights reserved.
SLBOS-LEGAL-03
1.Introduction and Scope
This Privacy Policy describes how SlabOS Inc. (“SlabOS,” “we,” “us”) collects, uses, and shares information when you visit slabos.org, use the Service, or interact with us. It covers personal information SlabOS controls. Personal information SlabOS processes on a Customer's behalf is governed primarily by the Customer's privacy policy and our Data Processing Agreement (DPA) with that Customer.
2.Information We Collect
2.1 · Account information
Name, business email, company, phone number, role, and any profile information you provide.
2.2 · Customer Data submitted to the Service
Quotes, jobs, accounts, drawings, price lists, slab inventory, contact records, and uploaded files. This is generally controlled by the Customer (the shop) under our DPA.
2.3 · Usage data
Login times, feature usage, IP address, browser type, device characteristics, and session identifiers. Used to operate and improve the Service.
2.4 · Cookies and similar technologies
Essential cookies (authentication, security), functional cookies (preferences), and limited first-party analytics. We do not run third-party advertising trackers on slabos.org.
2.5 · Information from integrations
When you connect Google Maps, QuickBooks, Stripe, or other integrations, we receive only the data necessary to operate the integration. Each integration follows the respective service's terms.
3.How We Use Information
- Provide, operate, secure, and improve the Service.
- Authenticate users and prevent fraud, abuse, and unauthorized access.
- Send transactional and service-related communications (account, billing, security, downtime).
- Provide customer support.
- Analyze aggregated, anonymized usage to improve product reliability and features.
- Comply with legal obligations and respond to lawful requests.
We do not use Customer Data (including pricing or commercial data) to train models or features visible to other customers.
4.Legal Bases for Processing
Where applicable law (such as PIPEDA) requires a legal basis, we process personal information based on: contractual necessity (to provide the Service), legitimate interests (security, fraud prevention, product improvement), consent (where required), and legal obligation.
5.Information Sharing
5.1 · Subprocessors
We share information with subprocessors strictly to deliver the Service. Approved subprocessors are listed in our DPA (Annex B): Railway (hosting), Supabase (database), Telnyx (SMS), Resend (email), Anthropic (AI), OpenAI (embeddings where used), Google Maps (mapping).
5.2 · Service providers
Professional services providers (accountants, lawyers, auditors) bound by written confidentiality obligations.
5.3 · Legal compliance
We may disclose information to comply with a lawful subpoena, court order, or government request, and to enforce our agreements. We push back on overbroad requests and notify Customers of legal process affecting their data where permitted.
5.4 · Business transfers
If SlabOS is involved in a merger, acquisition, or sale of assets, personal information may be transferred subject to the same protections described in this Policy.
5.5 · No sale of personal information
We do not sell personal information to any third party. We do not share personal information for cross-context behavioral advertising.
6.Data Retention
- Customer Data: retained while account is active, then 60 days post-termination for export, then permanent deletion within an additional 60 days (subject to legal-hold requirements).
- Account information: retained up to 7 years for tax, accounting, and legal record-keeping.
- Application logs: 90 days rolling.
- Backups: deleted in line with backup cycle, typically within 60 days of Customer Data deletion.
7.Data Security
We use TLS 1.2 or higher in transit, AES-256 (or equivalent) encryption at rest, bcrypt 12-round password hashing, multi-tenant isolation, role-based access controls, audit logging, encrypted backups, and a documented incident response plan. No security is perfect — if you discover a vulnerability, please report responsibly to security@slabos.org.
8.International Data Transfers
Data is primarily hosted in the United States and Canada. For any transfer outside North America (such as to a subprocessor's global infrastructure), we rely on Standard Contractual Clauses or equivalent safeguards.
9.Your Rights
9.1 · General rights
You may request to access, correct, delete, restrict, or port personal information we control about you, and to object to certain processing. To exercise rights, email privacy@slabos.org. We respond within statutory timelines.
9.2 · Canadian (PIPEDA) rights
Canadian users have the right to access and correct personal information, and to challenge our compliance by contacting our Privacy Officer at privacy@slabos.org. Unresolved complaints may be directed to the Office of the Privacy Commissioner of Canada at priv.gc.ca.
9.3 · California (CCPA) rights
California residents have the right to know what personal information is collected, to delete personal information, to opt out of any “sale” or “sharing” (we do neither), and to non-discrimination for exercising these rights. Submit requests to privacy@slabos.org.
9.4 · Customer-controlled data
For personal information processed on a Customer's behalf, requests should be directed first to the Customer (the shop). We will assist Customers in fulfilling Data Subject requests per our DPA.
10.Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected such information, please contact us and we will delete it.
11.Cookies and Tracking
We use only essential and functional first-party cookies. We do not use third-party advertising trackers, social-media pixels for ad targeting, or behavioral profilers. You may disable cookies in your browser, though some features may not function.
12.Changes to This Policy
We may update this Policy. Material changes will be notified via email (where you have an account) and in-app banner at least 30 days before they take effect. The effective date is shown at the bottom of this document.
13.Pricing & Commercial-Data Confidentiality
Customer Data of the highest sensitivity — including price lists, customer-specific pricing rules, margin data, and supplier discounts — is never shared with other Customers, prospects, partners, or any third party. We do not use Customer pricing data to train models or product features visible to anyone other than that Customer. Tenant isolation is enforced at every layer of the Service.
Plain English: Your prices stay yours. No other shop ever sees your rates, your margins, or your supplier deals. Not through the AI assistant, not through analytics, not through any benchmark, not ever.
14.Contact
Privacy inquiries: privacy@slabos.org
Security disclosure: security@slabos.org
General: David@slabos.org · +1 (778) 837-8834
Postal address: SlabOS Inc., c/o Registered Agent (Delaware Division of Corporations). The current registered agent's address is available on request.
15.Effective Date
This Privacy Policy is effective as of May 2026. The most current version is always available at slabos.org/legal/privacy-policy.html.