OpenSay's Privacy Policy

TL;DR

• We store the minimal user and team information required to operate our bot effectively.
• The identity of authors in anonymous interactions (such as messages, replies, whispers, upvotes, polls, or votes) is not stored, ensuring we cannot identify who sent what. For more details, read our blog post.
• We collect per-team usage statistics to better understand and improve bot usage.

Your privacy is important to us. It is OpenSay's policy to respect your privacy regarding any information we may collect from you across our website, https://opensay.co, and other sites we own and operate.

This privacy policy is based on the premise of keeping most of the user experience within Chat Platforms (Slack, Google Chat, Microsoft Teams), and as such, we aim to store the minimum amount of data required to run our service and to collect analytics to improve it.

OpenSay is operated by Heterodox Ltd., incorporated in Israel.

1. Information we collect

Log data

When you visit our website, our servers may automatically log the standard data provided by your web browser. It may include your computer’s Internet Protocol (IP) address, your browser type and version, the pages you visit, the time and date of your visit, the time spent on each page, and other details.

Personal information

Personal information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may ask for, or receive from a Chat Platform after your approval, the following personal information:

• Name (first name and last name)
• Email
• Username

When using one of our paid offerings, we may also ask for:

• Credit card information (processed directly by our payments provider in a PCI Data Security Standard compliant manner)
• Billing address
• VAT identification number

Retention Policy

Data that is required for the functioning of the app is stored as long as you continue to use our services. Two weeks after the app is uninstalled, all your remaining team data is deleted. Data collected as part of Google Analytics is automatically deleted within 38 months of collection. Your user account (including an email address we may store directly) is automatically deleted within 24 months of inactivity.

Business data

Business data refers to data that accumulates over the normal course of operation on our platform. This may include transaction records, stored files, user profiles, analytics data and other metrics, as well as other types of information, created or generated, as users interact with our services. We may receive information about you through the Chat Platform and from third parties such as our business partners, suppliers, sub-contractors, analytics providers and search information providers.

Special Categories of Data

We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

Children’s Privacy

Our services are not intended for children under the age of 13 (or 16 in certain jurisdictions where higher age limits apply under applicable law). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will delete such information from our records.

2. Legal bases for processing

We will only collect and use your personal information when we have a legal basis for doing so. In which case, we will collect personal information from you lawfully, fairly and in a transparent manner. If you consent to our use of information about you for a specific purpose, you have the right to change your mind at any time (but this will not affect any processing that has already taken place). Where required, we enter into a Data Processing Addendum (DPA) with our customers to ensure compliance with data protection laws.

3. Confidentiality and Ownership of Your Data

All content and personal information you provide to us or that we collect is confidential and will be used only for the purpose of providing you with our services. We will not sell, lease or share your personal information with any third parties, without your consent, unless this is required by law or as stated in this Privacy Policy. You retain ownership of all content you submit to us. We will not use your content for any purpose other than to provide the services to you, without your consent.

4. Collection and use of information

We may collect, hold, use and disclose information for the following purposes:

• to provide you with our platform's core features;
• to process any transactional or ongoing payments;
• to contact and communicate with you;
• for internal record keeping and administrative purposes.

Data from Chat Platforms

We integrate tightly with Chat Platforms (Slack, Google Chat, Microsoft Teams), and almost all data collected by us originates from the Chat Platform. The data that you instruct Chat Platform to pass to OpenSay is stored. For Slack, the specific OAuth permission scopes we request are detailed on our Permission Scopes page.

Anonymous Interactions

The identity of an author of an Anonymous Interaction (anonymous message, reply, poll or vote) is not stored. In cases where a per-user state needs to be saved, such as an Anonymous Vote (the act of responding to an Anonymous Poll), the identity of the anonymous interaction author is irreversibly cryptographically blinded per such Anonymous Interaction. These measures are used to protect identities even in the (highly unlikely) event of a database breach. The identity of an author of any anonymous interaction (message, reply, whisper, upvote, poll or vote) is not stored, and therefore we simply don't know who sent what.

Access to Chat Platform Data

By design, we have very little access to the data in your Chat Platform workspace. Specifically, we cannot view any messages or activities in any of your channels or conversations, nor do we have access to any of your files. In addition to team/workspace, channel and user metadata, we only receive data when a user on your workspace actively engages or interacts with us, which could be in the form of authoring an anonymous message, reply, poll or a vote.

5. Disclosure of personal information to third parties

We may disclose personal information to third party service providers for the purpose of enabling them to provide their services, including IT service providers, data storage, hosting and server providers, ad networks, analytics, error loggers, debt collectors, maintenance or problem-solving providers, marketing or advertising providers, professional advisors and payment systems operators. As part of our vendor due diligence, we verify that our key U.S. sub-processors are certified under the EU-U.S. Data Privacy Framework (DPF). We maintain a dedicated page that lists sub-processors that may access personal information.

6. International transfers of personal information

The personal information we collect is stored and processed in Israel and the United States, or where we or our partners, affiliates, and third-party providers maintain facilities.

We are committed to ensuring that any transfer of personal information from the European Economic Area (EEA) to countries outside the EEA is protected by robust, legally-recognized safeguards under the General Data Protection Regulation (GDPR).

Transfers to Israel

The transfer of personal data from the EEA to OpenSay in Israel is based on a European Commission Adequacy Decision. This decision confirms that the State of Israel provides a level of data protection that is "essentially equivalent" to that of the EU. This adequacy status was formally reviewed and reaffirmed by the Commission in 2024 and evaluated again in 2025, with the decision to keep it in place.

Onward Transfers to the United States

For services provided by our sub-processors based in the United States, which does not have a general adequacy decision, we utilize the following safeguards:

Standard Contractual Clauses (SCCs)

The primary mechanism for these onward transfers is the use of Standard Contractual Clauses approved by the European Commission. We have executed these clauses with our U.S. sub-processors to contractually obligate them to uphold EU data protection standards.

EU-U.S. Data Privacy Framework (DPF)

As a supplementary measure, we verify that our key U.S. sub-processors are self-certified and actively participate in the EU-U.S. Data Privacy Framework. While OpenSay, as an Israeli company, is not eligible to participate in the DPF, our reliance on sub-processors who do provides an additional layer of assurance for the protection of your data. The DPF has survived legal challenges as of September 2025.

7. Security

We are committed to protecting the security of your personal information. We implement appropriate technical and organizational measures to safeguard your data against unauthorized access, alteration, disclosure, or destruction. For more detailed information on our security practices, please visit our Security page.

8. Your rights and controlling your personal information

You always retain the right to withhold personal information from us, with the understanding that your experience of our website may be affected. We will not discriminate against you for exercising any of your rights over your personal information. If you do provide us with personal information you understand that we will collect, hold, use and disclose it in accordance with this privacy policy. You retain the right to request details of any personal information we hold about you.

If you have any questions or concerns about this privacy policy, our privacy practices, or if you wish to exercise any of your data protection rights, please contact our Data Protection Officer: Sagi Kedmi at sagi at opensay.co.

9. Cookies

We use “cookies” to collect information about you and your activity across our site. A cookie is a small piece of data that our website stores on your computer, and accesses each time you visit, so we can understand how you use our site. This helps us serve you content based on preferences you have specified.

10. Business transfers

If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur, and that any parties who acquire us may continue to use your personal information according to this policy.

11. Limits of our policy

Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.

12. Changes to this policy

At our discretion, we may change our privacy policy to reflect current acceptable practices. We will take reasonable steps to let users know about changes via our website. Your continued use of this site after any changes to this policy will be regarded as acceptance of our practices around privacy and personal information.

Key Citations

• Data protection adequacy for non-EU countries
• The EU Commission Reaffirmed its Recognition of Israel's Adequate ...
• Answer given by Mr McGrath on behalf of the European Commission
• Adequacy of the EU–U.S. Data Privacy Framework Survives ...
• EU-U.S. Data Privacy Framework (DPF)