← Back to home

Privacy Policy — Superpal

Last updated: June 21, 2026

1. Introduction

This Privacy Policy explains how Agentic Labs, UAB (company code 307629422, VAT LT100020129713, registered at Sodų g. 15-13, LT-01313 Vilnius, Lithuania) (“we”, “us”, “our”, or “Superpal”) collects, uses, shares, and protects personal data in connection with the Superpal service — an AI digital employee that operates inside your Slack workspace (with Microsoft Teams to follow) (the “Service”).

Our two roles. We handle personal data in two distinct capacities:

  • As a processor — for the data your organization’s teams put through the Service (Slack messages, files, connected-account data, and similar — together, “Customer Data”). Here your organization is the data controller and decides why and how that data is used; we process it on your behalf to provide the Service, on your instructions and under our Terms of Service and any Data Processing Agreement.
  • As a controller — for the data we decide to process for our own purposes: account and billing information, communications with us, and website/product analytics and advertising data.

This Policy covers both. By using the Service, you acknowledge the practices described here. We review this Policy at least annually.

2. Key Definitions

Customer Data means data submitted to or processed by the Service on your behalf, including: connection credentials (e.g., OAuth tokens), workspace and user identifiers, workspace settings, files stored in Superpal, conversations and outputs generated in Superpal, scheduled tasks, approval decisions, and service logs.

3. Information We Collect

We collect only what is necessary to provide, secure, and operate the Service.

A. Workspace and user information. Workspace/team identifiers and limited metadata; the installer’s name and email (as provided by Slack); and identifiers for users who interact with the Service (Slack user ID, display name, and email where provided).

B. Verification data. A phone number used for one-time SMS verification at signup, checked for validity and line type. Verification is provided through our processor Twilio.

C. Connection credentials. OAuth access/refresh tokens, scopes, and expiry metadata for Slack and for any third-party integrations you enable. Credentials are held in an encrypted vault; depending on the sharing scope you select, an integration may be usable by authorized members of your workspace.

D. Content and records inside Superpal. Files created or uploaded in Superpal; conversation threads and agent outputs; tool-call records; approval/rejection decisions; and scheduled-task configurations.

E. Slack message content. Messages from channels where the Service is invited, direct messages to it, and thread replies — used to process your requests and maintain context.

F. Service logs and usage data. Timestamps, audit and security logs, error and request metadata, and usage signals needed to operate, secure, and improve reliability.

G. Communications with us. Information you provide when you contact support or email us.

H. Website, product analytics, and advertising data. When you visit our website or begin signup/checkout, we (and our analytics/advertising tools) may collect cookie and similar identifiers, device and browser metadata, IP address, pages viewed, interaction events, and campaign/referral/attribution data. Non-essential cookies and advertising pixels are set only with your consent (see Section 11).

We do not knowingly collect special-category (sensitive) personal data unless you provide it as part of your use of the Service.

4. How We Use Information and Legal Bases (GDPR)

We process personal data on the following legal bases under Article 6 GDPR.

  • To provide and operate the Service — authenticate users and workspaces, maintain integrations, execute tasks, generate outputs, and maintain context. Legal basis: performance of a contract; for Customer Data, processing is carried out on your instructions as controller.
  • AI processing to generate outputs — relevant Customer Data is processed by AI systems to produce responses and complete tasks at your direction. We do not use Customer Data for advertising, and we do not train our own or third-party foundation models on it.
  • Security, safety, and integrity — detect and prevent fraud, abuse, and unauthorized access; investigate incidents; maintain audit trails. Legal basis: legitimate interests, and legal obligation where applicable.
  • Service improvement — using aggregated or de-identified data that cannot reasonably identify you. Legal basis: legitimate interests.
  • Communications — service, security, and administrative messages, and support. Legal basis: performance of a contract / legitimate interests.
  • Analytics, advertising, and attribution — measure website/product usage and campaign performance and attribute signups. Legal basis: consent for non-essential cookies/pixels; legitimate interests for privacy-protective, essential analytics.
  • Compliance and protection — comply with legal obligations and enforce our Terms. Legal basis: legal obligation / legitimate interests.

Where we rely on legitimate interests, we balance them against your rights; you may object (see Section 10).

5. AI Processing and No Model Training

When the Service performs work, the data needed to complete a request (the prompt and context) is processed by our AI providers, Anthropic and Google. We require these providers to use your data only to provide the requested service and not to train their general models. Your data is processed in isolated requests and is not visible to other customers. We do not use Customer Data to train any model, our own or a third party’s.

6. How We Share Information

We do not sell your personal data.

A. Sub-processors (infrastructure and operations). We use vendors to host and run the Service, who process data on our behalf solely to provide, secure, and support it. Our core sub-processors include:

Sub-processorPurposeLocation
Google Cloud (GCP)Hosting, storage, computeEU (europe-west1)
AnthropicAI model processingGlobal
StripePayments and billingUS (SCCs)
TwilioPhone verificationUS (SCCs)

We may use additional vendors to fulfil specific tasks or integrations you enable. A current list of sub-processors is available on our Sub-processors page, and we will inform you of material changes so you may object where you have the right to do so.

B. Analytics and advertising partners. With your consent, we use analytics and advertising tools — currently LinkedIn Ads (and the LinkedIn Insight Tag), Google analytics/tracking, and Vercel, and we may add similar tools such as Meta. These may receive online identifiers, event metadata, and campaign/attribution data. We do not use Slack message content or Customer Data for advertising.

C. Slack platform. The Service integrates with Slack via Slack OAuth 2.0 and Slack APIs, subject to Slack’s terms and privacy policy. We access Slack data only after you grant permission, and you may revoke access at any time in Slack App Management. We affirm that Slack APIs are not used to develop, improve, or train generalized AI/ML models.

D. Legal compliance and protection. We may disclose information where required by law or valid legal process, or where necessary to protect rights and safety, prevent fraud or abuse, or enforce our Terms.

E. Business transfers. In a merger, acquisition, financing, or sale of assets, information may be disclosed to advisors and successors under appropriate confidentiality protections.

7. International Data Transfers

Customer Data is hosted and processed in the EU (Google Cloud, europe-west1). Some sub-processors — in particular our AI providers — may process data outside the EEA. Where they do, transfers are protected by an adequacy decision or appropriate safeguards such as the EU Standard Contractual Clauses.

8. Data Storage and Security

Customer Data is stored in the EU with encryption in transit (TLS 1.2+/1.3) and at rest (AES-256 with provider-managed keys). We apply access controls (role-based access, least privilege, multi-factor authentication for internal access), audit logging and monitoring, workspace isolation, and incident-response processes, including notification to affected customers and/or authorities where required. You are responsible for security within your own workspace (e.g., channel access and admin permissions).

9. Data Retention

We retain Customer Data only as long as needed to provide the Service, meet our obligations, and comply with law. When an account is closed, a subscription is cancelled, or we receive a validated deletion request, we delete the associated Customer Data within 90 days. Aggregated or de-identified data that can no longer identify you may be retained.

10. Your Rights

Subject to applicable law, you have the right to access, rectify, erase, restrict processing of, and object to processing of your personal data; to data portability; and to withdraw consent at any time (without affecting prior processing).

For Customer Data, where we act as processor, we will assist the controller (your organization) in responding to such requests, and may direct individual users to their workspace administrator where appropriate.

To exercise your rights, contact support@superpal.ai. We will respond within the timeframes required by the GDPR (generally one month, extendable where permitted). You also have the right to lodge a complaint with your supervisory authority — in Lithuania, the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija) — or the authority in your country of residence.

11. Cookies and Similar Technologies

We use cookies and similar technologies for two purposes:

  • Essential — required to run the website and Service (e.g., security, session, load balancing). These are always active.
  • Non-essential — analytics and advertising technologies, including the LinkedIn Insight Tag, Google tracking, and (in future) similar pixels such as Meta. These are set only after you give consent through our cookie banner, and you can change or withdraw your choices at any time via the banner/preferences link or your browser settings.

We do not fire advertising pixels before consent.

12. Children’s Privacy

The Service is intended for business use by adults and is not directed to children. We do not knowingly collect personal data from anyone under 18 (or the age of majority in their jurisdiction, if higher). If we learn we have, we will delete it. Contact support@superpal.ai with any concerns.

13. Slack Marketplace Compliance

The Service accesses the following Slack data:

Data typePurpose
Messages in channels where the Service is invitedProcess requests and provide AI assistance
Direct messages to the botRespond to direct interactions
Thread repliesMaintain context for requested actions
User profile informationIdentify users and personalize responses
Channel informationUnderstand context and permissions
File metadata and files (when you request)Process attachments and uploads/downloads

Our commitments: we use Slack data only to provide and operate the Service; we do not sell Slack data; we do not use it for advertising; we affirm Slack APIs are not used to develop, improve, or train generalized AI/ML models; and we do not train any foundation model on Customer Data. You may uninstall or revoke access at any time in Slack App Management — after which we stop collecting new Slack data immediately, with previously stored data deleted per Section 9.

14. Changes to This Policy

We may update this Policy. For material changes, we will notify you by appropriate means (e.g., emailing the account address or notifying workspace administrators). The “Last updated” date reflects the latest revision; continued use after changes take effect indicates acceptance.

15. Contact Us

Agentic Labs, UAB
Company code: 307629422 · VAT: LT100020129713
Sodų g. 15-13, LT-01313 Vilnius, Lithuania
Email: support@superpal.ai

As an organization established in the EU (Lithuania), we are not required to appoint an Article 27 EU representative.