Introduction

Wove Digital Ltd, trading as Adweaver ("we," "our," or "us") operates Adweaver - AI Marketing Hub for Slack (the "Service"). We take your privacy seriously and are committed to protecting your personal data in accordance with GDPR (UK/EU) and CCPA/CPRA (California) requirements.

This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

Table of Contents

• Information We Collect
• Google Account Data
• How We Use Your Information
• Legal Basis for Processing
• Data Sharing and Third Parties
• Data Storage and International Transfers
• Data Retention
• App Uninstallation
• Security Measures
• Data Breach Notification
• Your Rights
• California Privacy Rights
• Automated Decision-Making
• Children's Privacy
• Updates to This Policy
• Contact Us

1. Information We Collect

Information from Slack

When you install and use our Service, we collect:

• Workspace Information: Team ID, workspace name, and installation metadata
• User Identifiers: Slack user IDs and usernames (not email addresses unless separately provided)
• Content Data: Text you provide for AI processing (product descriptions, keywords, audience information)
• Usage Data: Commands used, features accessed, timestamp of activities
• OAuth Tokens: Encrypted bot tokens for Slack API access

Information You Provide

• Campaign Content: Ad copy drafts, keyword lists, persona descriptions you create
• Dashboard Access: Authentication tokens for web dashboard access (stored for 4 hours)
• Support Communications: Any information you provide when contacting us

Automatically Collected Information

• Performance Metrics: Response times, error rates, API latencies
• Usage Analytics: Feature adoption, daily active workspaces, retention metrics

2. Google Account Data

When you connect your Google account to Adweaver, we access and process the following data:

What Google Data We Access

• Google Ads API: Keyword search volumes, competition metrics, cost-per-click estimates, and campaign names for keyword research functionality
• Google Analytics 4 API: Audience demographics (age, gender), geographic locations, interest categories, and traffic sources for data-driven persona generation
• Google Sheets API: Spreadsheet creation and editing for exporting your generated marketing content

What Google Data We Store

• OAuth Refresh Tokens: Encrypted with AES-256 to maintain your Google connection
• Keyword Data: Cached for 24 hours to improve performance and reduce API calls
• GA4 Property List: Cached list of your GA4 properties for faster persona generation
• GA4 Demographic Data: Cached for up to 24 hours during active persona generation sessions

What We Do NOT Store

• Your Google password
• Full Google account data or profile information
• Google Ads campaign configuration or billing information
• Personal Google data unrelated to the Service features

How Google Data Is Used

Google data is used solely for:

• Providing keyword research with real Google Ads metrics
• Generating data-driven customer personas using your GA4 audience demographics
• Exporting generated content to Google Sheets

We do not use Google data for advertising, profiling, or any purpose other than providing the Service features you request.

Revoking Google Access

You can revoke Adweaver's access to your Google account at any time by:

• Using the /integrations command in Slack and selecting "Disconnect Google"
• Visiting your Google Account Permissions page and removing Adweaver

Google API Services User Data Policy Compliance: Adweaver's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

3. How We Use Your Information

We use collected information to:

• Provide the Service: Generate AI-powered marketing content using OpenAI GPT-4
• Process Commands: Respond to your Slack commands (/ad-copy, /keywords, /persona-builder)
• Maintain Dashboard: Provide web access to your generated content
• Track Usage: Monitor usage limits and enforce rate limiting
• Improve Service: Analyze feature usage patterns to enhance functionality
• Ensure Security: Verify Slack request signatures and prevent unauthorized access
• Communicate: Send important updates about the Service

Important: We do not use your content to train AI models. Your marketing content remains yours.

4. Legal Basis for Processing

Under GDPR, we process your data based on:

• Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service you've requested
• Legitimate Interests (Article 6(1)(f)): Improving our Service, ensuring security, and preventing fraud
• Consent (Article 6(1)(a)): Where you've explicitly agreed to specific processing activities
• Legal Obligations (Article 6(1)(c)): Compliance with applicable laws and regulations

5. Data Sharing and Third Parties

We share your data with the following service providers to operate Adweaver:

Service Providers (Sub-Processors)

• OpenAI: AI content generation (GPT-4 API)
• Amazon Web Services: Cloud infrastructure hosting in eu-north-1 (Stockholm)
• Slack: Platform provider for app distribution
• Google: Google Ads API and Google Sheets API for keyword research and content export
• Stripe: Payment processing for subscriptions
• DataForSEO: Keyword research data provider

Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with all sub-processors that handle personal data. Enterprise customers requiring a DPA with Adweaver can contact admin@wovedigital.co.uk.

Sub-Processor List

A complete list of our sub-processors is available upon request. Contact admin@wovedigital.co.uk for the current list.

We do not sell your personal data. We do not share your data for advertising purposes. Data is only shared with service providers necessary to operate the Service.

6. Data Storage and International Transfers

• Primary Storage: AWS eu-north-1 (Stockholm, Sweden)
• Processing Location: European Union
• International Transfers:
  • OpenAI processes data in the United States
  • We rely on Standard Contractual Clauses for these transfers
  • AWS provides adequate safeguards for data transfers

7. Data Retention

We retain data for different periods based on its purpose:

• Campaign Content: Retained indefinitely unless you request deletion
• Dashboard Tokens: 4 hours from generation
• Usage Metrics: 90 days for detailed logs, aggregated data retained longer
• Installation Data: Duration of service use plus 30 days
• Slack Tokens: Duration of installation, encrypted at rest

8. App Uninstallation

When you uninstall Adweaver from your Slack workspace, the following data handling occurs:

Immediately Deleted

• Slack OAuth tokens (bot and user tokens)
• Dashboard authentication tokens
• Active session data

Deleted Within 30 Days

• Workspace configuration and preferences
• Usage tracking data
• User-workspace associations

Retained (Anonymized)

• Aggregated usage statistics (no personal identifiers)
• GDPR audit logs (retained for 3 years as required by law)

Generated Content

Your generated marketing content (ad copy, personas, keywords) is retained until you explicitly request deletion. This allows you to access your content if you reinstall the app. To delete all content, email admin@wovedigital.co.uk with your Workspace ID.

9. Security Measures

We implement industry-standard security measures:

• Encryption: All sensitive data encrypted at rest using AES-256
• Access Control: IAM roles and least-privilege access
• Request Verification: Slack signature verification on all endpoints
• Rate Limiting: Per-workspace limits to prevent abuse
• Monitoring: CloudWatch alerts for suspicious activity
• Regular Audits: Security reviews and dependency updates

10. Data Breach Notification

In the event of a data breach affecting your personal information:

GDPR Requirements (EU/UK)

• We will notify the relevant supervisory authority (UK ICO) within 72 hours of becoming aware of a breach
• If the breach poses a high risk to your rights and freedoms, we will notify affected users directly without undue delay

CCPA Requirements (California)

• We will notify California residents in accordance with California Civil Code § 1798.82
• Notification will include the types of information compromised and steps to protect yourself

Slack Platform Notification

Per Slack Developer Policy, we will notify Slack at feedback@slack.com of any security incidents affecting Slack user data

Our Response

Upon discovering a breach, we will:

• Immediately investigate and contain the incident
• Assess the scope and impact of the breach
• Take steps to mitigate harm to affected users
• Implement measures to prevent future incidents
• Document the breach and our response for regulatory purposes

11. Your Rights

Under GDPR (EU/UK Residents)

You have the right to:

• Access (Article 15): Request a copy of your personal data
• Rectification (Article 16): Correct inaccurate information
• Erasure (Article 17): Request deletion ("right to be forgotten")
• Restriction (Article 18): Limit processing in certain circumstances
• Portability (Article 20): Receive your data in a portable format
• Object (Article 21): Object to certain processing activities
• Withdraw Consent: Where processing is based on consent

To exercise these rights, contact admin@wovedigital.co.uk. We'll respond within 30 days.

You may also lodge a complaint with the UK Information Commissioner's Office (ICO).

12. California Privacy Rights

Under CCPA/CPRA

California residents have the following rights:

• Right to Know: What personal information we collect, use, and share
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate personal information we hold about you
• Right to Opt-Out of Sale: We do not sell personal information
• Right to Limit Use of Sensitive Personal Information: Request that we limit use and disclosure of sensitive personal information to what is necessary to perform the Service
• Non-Discrimination: We won't discriminate against you for exercising your privacy rights

Global Privacy Control (GPC)

We honor Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we treat it as a valid opt-out request under CCPA. You can enable GPC in compatible browsers to automatically communicate your privacy preferences.

Disclosure for California Residents

In the past 12 months, we have:

• Collected: Identifiers (Slack user IDs), commercial information (usage data), internet activity (feature usage)
• Not Sold: Any personal information to any party
• Not Shared for Cross-Context Behavioral Advertising: We do not share personal information for targeted advertising
• Disclosed for Business Purposes: To service providers (OpenAI, AWS, Google) for providing the Service

Authorized Agents

You may designate an authorized agent to submit requests on your behalf. We may require proof of authorization and verification of your identity.

To exercise California privacy rights: admin@wovedigital.co.uk

13. Automated Decision-Making

Adweaver uses artificial intelligence to generate marketing content. Here's how automated decision-making works in our Service:

How AI Is Used

• Content Generation: AI generates ad copy, keywords, and persona recommendations based on your inputs
• Quality Scoring: AI may score or rank generated content options
• Keyword Analysis: AI analyzes keyword relevance and suggests alternatives

Limitations of Automated Processing

• AI does not make legally binding decisions about you
• AI does not significantly affect your legal rights or produce legal effects
• All AI outputs are recommendations that require human review
• You can always override, edit, or reject AI recommendations

Human Oversight

You maintain full control over AI-generated content:

• Review all AI outputs before use
• Edit or regenerate content as needed
• Choose whether to use or discard recommendations

Contact us at admin@wovedigital.co.uk to contest any AI recommendation or request human review

14. Children's Privacy

Adweaver is designed for business and professional use and is not directed at children.

Age Requirements

• The Service is intended for users aged 16 and older
• We do not knowingly collect personal data from anyone under 16 years of age
• Use of the Service by minors is prohibited

Discovery of Minor Data

If we discover that we have inadvertently collected personal data from a child under 16:

• We will delete such data promptly
• We will take reasonable steps to prevent future collection
• We will notify the parent or guardian if contact information is available

Parental Concerns

If you believe we have collected data from a child under 16, please contact us immediately at admin@wovedigital.co.uk with the subject line "Children's Privacy Concern".

15. Updates to This Policy

We may update this Privacy Policy periodically. We'll notify you of material changes via:

• Slack app notification
• Email (if provided)
• Dashboard announcement

Continue using the Service after changes indicates acceptance of updated terms.

16. Contact Us

For privacy questions, concerns, or data subject requests:

• Email: admin@wovedigital.co.uk
• Company: Wove Digital Ltd (trading as Adweaver)
• Registered Address: United Kingdom
• Data Protection Officer: Thomas Walmsley

Response Times

• GDPR data subject requests: Within 30 days
• CCPA requests: Within 45 days
• General inquiries: Within 5 business days

Regulatory Contact

If you're unsatisfied with our response, you may lodge a complaint with:

• UK: Information Commissioner's Office (ICO) - ico.org.uk
• EU: Your local data protection authority

For data deletion requests, please include your Slack Workspace ID for faster processing.