Privacy Policy
Last updated: February 2026
Overview
Translation Bot is a Slack integration that automatically translates messages between languages. This policy explains what data we access, how we use it, and how we protect it.
Data Flow
When a message is sent or a flag emoji reaction is added in Slack:
Slack sends event to our server
Slack delivers the message text to our API endpoint via a verified webhook (HMAC-SHA256 signature).
Our server forwards text to AI API
The message text is sent to Google Gemini API for translation. We do not store the message content at any point.
Translation is written back to Slack
The translated text is attached to the original Slack message. No copy is retained on our server.
Data We Access
- Message content — We read message text solely to produce a translation. Message content is forwarded to Google Gemini API in real time and is never stored on our servers.
- Emoji reactions — We detect flag emoji reactions to determine which language to translate a message into.
- OAuth tokens — When you install the app, we store your Slack OAuth tokens securely in Vercel KV (encrypted at rest) to authenticate API calls on your behalf.
- Translation context — If you @mention the bot with context (e.g., proper nouns), that text is stored per-channel in Vercel KV to improve translation quality.
Data We Do NOT Collect
- We do not store message content — not before, during, or after translation.
- We do not log or retain translated output.
- We do not collect personal information, analytics, or usage metrics.
- We do not sell or share any data with third parties.
- We do not use cookies or tracking technologies.
Data Retention
We follow a minimal data retention policy. The table below describes every category of data we store:
| Data | Retention | How to Delete |
|---|---|---|
| Message content | Not stored — processed in memory only | N/A |
| Translation output | Not stored — written directly to Slack | N/A |
| OAuth tokens | Until app is uninstalled or access is revoked | Uninstall from Slack |
| Translation context | Until manually cleared | @TranslationBot clear context |
| Deduplication hashes | Auto-expires after 10 seconds | Automatic |
| OAuth prompt cooldown | Auto-expires after 24 hours | Automatic |
Third-Party Sub-processors
| Service | Purpose | Data Shared |
|---|---|---|
| Google Gemini API | Translation | Message text (real-time, not stored by us) |
| Vercel | Hosting & KV storage | OAuth tokens, translation context (encrypted at rest) |
| Slack | Messaging platform | Translated text written back to messages |
Each sub-processor's own privacy policy governs its handling of data.
Your Rights
- Data deletion — Uninstall Translation Bot from your Slack workspace to remove all stored OAuth tokens.
- Context deletion — Use @TranslationBot clear context in any channel to remove stored translation context.
- Data export — Contact us to request a copy of any data we store related to your workspace.
- GDPR — If you are in the EU/EEA, you have the right to access, rectify, or erase your personal data. Contact us to exercise these rights.
Security Measures
- Zero message retention — Message text is processed in memory and immediately discarded. We do not log, cache, or persist message content.
- Encryption in transit — All communication uses TLS 1.2+ — between Slack and our server, and between our server and the AI translation API.
- Encryption at rest — All persistent data (OAuth tokens, translation context) is stored with AES-256 encryption at rest in Vercel KV.
- Request authentication — Every incoming Slack webhook is verified using HMAC-SHA256 signatures. Invalid requests are rejected.
- Serverless isolation — Each request runs in an isolated serverless function with no shared state between invocations.
- AI safety — Multi-layer prompt injection defense: system prompt hardening, input isolation with delimiters, output length validation, and context sanitization.
- No analytics or tracking — We do not use cookies, tracking pixels, or analytics services.
Contact
For privacy-related questions, data requests, security concerns, or to request a Data Processing Agreement (DPA), contact us at jmoh@hayanmind.com.