Privacy Policy
Last updated · 21 May 2026
This Privacy Policy explains how Slatewise by Serenity ("Slatewise", "we", "us") collects, uses and protects personal data when you use our production budgeting and scheduling service (the "Service"). We are the data controller for account data, and a data processor for the project content you store in the Service.
1. Data we collect
- Account data — your name, email address and a password (stored only as a secure hash by our authentication provider).
- Workspace & project data — the company details, gear, crew roles, budgets, projects and calendar information you enter.
- Billing data — handled by Stripe. We store only a Stripe customer reference and your current plan/subscription status; we never see or store full card details.
- Operational logs — minimal technical logs needed to run and secure the Service. We do not run third-party advertising or cross-site behavioural tracking.
- Product analytics — to understand which features are used and improve the Service, we record a small set of in-app events (e.g. "project created", "PDF generated") via PostHog on its EU Cloud. This is cookieless and pseudonymous: it is keyed only to an internal account identifier — never your name or email — with no IP address stored, no cookies set, and no recording of the content you enter. We attach a small, fixed set ofnon-identifying account-state properties to that identifier (your top plan tier, how many workspaces you're in, your role on your current workspace, and your signup date) so we can build aggregate funnels and cohort analysis. Because it sets no cookies and is strictly necessary-adjacent and non-intrusive, no consent banner is required; deleting your account severs the link to you.
- Website analytics (cookies) — our public marketing website uses PostHog (EU Cloud) with cookies to measure traffic, referral sources and conversion. This is strictly opt-in: nothing is stored on your device and no analytics request is made until you accept the cookie banner. You can withdraw consent at any time via "Cookie settings" in the site footer. It is separate from, and additional to, the cookieless in-app analytics described above.
- Session-aware navigation cookie — when you are signed in to the app we set a small
slatewise_signed_incookie scoped to our domain. It carries a single boolean and no personal data — it lets the marketing website show you a direct link back to your workspace instead of the generic sign-in/sign-up buttons. It is cleared automatically when you sign out. - Crew shoot-day reminders (email) — when a producer chooses to send shoot-day reminders from a project's calendar, we email the assigned crew members an
.icscalendar attachment via Resend (EU region). The email contains the freelancer's name, the project + workspace name, and the shoot day details (date, call time, location, role). The producer's email is set as the Reply-To so questions reach a human. Sending is always a manual, explicit click — never automatic, and never for marketing. - Product & onboarding emails — as part of getting you set up, we send occasional product updates, tips, and a personal check-in from the founder a couple of days after you sign up. We rely on legitimate interest(Art. 6(1)(f)) for these low-frequency, non-promotional messages to our own signed-up users; the imposition is minimal and you can opt out at any time, two ways: a one-click unsubscribe link in every such email (handled by our email provider, Resend), and an "Email preferences" toggle in your account settings. Either stops all product / onboarding emails immediately and has no effect on essential service notices (Terms, Privacy, security), which are always sent.
- Push notifications— if you enable notifications on a device, we store that device's push token (via Google Firebase Cloud Messaging, the same provider that runs our database) so we can alert you about your shoots — bookings, schedule changes, and next-day reminders. This only happens after you explicitly turn it on, on the basis of your consent (Art. 6(1)(a)). Turn it off any time from your account settings or your browser/OS; the token is removed and deleting your account erases it.
- Service notices (email) — we maintain a list of signed-up account emails in Resend (EU region) so we can email you about material changes to the service: updates to these Terms, the Privacy Policy, our list of sub-processors (with at least 30 days' notice), security incidents, and planned downtime. These notices are part of delivering the service to you (contractual basis) and are not marketing — we do not send product updates or promotional emails via this channel without separate opt-in consent. Deleting your account removes your email from this list.
2. Lawful bases for processing
- Contract (Art. 6(1)(b) GDPR) — to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — to keep the Service secure and reliable, and for minimal cookieless, pseudonymous product analytics to improve it. We do not use this basis for marketing.
- Consent (Art. 6(1)(a)) — for cookie-based analytics on our marketing website. It is never set until you accept, and you can withdraw it at any time via "Cookie settings".
- Legal obligation (Art. 6(1)(c)) — where retention is required by law (e.g. Stripe retaining billing records for tax).
3. How we use data
Solely to operate, secure and support the Service: authenticating you, storing and displaying your workspace data, processing subscription payments via Stripe, and responding to support requests. We do not sell personal data, and we do not send marketing emails without opt-in.
4. Sub-processors
We rely on a small set of well-known providers. See our sub-processors list for the current set, what they process and where. We give notice before adding a new sub-processor.
5. Data residency & security
Production data is hosted in the European Union. Data is encrypted in transit (TLS) and at rest. Passwords are hashed by our authentication provider. Access to production systems is restricted to authorised personnel.
6. Retention
- Account and workspace data is retained while your account is active.
- We may delete accounts inactive for 24 months, after a warning email.
- On account deletion, your owned workspaces and their data are permanently removed, and disappear from short-term backups within a few days.
- Billing records are retained by Stripe as required by tax law (typically up to 7 years).
7. Your rights
Under the GDPR you have the right to:
- Access & portability — download all your data as JSON from your account page at any time.
- Rectification — edit your profile and workspace data directly in the app.
- Erasure — permanently delete your account and owned data from your account page.
- Object / restrict — contact us; since we don't process for optional purposes, deletion is usually the relevant remedy.
- Complain — to your local supervisory authority. In Greece this is the Hellenic Data Protection Authority (dpa.gr).
8. Children
Slatewise is not intended for anyone under 16. Account creation requires confirming you are at least 16 years old. We do not knowingly process children's data.
9. Contact
For any privacy request or question, contact privacy@slatewise.app. We respond to data subject requests within 30 days.
