Everything you’ve ever wanted to know about Karmabot GDPR compliance

Based on interviews with our customers

Vlad Sadovenko
Karma bot
Sep 11, 2018


According to your data privacy policy, Karmabot collects information that may include but is not limited to Email address, First name and last name, Cookies and Usage Data. What other data do you collect?

We collect the admin’s email (the person who added Karmabot), with consent, at the beginning of the on-boarding tour. We also get Slack display names, which are not necessarily the users’ actual names. Usage Data: we track that with the usual Google Analytics and Mixpanel; the data is anonymous and indicates general activity within the app. Karmabot does not read any of your channel content. It is not aware of a channel’s existence unless you’ve added the bot to that channel via the `/invite @karmabot` command. We do not use Cookies on the landing page. A notice is displayed on the internal pages. Generally, all data gets completely wiped out 90 days after the bot is deleted (unless it got added back and re-activated during that period of time).

How does that work?

Slack’s policies are really strict about sharing access to users’ emails. The bot went through the compliance process and was approved.

How can the users use their rights given by GDPR?

At any moment a user can choose to reset their Karmabot account to its original state (deleting all data) or delete it altogether. All karma requests that Karmabot recorded can be edited, deleted and exported at any moment.

Who is the data Controller?

Karmabot is not a legal entity itself; it is one of the products of Sliday Limited, a company established in 2009.

Do you use Cookies on the landing page?

We do not use Cookies on the landing page; however, there is a cookie consent popup message on the pages where we do use Cookies.

Can we set data retention rules in the Account, or are the data retention rules that we apply to Slack automatically applied to Karmabot as well?

We don’t have access to Slack’s settings; however, once the user is deleted from Slack, we delete her or his data (user pic, display name, reasons for karma requests etc). This also applies to Slack’s guest users or users with limited-time access to Slack.

If we have an employee who is leaving the company, can we proceed with data erasure on his/her behalf?

If someone leaves the company, or in other words is deleted from Slack, Karmabot deletes all personal data for this user. The only thing that remains in our records is the anonymised number of karma points for the user. This is done to keep the statistics for the team in order (karma shares, leaderboard). It looks like this:

Deleted user_1 has 17% of karma shares in Q2 2018

Do we have to sign any DPA with Karmabot since we will be disclosing personal data of the users to Karmabot?

We comply with Slack’s strict rules for personal data disclosure (otherwise there’s no way to be listed in the Slack App Store) and have never signed additional DPAs with our customers; however, if it is required by your company’s policies, we’re more than happy to do so.

How will you let us know about a data breach if there is any?

There’s a Security Contact feature for security issues. Please head over to Settings, add your security contact email, and save the changes.

Try Karmabot today! A 30-day free trial is available. Already with us? Book a free 1-on-1 Karmabot demo to get the most out of it for your team.

