Conclude
PrivacyTerms

Legal

Privacy Policy

This Privacy Policy explains what information Conclude collects, how we use it, who we share it with, and the choices available to customers, workspace users, and public feedback submitters.

Last updated April 9, 2026

Information we collect

We collect information you provide directly, including account details, workspace setup information, billing information, support requests, and any feedback, attachments, comments, or knowledge base content you submit through the Service.

We also collect operational data such as device and browser information, IP-derived location data, authentication events, feature usage, public voting identifiers, and application logs needed to run, secure, and improve the product.

How we use information

We use personal data to provide and secure the Service, manage accounts and workspaces, process billing, operate public boards and knowledge bases, send service communications, provide customer support, and improve product performance and reliability.

Where applicable, we may also use data to power product features you enable, including AI-assisted categorisation, duplicate detection, theme detection, search, and integrations with third-party tools.

AI processing

Conclude is AI-native. Feedback text, follow-up responses, and screenshots submitted via our widget or React SDK are processed by OpenAI on our behalf to derive sentiment, generate semantic embeddings, classify type and severity, and cluster related items into themes. Screen recordings are transcribed via OpenAI Whisper when recording features are enabled.

OpenAI acts as a subprocessor under our agreement and does not use submitted content to train its models. Workspace administrators who do not want their end-users' feedback content sent to OpenAI should contact us before enabling AI features.

Cookies and local storage

Conclude uses essential cookies and browser storage to keep users signed in, maintain security, remember interface preferences, and support public feedback flows such as voting and submission state. If we introduce non-essential analytics or marketing cookies, we will update this policy and any required consent flow.

How we share information

We share information with service providers (subprocessors) that help us operate the product. Each subprocessor is bound by a written data processing agreement and is permitted to process data only on our instructions.

Current subprocessors

  • Supabase — Postgres database and Storage (screenshots, recordings). Stores all customer and end-user feedback content.
  • Vercel — Application hosting, edge functions, and serverless compute.
  • OpenAI— AI processing of feedback content (sentiment, embeddings, theming, transcription). See “AI processing” above.
  • Clerk — Authentication for workspace team members. Does not authenticate end-users of the feedback widget.
  • Trigger.dev — Background job orchestration for AI pipelines. Receives feedback IDs to invoke OpenAI on our behalf.
  • Resend — Transactional email delivery (status-change notifications, team invitations).
  • Stripe — Workspace billing. Processes customer payment data; does not handle end-user feedback content.
  • Linear, Notion, Slack, and similar integrations— When a customer enables an integration, relevant feedback metadata is shared with that provider on the customer's instruction.

We may also disclose information when required by law, to enforce our agreements, or to protect the rights, security, and integrity of Conclude, our customers, or the public.

Slack integration permissions

When a workspace connects Slack to Conclude, our bot requests the Slack scopes listed below. We ask only for what we need to deliver the feature surface described elsewhere in this policy — each scope below maps to a specific, opt-in customer action.

  • commands — register the slash command (default: /feedback) so workspace members can file feedback from any channel.
  • chat:write and chat:write.public — post the ephemeral confirmation after a slash-command submission, the direct message confirmation after a message-shortcut submission, and the channel notification when a customer has configured a notification channel.
  • users:read and users:read.email— resolve a Slack user's display name and email so feedback rows carry meaningful submitter attribution and so the email-based notification system can reach the right person when their feedback changes status.
  • team:read — read the workspace name and basic metadata so the integration card in Conclude shows the right workspace.
  • channels:read — list public channels so a workspace admin can choose which channel receives new-feedback notifications.
  • channels:history — read the messages in a thread when a workspace member runs the summarize sub-command on the slash command. The thread contents are passed to OpenAI for summarization and stored as part of the resulting feedback row; we do not retain Slack messages outside that row, and we do not read channel history at any other time.
  • channels:manage— create new public channels when a workspace member explicitly clicks “Create #conclude-feedback” in the Conclude integrations card, or, in upcoming releases, when they choose to create a channel grouped around a detected feedback theme. Conclude does not create channels autonomously and never archives or renames channels. Channels we create are clearly marked with a “Created by Conclude” welcome message so workspace admins have an audit trail.

A workspace admin can revoke these permissions at any time by disconnecting the integration in Conclude (Integrations → Slack → Disconnect) or by removing the Conclude app from the Slack workspace. Either action revokes the bot token immediately. Existing feedback rows in the Conclude workspace are preserved.

Data retention

We retain information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods vary based on the type of data, workspace settings, and whether an account or workspace remains active.

Security

We use administrative, technical, and organizational safeguards designed to protect personal data. No method of transmission or storage is fully secure, so we cannot guarantee absolute security.

International transfers

Your information may be processed in countries other than your own. Where required, we rely on appropriate safeguards for cross-border data transfers.

Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, or export your personal data, and to object to certain processing. You can also opt out of product emails using unsubscribe links where available.

Data deletion

When a workspace is deleted, all associated end-user identities, feedback items, attachments, and derived AI data (embeddings, themes) are removed via cascading database deletion.

For per-user erasure (GDPR Article 17 / CCPA right to delete) on a still-active workspace, contact us at support@conclude.fyi with the relevant submitter identifier (the user ID or email your application passes to the SDK). We do not currently expose an automated API for per-user deletion; requests are processed manually within statutory timeframes.

Contact us

Questions or requests about privacy can be sent to support@conclude.fyi.