SlabOS
SlabOS
Privacy Policy

Privacy Policy

Effective Date: March 28, 2026

Last Updated: March 28, 2026

SlabOS ("we", "our", or "us") operates the SlabOS countertop fabrication platform available at slabos.org and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

We are committed to protecting the privacy of our users and complying with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian privacy legislation.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Full name and email address
  • Company or business name
  • Phone number (optional)
  • Password (stored in hashed form, never in plain text)
  • Business address and location

1.2 Business and Operational Data

As you use the Service, you may input and store:

  • Countertop drawings, measurements, and design specifications
  • Customer and account records
  • Quotes, invoices, and pricing information
  • Job and project management data
  • Material inventories and slab images
  • Notes, annotations, and internal communications

1.3 Usage Data

We automatically collect certain information when you access the Service:

  • Browser type and version
  • Device type and operating system
  • Pages visited, features used, and time spent
  • IP address and approximate geographic location
  • Referring URLs and navigation paths

1.4 AI Interaction Data

When you use our AI-powered features (such as the business intelligence assistant or price list import), the queries you submit and resulting responses are processed to provide the requested functionality. AI interactions are scoped to your own business data and are not used to train third-party models.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: Operating the platform, processing your drawings and quotes, managing your accounts and jobs
  • Authentication and Security: Verifying your identity, maintaining account security, and preventing unauthorized access
  • Product Improvement: Understanding usage patterns to improve features, fix issues, and develop new capabilities
  • Customer Support: Responding to your inquiries, troubleshooting technical issues, and providing onboarding assistance
  • Communications: Sending service-related notices, security alerts, and (with your consent) product updates
  • Legal Compliance: Fulfilling legal obligations, enforcing our terms, and protecting our rights

We do not sell your personal information to third parties. We do not use your business data for advertising or marketing purposes.

3. Data Storage and Infrastructure

Your data is stored and processed using the following infrastructure:

  • Application Hosting: Our application servers are hosted on Railway, with infrastructure located in North America
  • Database: Your business data is stored in PostgreSQL databases hosted by Supabase, with servers located in Canada and the United States
  • File Storage: Uploaded files (such as slab images) are stored on our application servers with access restricted to authorized users within your organization

All data is transmitted over encrypted connections (TLS/SSL). Database connections use encrypted channels. We implement industry-standard security measures to protect your data at rest and in transit.

4. Third-Party Services

We use the following third-party service providers to operate the platform:

Stripe

Payment processing. Stripe collects and processes payment information directly. We do not store your full credit card number on our servers. Stripe's handling of your data is governed by their privacy policy.

Anthropic (Claude AI)

AI-powered features, including the business intelligence assistant and price list import. When you use AI features, relevant data from your account is sent to Anthropic's API to generate responses. Anthropic does not use API inputs to train their models. See Anthropic's privacy policy for details.

Supabase

Database hosting and management. Your business data is stored in Supabase-managed PostgreSQL databases with encryption at rest and in transit.

Railway

Application hosting and deployment infrastructure. Railway hosts our server-side application code and handles request routing.

5. Data Retention and Deletion

We retain your data for as long as your account remains active and as needed to provide the Service. Specifically:

  • Active Accounts: All business data is retained while your subscription is active
  • Account Deletion: Upon request, we will delete your account and associated personal information within 30 days. Business data (quotes, jobs, customer records) will be permanently deleted within 90 days
  • Backups: Residual copies in encrypted backups are purged on a rolling basis, typically within 90 days of deletion
  • Legal Requirements: We may retain certain records longer if required by applicable law (for example, financial transaction records for tax purposes)

To request data deletion, contact us at admin@slabos.org.

6. Cookies and Local Storage

We use minimal cookies and browser local storage strictly for operational purposes:

  • Authentication Tokens: Session tokens stored securely to keep you logged in
  • User Preferences: Interface settings such as theme preferences and editor configuration

We do not use third-party advertising cookies, tracking pixels, or analytics platforms that track you across websites. We do not participate in cross-site tracking or behavioral advertising.

7. Canadian Privacy Law (PIPEDA) Compliance

As a Canadian company, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and are guided by its ten fair information principles:

  • Accountability: We are responsible for the personal information under our control and have designated a privacy officer to oversee compliance
  • Identifying Purposes: We identify the purposes for which personal information is collected at or before the time of collection
  • Consent: We obtain meaningful consent for the collection, use, and disclosure of personal information
  • Limiting Collection: We limit collection to what is necessary for the identified purposes
  • Limiting Use, Disclosure, and Retention: Personal information is used only for the purposes for which it was collected and is retained only as long as necessary
  • Accuracy: We take reasonable steps to ensure personal information is accurate, complete, and current
  • Safeguards: We protect personal information with security measures appropriate to the sensitivity of the data
  • Openness: We make information about our privacy policies and practices readily available
  • Individual Access: Upon request, we will inform you of the existence, use, and disclosure of your personal information and provide access to it
  • Challenging Compliance: You may challenge our compliance with these principles by contacting our privacy officer

8. Your Rights

You have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request that we correct inaccurate or incomplete personal information
  • Deletion: Request that we delete your personal information and account data
  • Data Export: Request an export of your business data in a standard, machine-readable format
  • Withdraw Consent: Withdraw consent for optional data processing (such as marketing communications) at any time
  • Complaint: File a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated

To exercise any of these rights, contact us at admin@slabos.org. We will respond to your request within 30 days.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Hashed and salted password storage
  • Role-based access controls within the application
  • Multi-tenant data isolation ensuring your data is never accessible to other organizations
  • Regular security reviews and updates

While we take reasonable precautions to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

10. Children's Privacy

Our Service is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete that information promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or through a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after such notice constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or need to report a concern, please contact us:

SlabOS Privacy Officer

Email: admin@slabos.org

Location: Winnipeg, Manitoba, Canada

You may also file a complaint with the Office of the Privacy Commissioner of Canada.