Legal

Privacy Policy

Operated by TEGRALAB S.R.L. · Effective Date: March 4, 2026

TEGRALAB S.R.L., B-dul Dacia nr. 133, Sc. D, Sector 2, București, Romania, CUI: 52851778 ("TEGRALAB", "we", "us") operates StrainSignal.

This Privacy Policy explains how we process personal data in connection with the StrainSignal service and our website.

1. Roles Under GDPR

For Customer Data processed through Slack:

  • The Customer (the company installing StrainSignal) is the Data Controller.
  • TEGRALAB S.R.L. acts as a Data Processor.

We process personal data strictly on documented instructions from the Customer.

For website analytics and account billing data, TEGRALAB acts as Data Controller.

2. Categories of Data Processed

2.1 Slack Workspace Data (Customer Data)

When installed in a Slack workspace, StrainSignal processes:

Identifiers

  • Slack User ID
  • Slack Workspace ID
  • Channel IDs
  • Email address
  • Display name
  • Profile picture

Activity Metadata

  • Message timestamps
  • Message counts
  • Channel participation counts
  • @mention counts
  • Response timing data
  • After-hours and weekend activity indicators

Derived Data

  • Behavioral metrics
  • Baseline comparisons
  • Risk scores
  • Alert history
  • Administrative configuration settings

2.2 Message Content Handling

StrainSignal receives full Slack message content transiently through Slack event delivery. Message content is:

  • Processed momentarily for the limited purpose of detecting @mentions for responsiveness metrics.
  • Immediately discarded.
  • Not stored.
  • Not indexed.
  • Not retained in logs or databases.

We do not build content profiles or perform semantic analysis.

2.3 Billing Data

Processed via Stripe:

  • Company name
  • Billing contact
  • Payment method details (handled by Stripe)
  • Subscription metadata

2.4 Website Data

If users visit our website, we may process:

  • IP address
  • Browser information
  • Usage analytics (via Google Analytics)
  • Cookies (see Cookie Policy)

3. Purpose of Processing

We process data solely to:

  • Provide workload and burnout risk indicators
  • Generate dashboards and alerts
  • Maintain account administration
  • Process payments
  • Provide customer support
  • Maintain system security

We do not sell personal data. We do not use Customer Data for advertising. We do not train AI models on Customer Data.

4. Legal Basis (GDPR)

For Slack Workspace Data: Processing is based on Article 28 GDPR (processing on behalf of the Controller).

The Customer is responsible for establishing lawful basis under Article 6(1)(f) legitimate interests, Article 6(1)(c) legal obligation, or other applicable lawful grounds.

For Website Data: Processing is based on legitimate interest (security, analytics) and consent (where required for cookies).

5. Data Retention

Customer Data:

  • Deleted immediately upon Slack uninstall or Customer deletion request.
  • No archived copies retained.
  • No long-term backups containing personal data are preserved after deletion.

Website and billing data are retained as required by accounting and legal obligations.

6. Data Hosting and Transfers

All production infrastructure is hosted in the European Union via Hetzner. Subprocessors may process data under appropriate safeguards.

If data is transferred outside the EEA (e.g., Stripe, SendGrid), transfers rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms.

7. Subprocessors

We use the following subprocessors:

  • Hetzner (EU hosting)
  • Stripe (billing)
  • SendGrid (email delivery)
  • Google Analytics (website analytics)
  • Cloudflare (security and CDN)

All subprocessors are contractually bound by data protection obligations.

8. Security Measures

We implement:

  • Encryption in transit (HTTPS/TLS)
  • Role-based access controls
  • Restricted internal access
  • Logical access controls
  • Infrastructure-level protections

No system can guarantee absolute security.

9. Data Subject Rights

Because TEGRALAB acts as Processor for Slack data, data subjects must direct rights requests to their employer (the Controller). We assist Controllers in responding to requests.

For website data, individuals may contact hello@strainsignal.com.

Rights include:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Objection
  • Data portability
  • Complaint to supervisory authority

Romanian supervisory authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

10. Automated Decision-Making

StrainSignal generates automated risk indicators. However, outputs are informational only. No automated decisions with legal or similarly significant effects are made by TEGRALAB. Customers remain solely responsible for employment decisions.

11. Children

The Service is not intended for minors. We do not knowingly process data of individuals under 18.

12. Changes to This Policy

We may update this Privacy Policy periodically. The latest version will be published on our website.

StrainSignal is operated by TEGRALAB S.R.L., B-dul Dacia nr. 133, Sc. D, Sector 2, București, Romania · CUI: 52851778

Questions? hello@strainsignal.com