Yes, Slack requires a privacy policy for all App Directory apps. Slack's App Directory Guidelines mandate that every listed app have a publicly accessible privacy policy on its landing page. Your policy must disclose what workspace data your app accesses through OAuth scopes, how user information is stored and processed, and whether data is shared with third parties.
Slack is the workplace communication platform of choice for millions of organizations, from startups to Fortune 500 companies. The Slack App Directory hosts thousands of integrations that extend Slack's functionality, from project management tools to AI assistants to custom workflow automations.
If you are building a Slack app, you are building something that handles workplace data. Messages, user profiles, file shares, channel memberships, and organizational structures all flow through Slack's API. This data is often sensitive, sometimes confidential, and always personal. That is why Slack requires a privacy policy and why getting it right matters for your app's success.
This guide covers exactly what Slack requires in your privacy policy, how OAuth scopes determine your data obligations, why enterprise customers care deeply about your privacy practices, and the fastest way to create a compliant privacy policy for your Slack app.
Does Slack Require a Privacy Policy?
Yes. Slack's App Directory Guidelines explicitly require all listed apps to have a privacy policy. This requirement applies at the point of submission. Your app cannot be listed in the App Directory without a privacy policy URL. Slack's review team checks for this during the app review process.
- Required: for all App Directory apps
- Landing page: must be accessible there
- Reviewed: during app submission
The requirement goes beyond just having a document. Slack expects your privacy policy to be accessible from your app's landing page, the page users visit when they learn about your app before installing it. This means users should be able to review your data practices before they decide to authorize your app in their workspace.
For apps distributed outside the App Directory (internal apps, custom integrations, or apps shared directly via install link), the App Directory listing requirement does not technically apply. However, Slack's API Terms of Service still govern your use of the Slack API, and GDPR, CCPA, and other privacy laws apply based on the data you process. In practice, every Slack app that handles user data should have a privacy policy regardless of its distribution method.
Q: What if my Slack app is only for internal use?
Internal apps that process employee data still need a privacy disclosure under GDPR. Even within your own organization, employees have data rights. An internal privacy notice describing what the app does with employee data is good practice and may be required by your organization's own compliance policies.
Q: Does Slack review my privacy policy content?
Slack's app review team checks that a privacy policy URL exists and is accessible. They may also verify that it addresses the data types your app accesses based on its requested scopes. A generic policy that does not mention Slack or workspace data may raise concerns during review.
What Data Slack Apps Receive
Slack apps receive data through several mechanisms: OAuth token scopes, Event API subscriptions, slash commands, interactive components, and direct API calls. The data your app receives depends on which of these it uses and what scopes it requests. Your privacy policy must cover all of it.
| Data Type | How App Receives It | Personal Data? | Sensitivity |
|---|---|---|---|
| Workspace info | OAuth token, team.info API | No (organizational) | Low |
| User profiles | users:read scope, user events | Yes (names, photos, titles) | Medium |
| User emails | users:read.email scope | Yes (directly identifiable) | High |
| Channel messages | Event subscriptions, channels:history | Yes (user-generated content) | High |
| File uploads | files:read scope, file events | Potentially (file contents) | High |
| Slash command input | Command payloads via HTTP POST | Depends on user input | Medium |
| OAuth tokens | OAuth flow during installation | Yes (access credentials) | Critical |
| Channel membership | channels:read, conversations.members | Yes (who is in which channel) | Medium |
A critical point that many developers overlook: even the simplest Slack app receives personal data. A slash command app with no database still receives the user ID, username, workspace ID, channel ID, and command text with every invocation. That is personal data being processed. Your privacy policy must account for all of it.
Did you know?
Slack sends your app more data than most developers realize. Every Event API payload includes the user ID, workspace ID, and a complete event object. Even events you do not explicitly listen to may be included in the payload if they are part of a related event chain. Your privacy policy should cover all data your app receives, not just the data you intentionally use.
Incidental Data Collection
One of the unique challenges of Slack app privacy policies is incidental data. When your app responds to a slash command, it receives the user's ID, the channel ID, and the team ID even if your app does not need this information to function. When your app subscribes to message events, it receives the full message object including the author's user ID and profile information.
Under GDPR, receiving this data counts as processing it, even if your app immediately discards it. Your privacy policy should acknowledge this incidental data collection and explain how your app handles it. For example: "Our app receives user IDs and workspace information as part of Slack's standard API payloads. This data is processed in memory to respond to your request and is not stored."
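Here is what that sentence looks like when it is true in code. The handler below is an added example, not code from this article or from Slack: it parses a slash-command payload (the field names user_id, team_id, channel_id, command and text follow Slack's documented slash-command payload; the request body itself is constructed for the example), answers the request from memory, and writes only a redacted record to the application log. That last step is where "we do not store it" claims usually fail in practice, as the Common Mistakes section below notes about application logging and error trackers.

```python
"""Added example (not from the article): handle a Slack slash-command payload so
that the app's behaviour matches a privacy-policy statement such as "user IDs
and workspace information are processed in memory to respond to your request
and are not stored".

Slack delivers slash commands as an application/x-www-form-urlencoded POST.
The field names used here are Slack's documented slash-command fields; the
sample body is constructed for this example.
"""
import json
import logging
from urllib.parse import parse_qs

# Constructed sample body, in the form-encoded shape Slack uses for slash commands.
SAMPLE_BODY = (
    "team_id=T0001&team_domain=example&channel_id=C2147483705"
    "&channel_name=general&user_id=U2147483697&user_name=alice"
    "&command=%2Fweather&text=94070"
    "&response_url=https%3A%2F%2Fhooks.slack.com%2Fcommands%2F1234"
)

# Fields the privacy policy says are needed to answer the request. Everything
# else in the payload is incidental data the app should neither keep nor log.
FIELDS_USED = ("team_id", "channel_id", "user_id", "command", "text")

# Fields that identify a person, channel or workspace: kept in memory only,
# never written to logs or sent to an error tracker.
IDENTIFYING_FIELDS = ("team_id", "channel_id", "user_id", "user_name",
                      "team_domain", "channel_name", "response_url")

log = logging.getLogger("slash_handler")


def parse_command(body: str) -> dict:
    """Decode the form body into a flat dict (Slack sends each key once)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def redact_for_log(payload: dict) -> dict:
    """Build the only record allowed to reach application logs: the command
    name, the length of the input text, and the names (not values) of the
    identifying fields that were dropped."""
    return {
        "command": payload.get("command", ""),
        "text_length": len(payload.get("text", "")),
        "redacted_fields": sorted(k for k in payload if k in IDENTIFYING_FIELDS),
    }


def handle_command(body: str) -> dict:
    """Process the command in memory and return the response object Slack
    expects. The payload dict goes out of scope when the function returns;
    only the redacted log record persists anywhere."""
    payload = parse_command(body)
    used = {k: payload[k] for k in FIELDS_USED if k in payload}
    # Hypothetical business logic: acknowledge the ZIP code the user typed.
    reply = f"Weather lookup for {used.get('text', '')} requested"
    log.info("slash command handled: %s", json.dumps(redact_for_log(payload)))
    return {"response_type": "ephemeral", "text": reply}


if __name__ == "__main__":
    print(handle_command(SAMPLE_BODY))
    print(redact_for_log(parse_command(SAMPLE_BODY)))
```

The separation into `FIELDS_USED` and `IDENTIFYING_FIELDS` is the point: the policy sentence names what is used and what is not kept, and the code has one place where each of those lists lives, so a reviewer (or an enterprise procurement team) can check the claim against the handler rather than take it on trust.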
Slack App Directory Guidelines
Slack's App Directory has specific guidelines that go beyond general privacy law requirements. Understanding these guidelines is essential for getting your app approved and keeping it listed.
Minimum Privacy Policy Requirements
- What data is collected: Clearly list all data types your app accesses through Slack's API, including data received incidentally through event payloads
- How data is used: Explain the purpose of each data collection. Why does your app need user profiles? What does it do with message content?
- Data sharing: Disclose whether data from Slack workspaces is shared with any third-party services, and if so, which ones and for what purpose
- Data retention: How long is workspace data stored? What happens to the data when a workspace uninstalls your app?
- Security measures: What steps do you take to protect the workspace data your app handles?
- Contact information: How can users or workspace administrators reach you with privacy questions or data deletion requests?
Slack also requires that your privacy policy be consistent with your app's actual behavior. If your privacy policy says you do not store messages but your app logs message content to a database, that is a violation of both the App Directory Guidelines and applicable privacy laws.
Did you know?
Slack can remove apps from the App Directory for privacy policy violations. If users report that your app's data handling does not match what your privacy policy describes, Slack may investigate and remove your listing. Several high-profile apps have been removed or suspended for privacy concerns. Your privacy policy is not just a checkbox for listing. It is an ongoing commitment that Slack enforces.
Beyond the App Directory requirements, your Slack app must also comply with GDPR, CCPA, and any other applicable privacy laws. Many Slack workspaces are in the EU, making GDPR compliance essential. For comprehensive coverage of general app privacy policy requirements, see our dedicated guide.
OAuth Scopes and Data Access
OAuth scopes are the mechanism through which your Slack app requests access to workspace data. Each scope grants access to specific data types, and your privacy policy must accurately reflect the data accessible through your requested scopes. Requesting scopes your app does not need is both a Slack policy violation and a GDPR data minimization violation.
| OAuth Scope | Data Accessible | Privacy Disclosure Needed |
|---|---|---|
| channels:read | Channel names, topics, purposes, member counts | Workspace structure access |
| channels:history | Full message history in public channels | Message content processing |
| chat:write | Ability to post messages as the app | Content creation on behalf of app |
| users:read | User names, display names, profile photos, status | User profile data access |
| users:read.email | User email addresses in addition to profile info | Email address collection |
| files:read | File metadata, download URLs, file content access | File content processing |
| commands | Slash command payloads (user ID, channel, input text) | Command input processing |
| im:history | Direct message history with the app | Private message content |
Your privacy policy must match your scopes. If you request the users:read.email scope, your privacy policy must disclose that you access email addresses and explain why. If you later add a new scope, your privacy policy must be updated before you request that scope from users.
Slack also distinguishes between bot token scopes and user token scopes. Bot token scopes grant your app access to workspace data on behalf of the app itself. User token scopes grant access on behalf of the individual user who authorized the app. Both types must be covered in your privacy policy because both involve processing personal data.
Q: Should I request the minimum scopes necessary?
Yes. GDPR's data minimization principle (Article 5(1)(c)) requires you to collect only data that is necessary for your stated purposes. Slack also recommends requesting the minimum scopes needed. Over-scoping raises red flags during app review and with privacy-conscious workspace administrators.
Q: What if I need to add new scopes later?
When you add new scopes, existing installations need to re-authorize your app. Update your privacy policy before requesting the new scopes so that users can review the updated data practices when they re-authorize. This aligns with GDPR's requirement for informed consent.
Enterprise Grid Considerations
Slack Enterprise Grid is used by large organizations with strict compliance, security, and privacy requirements. If your app targets enterprise customers, or if you want it to be available to them, your privacy policy plays a critical role in sales and adoption.
Why Enterprise Customers Scrutinize Privacy Policies
- Compliance obligations: Enterprise customers in regulated industries (finance, healthcare, government) must verify that every third-party tool meets their compliance requirements before approving it
- Legal review: Enterprise procurement typically involves a legal team reviewing your privacy policy, terms of service, and data processing agreement before approving your app
- Data residency: Many enterprises require data to stay in specific geographic regions. Your privacy policy should disclose where data is stored and processed
- Sub-processor transparency: Enterprises want to know every third-party service that touches their workspace data. Your privacy policy should list all sub-processors
- Data deletion guarantees: Enterprises need assurance that their data is completely deleted when they uninstall your app or terminate the relationship
Did you know?
Many enterprise Slack customers require a Data Processing Agreement (DPA) in addition to a privacy policy before they will install a third-party app. A DPA is a legally binding contract that defines the roles and responsibilities of data controllers and processors. Having a comprehensive privacy policy makes DPA negotiations much smoother because it demonstrates you already understand your data handling obligations.
A well-written privacy policy can be a competitive advantage when selling to enterprise customers. If your competitor's app has a vague, one-paragraph privacy notice and yours has a detailed, comprehensive policy with clear data handling disclosures, enterprise procurement teams will favor yours. Privacy is increasingly a buying criterion, not just a legal requirement.
For enterprise readiness, your privacy policy should also address SOC 2 compliance (if applicable), data encryption at rest and in transit, access controls within your organization, incident response procedures, and data breach notification timelines. While not all of these are strictly privacy policy requirements, including them demonstrates maturity to enterprise buyers.
Common Mistakes Slack Developers Make
These are the five most common privacy policy mistakes Slack app developers make, and why each one can derail your App Directory listing or enterprise sales.
Mistake: "My app only reads messages, it does not store them"
Reading messages is data processing under GDPR, regardless of whether you store them. When your app receives a message event, it processes the message content, user ID, and channel information. Even if this data only exists in memory for milliseconds, it has been processed. Your privacy policy must disclose this processing and explain why your app needs access to message content. Additionally, many apps that "do not store" messages actually log them through application logging or error tracking tools like Sentry.
Mistake: "Slack's privacy policy covers my app"
Slack's privacy policy covers Slack's platform and its relationship with users. It does not cover what your app does with the data it receives through the API. You are a separate data controller (or processor, depending on your architecture). When a workspace installs your app and your app stores their data on your servers, Slack's policy says nothing about how you handle that data. You need your own policy.
Mistake: "I only need a privacy policy for the App Directory listing"
The App Directory is just one enforcement mechanism. GDPR, CCPA, and other privacy laws require a privacy policy based on the data you process, not where your app is listed. Even if you distribute your app privately, you still process workspace data and need a privacy policy. Enterprise customers will also demand one regardless of your distribution channel. Your privacy policy is a legal and business requirement, not just a listing checkbox.
Mistake: "OAuth data is not personal data"
OAuth tokens are credentials that grant access to personal data. The token itself, while it looks like a random string, is linked to a specific user or workspace and can be used to access personal information. Under GDPR, OAuth tokens are considered personal data because they are unique identifiers tied to identifiable individuals. Your privacy policy must address how you store, protect, and handle OAuth tokens.
Mistake: "A simple one-liner is enough"
A privacy policy that says "We respect your privacy" or "We do not sell your data" without further detail does not meet GDPR, CCPA, or Slack's requirements. GDPR Article 13 requires specific information: identity of the controller, purposes of processing, categories of data, recipients, retention periods, and user rights. A one-liner covers none of these. Slack's review team will also flag an inadequate privacy policy during app review.
To understand the full consequences of operating without a proper privacy policy, see our guide on what happens without a privacy policy. And please do not copy another app's policy; see our guide on why that creates legal problems.
How to Create a Privacy Policy for Your Slack App (6 Steps)
Follow these steps to create a privacy policy that meets Slack's App Directory requirements and complies with GDPR, CCPA, and other applicable privacy laws.
Audit your OAuth scopes and data access
Go to your app's configuration in the Slack API dashboard and review every OAuth scope you have requested, both bot token scopes and user token scopes. For each scope, document what data it gives your app access to. Check your Event API subscriptions and list every event type your app receives. Review your slash commands and interactive components. This audit is the foundation of your privacy policy.
Document what data your app stores and processes
Review your database schema and identify every table or collection that contains data from Slack workspaces. Note what you store (user IDs, team IDs, messages, configurations), where it is stored (cloud provider, region), how long it is retained, and who within your organization has access. Include any application logs that capture workspace data, even temporarily.
List all third-party services that receive data
Document every external service your app sends workspace data to. Common sub-processors include database hosting (AWS RDS, MongoDB Atlas, Supabase), AI and ML services (OpenAI, Anthropic), analytics (Mixpanel, Amplitude), error tracking (Sentry, Datadog), email delivery (SendGrid, SES), and cloud hosting (AWS, GCP, Azure). Each is a sub-processor that must be disclosed in your privacy policy.
Generate your privacy policy
Use a privacy policy generator to create a comprehensive policy based on your audit. Input the data types, storage methods, third-party services, retention periods, and your contact information. The generator produces a complete policy covering GDPR, CCPA, and Slack App Directory requirements in all required sections.
Host your privacy policy on your app's website
Publish your privacy policy at a permanent, publicly accessible URL on your app's website or landing page. Slack requires the privacy policy to be accessible from your app's landing page. Use a clean, dedicated page (e.g., yourapp.com/privacy) rather than embedding it in a PDF or document that requires download.
Add the privacy policy to your App Directory listing
Include the privacy policy URL in your Slack App Directory submission. Also link to it from your app's landing page, installation flow, and help documentation. Remember to update your policy whenever you change scopes, add third-party services, or modify your data handling practices.
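The scope audit in step 1 and the scope-to-disclosure mapping from the OAuth Scopes section above can be automated against the app's manifest, so the "does the policy match the scopes" check runs every time the manifest changes. The script below is an added example, not the article's or Slack's own tooling. It assumes the manifest layout of Slack's app manifest as I understand it (oauth_config.scopes.bot and .user, settings.event_subscriptions.bot_events and .user_events); the scope table is the article's, the sensitivity levels are carried over from the article's data-type table where a scope maps onto one (chat:write is rated low as an assumption, since it grants posting rather than reading), and both manifests are constructed for the example.

```python
"""Added example (not from the article or Slack): audit a Slack app manifest
and list the privacy-policy disclosures its scopes and event subscriptions
imply, plus the scopes added since a previous manifest (which need a policy
update before re-authorization is requested).

Manifest layout assumed: oauth_config.scopes.{bot,user} and
settings.event_subscriptions.{bot_events,user_events}. Sample manifests are
constructed for this example.
"""
import json

# Scope -> (data accessible, disclosure needed, sensitivity), from the article's
# scope table; sensitivity taken from the article's data-type table where the
# scope maps to one, chat:write rated "low" as an assumption.
SCOPE_DISCLOSURES = {
    "channels:read":    ("Channel names, topics, purposes, member counts", "Workspace structure access", "medium"),
    "channels:history": ("Full message history in public channels",       "Message content processing", "high"),
    "chat:write":       ("Ability to post messages as the app",            "Content creation on behalf of app", "low"),
    "users:read":       ("User names, display names, photos, status",      "User profile data access", "medium"),
    "users:read.email": ("User email addresses",                           "Email address collection", "high"),
    "files:read":       ("File metadata, download URLs, file contents",    "File content processing", "high"),
    "commands":         ("Slash command payloads (user ID, channel, text)", "Command input processing", "medium"),
    "im:history":       ("Direct message history with the app",            "Private message content", "high"),
}

# Event subscriptions whose payloads carry message or file content, so the app
# receives that content incidentally even if it never calls a history API.
CONTENT_EVENTS = {"message.channels", "message.groups", "message.im",
                  "message.mpim", "app_mention", "file_shared", "file_created"}

# Constructed sample manifests: the current one and the previously submitted one.
SAMPLE_MANIFEST = json.dumps({
    "display_information": {"name": "Example Standup Bot"},
    "oauth_config": {"scopes": {
        "bot": ["commands", "chat:write", "channels:history", "users:read.email"],
        "user": ["users:read"]}},
    "settings": {"event_subscriptions": {"bot_events": ["message.channels", "app_mention"]}},
})
PREVIOUS_MANIFEST = json.dumps({
    "oauth_config": {"scopes": {"bot": ["commands", "chat:write"], "user": ["users:read"]}},
})


def _scopes(manifest: dict) -> dict:
    """Return {'bot': [...], 'user': [...]} from a parsed manifest."""
    scopes = manifest.get("oauth_config", {}).get("scopes", {})
    return {"bot": list(scopes.get("bot", [])), "user": list(scopes.get("user", []))}


def audit_manifest(manifest_json: str) -> dict:
    """Map every requested scope to the disclosure the policy must contain."""
    m = json.loads(manifest_json)
    scopes = _scopes(m)
    events = m.get("settings", {}).get("event_subscriptions", {})
    all_events = list(events.get("bot_events", [])) + list(events.get("user_events", []))
    disclosures, unmapped = [], []
    for token_type in ("bot", "user"):
        for s in scopes[token_type]:
            if s in SCOPE_DISCLOSURES:
                data, disc, sens = SCOPE_DISCLOSURES[s]
                disclosures.append({"scope": s, "token": token_type, "data": data,
                                    "disclosure": disc, "sensitivity": sens})
            else:
                unmapped.append(s)  # needs a manual entry in the table above
    return {
        "disclosures": disclosures,
        "high_sensitivity": sorted({d["scope"] for d in disclosures if d["sensitivity"] == "high"}),
        "content_events": sorted(e for e in all_events if e in CONTENT_EVENTS),
        "unmapped_scopes": sorted(unmapped),
        "user_token_scopes": sorted(scopes["user"]),
    }


def new_scopes(previous_json: str, current_json: str) -> list:
    """Scopes present now but not in the previous manifest: the policy must be
    updated before these are requested from existing installations."""
    prev = _scopes(json.loads(previous_json))
    cur = _scopes(json.loads(current_json))
    before = set(prev["bot"]) | set(prev["user"])
    after = set(cur["bot"]) | set(cur["user"])
    return sorted(after - before)


def render_disclosure_section(audit: dict) -> str:
    """Draft the 'what data is collected' bullet list from the audit result."""
    lines = ["Data we access through Slack:"]
    for d in audit["disclosures"]:
        lines.append(f"- {d['scope']} ({d['token']} token): {d['data']}. "
                     f"Disclosure: {d['disclosure']} [{d['sensitivity']}]")
    for e in audit["content_events"]:
        lines.append(f"- event {e}: delivers message or file content with every event payload")
    return "\n".join(lines)


if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    print(render_disclosure_section(result))
    print("high-sensitivity scopes:", result["high_sensitivity"])
    print("scopes added since last submission:", new_scopes(PREVIOUS_MANIFEST, SAMPLE_MANIFEST))
```

Run it in CI against the checked-in manifest: a non-empty `unmapped_scopes` list means a scope was added that the disclosure table does not cover yet, and a non-empty `new_scopes` result against the last submitted manifest means the published policy has to change before the new scopes go out to workspaces.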
The Easiest Way to Get a Slack App Privacy Policy
Writing a privacy policy for a Slack app is more complex than for a simple website because you need to address OAuth scopes, event subscriptions, workspace data handling, and potentially enterprise compliance requirements. Doing this from scratch requires deep knowledge of GDPR, CCPA, and Slack's specific developer guidelines.
A privacy policy generator handles this complexity for you. You describe your app's data handling, and the generator produces a complete, legally compliant policy that covers all required sections. The result is a professional privacy policy ready for your App Directory listing and enterprise customer reviews.
The generated policy includes everything your Slack app needs: data categories mapped to your OAuth scopes, legal basis for processing, third-party sub-processor disclosures, user rights under GDPR and CCPA, data retention and deletion practices, and contact information. It follows the same standards used in our GDPR privacy policy template.
Frequently Asked Questions
Does Slack require a privacy policy for apps?
Yes. Slack's App Directory Guidelines require all listed apps to have a publicly accessible privacy policy. The policy must be linked from your app's landing page and included in your App Directory submission. Even apps distributed outside the Directory should have one for GDPR and CCPA compliance.
What data do Slack apps receive?
Slack apps receive data based on their OAuth scopes and event subscriptions. This can include workspace information, user profiles, email addresses, channel messages, file uploads, slash command payloads, and OAuth tokens. Even simple slash command apps receive user IDs and workspace IDs with every invocation.
What are OAuth scopes and how do they affect my privacy policy?
OAuth scopes define what data your app can access in a workspace. Each scope (channels:read, users:read.email, files:read, etc.) grants access to specific data types. Your privacy policy must accurately reflect the data accessible through all your requested scopes. Adding new scopes requires updating your privacy policy.
Do I need a privacy policy if my app is not in the App Directory?
Yes. The App Directory is just one reason to have a privacy policy. GDPR and CCPA require a privacy policy based on the data you process, not where your app is distributed. If your app processes personal data from Slack users (which virtually all apps do), you need a privacy policy for legal compliance.
How do enterprise customers affect my privacy requirements?
Enterprise Grid customers have strict compliance requirements and will review your privacy policy before approving your app. Many require a Data Processing Agreement (DPA). A comprehensive privacy policy that addresses data residency, sub-processors, and deletion practices can make the difference between winning and losing enterprise deals.
What happens if my Slack app does not have a privacy policy?
Your app cannot be listed in the Slack App Directory without a privacy policy. Beyond that, you face GDPR fines of up to 20 million euros and CCPA penalties of up to $7,500 per violation. Enterprise customers will refuse to install your app, and Slack can take action against apps that violate their API Terms of Service.
How do I create a privacy policy for my Slack app?
Audit your OAuth scopes and data handling, then use a privacy policy generator to produce a complete, compliant policy. Host it on your app's website and add the URL to your App Directory listing. The whole process takes under five minutes.
Related Resources
- Privacy Policy for Apps: general app privacy policy requirements for all platforms
- Privacy Policy for Discord Bots: Discord Developer Policy requirements for bot developers
- Privacy Policy for Chrome Extensions: Chrome Web Store privacy requirements for extension developers
- Privacy Policy for SaaS: privacy requirements for software-as-a-service products
- GDPR Privacy Policy Template: all 12 required GDPR sections with a compliant template
- What Happens Without a Privacy Policy: the real consequences of operating without one
- Privacy Policy for Websites: complete guide for website privacy policy requirements
- Can I Copy Someone Else's Privacy Policy?: why copying creates both copyright and compliance risk