Tovo
Back to home

Privacy Policy

Last updated June 13, 2026

Tovo (“Tovo,” “we,” “us”) builds a Slack app that turns messages into tracked checklists. This policy explains what data we handle, why, and the choices you have. We collect only what we need to run the service.

Information we collect

We collect the following when you install and use Tovo in Slack:

  • Slack workspace & identity. Your workspace (team) ID and name, channel IDs, and the Slack user IDs, display names, and email addresses of people who interact with Tovo. We read email addresses (Slack scope users:read.email) only to route per-task notifications and identify task owners.
  • Content you create. The text of checklists, runs, tasks, subtasks, templates, owners, due dates, and the activity log generated as work progresses.
  • Messages you direct to the bot. When you mention @tovo or DM it, we process that message to draft a checklist. If AI authoring is enabled, the message text is sent to our AI provider to parse it into structured steps (see Subprocessors).
  • OAuth tokens. The access tokens Slack issues at install, stored so the app can post and update messages on your behalf.
  • Billing details. If you upgrade, our payment processor (acting as Merchant of Record) handles your payment. We receive a subscription status and plan tier — we never see or store full card numbers.
  • Technical logs. Standard request and error logs (including IP address and timestamps) used to operate, secure, and debug the service.

How we use information

  • Create, post, and keep checklist messages up to date in your channels.
  • Assign owners and send notifications by DM, email, or channel mention.
  • Run reminders and overdue nudges, and maintain the activity log.
  • Process payments, enforce plan limits, and provide customer support.
  • Monitor, secure, and improve reliability of the service.

We do not sell your data, and we do not use your content to train AI models.

Subprocessors

We rely on a small set of vendors to deliver Tovo:

  • Vercel — application hosting and serverless compute.
  • Supabase — managed PostgreSQL database and authentication.
  • Anthropic — AI parsing of the messages you send to the bot (only when AI authoring is used). Anthropic does not use this data to train its models.
  • Payment processor — our Merchant-of-Record payment provider handles checkout, billing, and tax for paid plans.
  • Email delivery (SMTP) — used only if your workspace enables email notifications.

Slack data

Our use of information received from Slack APIs adheres to the Slack API Terms of Service, including the Limited Use requirements. We request only the OAuth scopes the app needs to function, and you can review and revoke them at any time from your Slack workspace’s app management settings.

How we share information

We share data only with the subprocessors listed above, and only as needed to run the service. We may also disclose information when required by law, to enforce our terms, or to protect the rights and safety of our users. We do not sell or rent personal data.

Data retention & deletion

We keep your data for as long as Tovo is installed in your workspace. When you uninstall the app, the associated OAuth tokens are invalidated and we delete or anonymize workspace data within 30 days, except where we must retain limited records (e.g. billing) to meet legal obligations. You can request export or deletion of your data at any time by emailing support@tovo.run. Workspace admins can also export their runs and tasks with /tovo export.

Your rights

Depending on where you live, you may have the right to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain processing. To exercise any of these rights, contact us at support@tovo.run.

Security

Data is encrypted in transit (TLS) and at rest. Every inbound Slack request is signature- verified, app access follows least-privilege principles, and write access to our database is restricted to server-side code. See our Security page for more.

International transfers

Tovo is operated from, and processes data in, data centers that may be located outside your country. Where required, we rely on appropriate safeguards for cross-border transfers.

Children’s privacy

Tovo is a workplace tool and is not directed to children. We do not knowingly collect personal data from anyone under 16.

Changes to this policy

We may update this policy from time to time. Material changes will be reflected by the “Last updated” date above, and where appropriate we’ll provide additional notice.

Contact us

Questions about this policy or your data? Email support@tovo.run.