Privacy Policy

Last updated: 28 March 2026

FlexiDesk ("we", "us", "our") is committed to protecting the privacy of your information. This policy explains how we collect, use, store, and protect data when you use the FlexiDesk Slack application ("the Service"). We comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). See also our Terms of Service.

1. What We Collect

FlexiDesk is built with a privacy-first approach. We collect only the minimum data needed to operate the booking service:

  • Workspace information — Slack workspace ID and team name to identify your organisation.
  • User identifiers — Slack user IDs and display names to associate bookings with people. We do not store email addresses, passwords, or personal contact information.
  • Booking data — space, date, desk or unit assignment, time slots (for meeting rooms), and guest names entered by admins.
  • Workspace configuration — spaces, capacity, attendance policies, routines, and admin settings.
  • Audit log — a record of administrative actions (space creation, booking cancellations) within each workspace.

Guest names are the only freeform personally identifiable information stored by FlexiDesk and may constitute personal information under the Privacy Act 1988 and other applicable privacy laws. All other user data is limited to Slack-provided identifiers.

2. What We Do Not Collect

  • We do not store credit card numbers, billing addresses, or invoices. All payment processing is handled entirely by Stripe.
  • We do not read message content in your Slack channels. FlexiDesk has no access to your conversations.
  • We do not use cookies, tracking pixels, or analytics tools. There is no advertising and no secondary use of your data.

3. Legal Basis for Processing

We process your data to provide the Service and fulfil our contractual obligations to you. Specifically, data processing is necessary to:

  • Deliver the booking functionality you have installed FlexiDesk to use.
  • Process subscription billing through our payment provider.
  • Send operational notifications (booking confirmations, cancellations, reminders) via Slack DM.
  • Provide workspace admins with occupancy reports and data exports.

We do not sell, rent, or share your data with third parties for marketing or advertising purposes.

4. Data Storage, Transfers, and Security

All data is hosted on Google Cloud Platform in the United States (us-central1 region) using Cloud Firestore. By using FlexiDesk, you acknowledge that your data is transferred to and stored in the United States, which may not have equivalent privacy protections to Australia. We mitigate this risk by relying on Google Cloud's contractual commitments and industry-standard security controls.

Data is encrypted at rest by default (Google Cloud Firestore) and encrypted in transit via TLS. Data is scoped per workspace and fully isolated — no organisation can access another's data. Direct database access is denied at the infrastructure level. All data operations run through authenticated server-side functions only.

Every request from Slack is verified using cryptographic signature validation. Our OAuth install flow is protected against CSRF attacks with time-limited, single-use state tokens. Stripe webhook payloads are verified via signature before processing.

5. Security Practices

FlexiDesk follows industry-standard security practices aligned with ISO 27001 principles. While we do not currently hold independent certification, our controls include:

  • Access control — production systems use least-privilege identity and access management (IAM). Database credentials and API keys are stored in Google Secret Manager and are not accessible in source code. Scheduled functions require authenticated OIDC tokens and are not publicly accessible.
  • Data segregation — all data is isolated per workspace using scoped Firestore collections. No workspace can query, view, or modify another workspace's data. This isolation is enforced at the database query level and reinforced by Firestore security rules that deny all direct client access.
  • Logging and monitoring — administrative actions within each workspace are recorded in a per-workspace audit log. Infrastructure-level logging is provided by Google Cloud Logging. Automated uptime monitoring checks service health every five minutes, with email alerts on failure.
  • Encryption — data at rest is encrypted via Google Cloud Firestore's default encryption (AES-256). All data in transit is encrypted via TLS. Slack request payloads are verified using HMAC-SHA256 signatures.
  • Vulnerability management — dependencies are regularly reviewed and updated. Security patches are applied promptly. Code changes go through review before deployment.
  • Backup and recovery — Google Cloud Firestore provides automatic data replication and point-in-time recovery capabilities. The Service is deployed across multiple instances with automatic scaling to ensure availability.

FlexiDesk is built on SOC 2-certified infrastructure (Google Cloud Platform and Stripe).

6. Data Retention and Deletion

If you uninstall FlexiDesk from your Slack workspace, all data is retained for 30 days to allow for reinstallation without data loss. After this grace period, all workspace data is automatically and permanently deleted, including:

  • All bookings, spaces, units, and routines
  • Admin records and user preferences
  • Audit logs and waitlist entries
  • Associated Stripe subscriptions (cancelled automatically)

No data is retained beyond this 30-day window.

7. Data Breach Notification

In the event of a confirmed data breach that is likely to result in serious harm to affected individuals, we will:

  • Notify affected workspace administrators within 72 hours of confirming the breach.
  • Notify the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme.
  • Provide details of the breach, the data involved, and steps being taken to contain and remediate it.

8. Third-Party Services

FlexiDesk relies on the following third-party services to operate:

  • Slack — the messaging platform FlexiDesk runs on. Governed by Slack's Privacy Policy.
  • Google Cloud Platform — hosting, database, and serverless compute. Governed by Google Cloud's Privacy Notice.
  • Stripe — payment processing and subscription management. Governed by Stripe's Privacy Policy. Card details, billing addresses, and invoices are stored by Stripe and never touch FlexiDesk's servers.

9. Slack Permissions

FlexiDesk requests only the Slack permissions it needs to function:

  • chat:write and im:write — to send booking confirmations and reminders via DM.
  • commands — to handle the /flexidesk slash command.
  • users:read — to display user names alongside bookings.
  • team:read — to read your workspace name during setup.

We do not request permissions to read message history, access private channels, or modify your workspace settings.

10. Your Rights

You have the right to:

  • Access your data — workspace admins can export booking data as CSV at any time from within the app.
  • Delete your data — uninstalling FlexiDesk triggers automatic deletion after 30 days, or you can request immediate deletion.
  • Request a full data export — contact us for a complete export of your workspace data.
  • Correct your data — workspace admins can update space configurations and cancel or modify bookings directly within the app.

To exercise any of these rights, email support@flexidesk.app.

11. Privacy Complaints

If you believe we have breached your privacy or the Australian Privacy Principles, you may lodge a complaint by emailing support@flexidesk.app with the subject line "Privacy Complaint". We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

12. Children's Privacy

FlexiDesk is a workplace tool and is not directed at individuals under 16. We do not knowingly collect data from children.

13. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via the FlexiDesk home tab in Slack. Continued use of FlexiDesk after changes constitutes acceptance of the updated policy.

14. Contact

If you have questions about this privacy policy or how we handle your data, email support@flexidesk.app.