Privacy & Hashing
HushAsk is built on one guarantee: we cannot tell who sent a message. Here's exactly how that works — technically and in plain English.
The one-sentence version
When you send a message, your Slack user ID is passed through a SHA-256 one-way hash function before anything touches the database. The hash cannot be reversed. The original ID is never stored.
What SHA-256 means in practice
SHA-256 is a cryptographic function that converts any input into a fixed-length string:
- One-way — you can turn a Slack ID into a hash, but you cannot turn the hash back into a Slack ID.
- Deterministic — the same ID always produces the same hash, but only within HushAsk's salted context.
- Collision-resistant — it is computationally infeasible to find two different IDs that produce the same hash.
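The properties above, as an added Python example (not HushAsk's own code). It assumes the salt is a secret byte string prepended to the Slack ID before SHA-256; the function names, salt values, and `U0EXAMPLE…` / `C0TRIAGE01` identifiers are constructed for illustration.

```python
import hashlib
from collections import Counter

def user_hash(salt: bytes, slack_user_id: str) -> str:
    """SHA-256 over salt + Slack user ID, as 64 hex characters."""
    return hashlib.sha256(salt + slack_user_id.encode("utf-8")).hexdigest()

def build_record(salt: bytes, slack_user_id: str, content: str, target_channel: str) -> dict:
    """Row to persist: the raw user ID is hashed here and never stored."""
    return {
        "user_hash": user_hash(salt, slack_user_id),
        "content": content,
        "target_channel": target_channel,
    }

def flag_abuse(records: list, limit: int) -> set:
    """Hashes with more than `limit` messages; works without knowing any identity."""
    counts = Counter(r["user_hash"] for r in records)
    return {h for h, n in counts.items() if n > limit}

def matches_member_list(stored_hash: str, member_ids: list, salt: bytes) -> bool:
    """Design-review check: does hashing a known member list with `salt`
    reproduce the stored hash? It should not for anyone lacking the real salt."""
    return any(user_hash(salt, m) == stored_hash for m in member_ids)

# Constructed sample values, not real Slack IDs or HushAsk secrets.
SALT = b"constructed-secret-salt"
OTHER_SALT = b"another-deployment-salt"
MEMBERS = ["U0EXAMPLE01", "U0EXAMPLE02", "U0EXAMPLE03"]

def demo() -> dict:
    records = [build_record(SALT, "U0EXAMPLE01", f"msg {i}", "C0TRIAGE01") for i in range(3)]
    records.append(build_record(SALT, "U0EXAMPLE02", "hello", "C0TRIAGE01"))
    stored = records[0]["user_hash"]
    return {
        "hash_length": len(stored),
        "same_salt_same_hash": stored == user_hash(SALT, "U0EXAMPLE01"),
        "other_salt_differs": stored != user_hash(OTHER_SALT, "U0EXAMPLE01"),
        "flagged": flag_abuse(records, limit=2),
        # Empty salt stands in for an unsalted design: a member list matches it.
        "unsalted_matches_list": matches_member_list(user_hash(b"", "U0EXAMPLE01"), MEMBERS, b""),
        # The salted hash does not match unless the checker holds the salt.
        "salted_matches_without_salt": matches_member_list(stored, MEMBERS, b""),
    }

if __name__ == "__main__":
    print(demo())
```

Because Slack user IDs are short and a workspace's member list is known to its admins, the one-way property in practice rests on the salt staying secret and out of the database.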
What we store
| Data | Stored? |
|---|---|
| Your Slack user ID | Never — discarded immediately after hashing |
| Your name or email | Never — not requested from Slack's API |
| Your profile photo | Never — not accessed |
| Your DM channel ID (source_channel) | Purged — stored temporarily; deleted after the first reply is sent |
| Message content | Yes — for delivery and optional Notion sync |
| User hash (64 characters) | Yes — used only to detect abuse patterns; cannot identify you |
| Target channel ID | Yes — routing only |
| Timestamp | Yes — standard delivery metadata |
The source_channel purge
When you send a message, HushAsk temporarily stores your DM channel ID so it knows where to deliver any admin reply. As soon as a reply is sent — or the conversation is closed without a reply — this value is deleted from the routing table. After that point, there is no record linking the anonymous post to any DM channel.
Can admins see who sent a message?
No. Admins see the anonymous message in their triage channel and can reply — but sender identity is never revealed. The reply is routed through the temporary routing record, which is then purged.
What about Slack itself?
HushAsk can't protect against Slack's own audit logs — that's a Slack platform constraint, not ours. On Enterprise Grid plans, Slack makes bot interaction logs available to workspace administrators. If your company is on Enterprise Grid, your Slack admin could see that you sent a DM to HushAsk — independently of anything HushAsk stores.
To check which plan your company is on: open Slack on the web and go to [yourworkspace].slack.com/account/workspace-settings — the plan is listed under the Overview section. No admin access needed. If it says Enterprise Grid, this caveat applies to you.