Privacy Policy
Last updated: March 2026
The short version: HushAsk is designed to protect your identity. We never store your Slack user ID, name, or email. Messages are routed using a one-way cryptographic hash. We cannot identify who sent any message — and that's intentional.
HushAsk exists because people won't ask certain questions if their name is on them. That only works if anonymity is real — not a policy promise, not a setting that could be toggled, but a technical property of how the system is built. This page explains exactly what HushAsk collects, what it doesn't, and where the limits of our control end and Slack's begin.
1. Who we are
HushAsk ("we," "us," or "our") enables anonymous message routing within Slack workspaces.
Questions? Contact us at [email protected].
2. What we collect
When you interact with HushAsk, we collect a limited set of data necessary to operate the service:
- Message content — The text of messages you choose to route through HushAsk. Stored temporarily while you select a routing destination, and post-routing for Notion sync where enabled.
- Anonymous user hash — A 16-character truncated SHA-256 hash derived from your Slack user ID and workspace ID, combined with a private salt. This hash cannot be reversed to identify you. It is used only for abuse detection at a workspace level.
- Routing metadata — Which channel a message was delivered to, the timestamp, and whether the message was synced to Notion. No sender identity is included.
- Workspace configuration — The Slack team ID, configured channel IDs, and any Notion integration credentials supplied by workspace admins.
3. What we never collect
- Your Slack user ID (discarded immediately after hashing)
- Your Slack display name, real name, or email address
- Your profile photo or any other profile data
- Your IP address
- Message drafts or unsent text
- Direct messages not sent through the HushAsk routing flow
4. How identity hashing works
When you send a message through HushAsk, your Slack user ID and workspace ID are passed through a SHA-256 one-way hash function combined with a private server-side salt. The result is a 16-character string that:
- Cannot be mathematically reversed to recover your Slack ID
- Is not linkable to any external identity database
- Is unique within HushAsk's context but not cross-referenceable
The original Slack user ID is never written to disk or transmitted to any external service. The hash is used solely for aggregate abuse detection — not for tracking individuals.
What admins can and cannot see:
| Admin can see | Admin cannot see | |
|---|---|---|
| Message content | ✓ | |
| Sender name or handle | ✓ | |
| Sender Slack ID | ✓ | |
| Any identifier linking message to sender | ✓ |
Sender identity cannot be recovered from HushAsk's database. It is not stored.
5. How we use your data
We use the data we collect to:
- Route your message to the correct Slack channel
- Enable workspace admins to sync answered messages to Notion
- Detect and prevent abuse within a workspace (using anonymized hashes only)
- Enforce the monthly free-tier message limit
- Improve the reliability and performance of the service
We do not use your data for advertising, profiling, or any purpose beyond operating HushAsk.
6. Data sharing
We do not sell, rent, or share your personal data with third parties. The only external data flows are:
- Slack API — Message delivery to your workspace's Slack channels. Governed by Slack's Privacy Policy.
- Notion API — Only when a workspace admin explicitly syncs a specific message. Governed by Notion's Privacy Policy.
No message content is shared with any other third party.
7. Notion integration
The Notion integration is entirely optional. If a workspace admin connects Notion:
- Only messages explicitly synced via the "Archive This Thread" flow are sent to Notion
- Messages are stored in a database within the admin's own Notion workspace — no sender identity is included in the record
- We store the Notion API access token on our server to enable syncing — it is encrypted at rest using AES symmetric encryption (Fernet, AES-128-CBC). The encryption key is stored separately as a server environment variable.
- The access token can be revoked at any time from Notion's integration settings, which will disable syncing immediately
8. Data retention
- Message content — Retained for up to 12 months to support Notion sync. Admins can request early deletion by contacting [email protected].
- Routing data — Deleted immediately after your admin reply is delivered.
- Your hashed identifier — Retained alongside message content for the same 12-month period. It is a one-way cryptographic hash and cannot be reversed to identify you.
- Pending messages (awaiting routing selection) — Deleted immediately upon routing or if the routing flow is abandoned.
- Workspace configuration — Retained until the app is uninstalled from Slack, or until an admin resets the configuration.
- OAuth state tokens — Automatically purged after 1 hour.
9. Your rights
Because we do not store identifiable information about message senders, we cannot fulfill data subject access or deletion requests on a per-sender basis — we genuinely cannot link a request to a stored record.
Workspace admins can request deletion of all message content for their workspace by contacting [email protected].
If you are in the EU or UK: You have rights under GDPR/UK GDPR. Because our data is anonymized by design, most message data falls outside the scope of personal data as defined by GDPR. Configuration data (workspace ID, channel IDs) can be deleted upon workspace admin request.
10. Slack platform and audit logs
This section is important if your organization uses Slack's Enterprise Grid plan.
HushAsk operates within Slack and is subject to Slack's Privacy Policy and Slack's Developer Policy. Slack may independently log API events according to their own policies.
When you send a message to any Slack app — including HushAsk — Slack's platform records that interaction in its own audit log. On Enterprise Grid plans, Slack makes this log available to workspace administrators through Slack's own tooling. This means your Slack admin may be able to see that you sent a DM to the HushAsk bot, independent of anything HushAsk stores or controls. HushAsk has no access to this log and no ability to suppress it. It is a Slack platform behavior, not a HushAsk behavior.
If this matters to you, check with your Slack administrator whether your workspace is on Enterprise Grid before using HushAsk.
11. Security
We take the following measures to protect data:
- Identity hashing with a private server-side salt (SHA-256)
- Slack credentials stored as environment variables, never in source code
- Notion tokens stored encrypted at rest
- SQLite WAL mode for safe concurrent access with no network exposure
- The application server does not expose internal files (source code, database, environment config) via the web interface
No system is perfectly secure. If you discover a vulnerability, please report it responsibly to [email protected].
12. Changes to this policy
We may update this policy as the product evolves. Material changes will be communicated to workspace admins via the HushAsk App Home. The "Last updated" date at the top of this page will reflect the most recent revision. Continued use of HushAsk after changes constitutes acceptance of the updated policy.
13. Contact
For privacy questions, data deletion requests, or security disclosures:
- Email: [email protected]
- Security: [email protected]