# privacy policy — zaptipr

_Last updated: may 19, 2026_

This policy explains what data we collect, why, and what we do with it. Zaptipr is a product of Bitcoiner Talent, Inc., a Delaware corporation. We refer to ourselves below as "Zaptipr" or "we".

Our approach to data is the same one we'd want applied to our own: collect as little as possible, keep it as briefly as possible, share it only where the product needs it to work, and never sell it or use it to train AI models.

## who this covers

Zaptipr has two surfaces. The marketing website at zaptipr.com (the page you're on now) and the Slack app you install into a Slack workspace. They have different data flows, so we cover them separately below.

## what the website collects

_Short version: just your email if you join the waitlist, and nothing else._

The marketing site is intentionally lightweight. We do not run analytics. We do not set tracking cookies. We do not load advertising pixels. We do not share visitor data with anyone.

If you join the waitlist, we ask for one piece of data: your email address. We use it to send you a launch announcement when Zaptipr is generally available, and to keep you updated about meaningful product news in the meantime. We hold your email until you unsubscribe (every email we send includes a one-click unsubscribe link). We will not sell, share, or pass your email to third parties or data brokers.

Waitlist emails are stored with Resend, our email service provider, in the United States.

## what the slack app collects

_Short version: only what we need to route a zap, render the interface, and bill the workspace._

When a workspace admin installs Zaptipr from the Slack App Directory, Slack issues us a bot token and identifies the workspace. We collect:

- **workspace identifiers**: the Slack-assigned workspace ID and the workspace subdomain, used to scope all Zaptipr data per workspace.
- **bot OAuth token**: issued by Slack so we can post messages and respond to commands. Encrypted at rest.
- **installer's Slack user ID**: captured as the initial billing-owner contact. Replaceable by any workspace admin.

When members of the workspace use Zaptipr, we collect:

- **Slack user ID**: the stable identifier Slack assigns each member, stored when they first interact with Zaptipr.
- **display name**: the name Slack returns for the member, used so the interface can render who sent or received a zap.
- **lightning address**: the public payment identifier you provide via /zapwallet. Required if you want to receive zaps. You can update or delete it at any time. We never see your wallet's private keys, seed phrases, or any secret material.
- **active-member snapshot**: a periodic count of active workspace members, stored as a single integer on the workspace record so we can compute the workspace's monthly bill.

For every zap, we record an audit log entry containing the sender's Slack user ID, the recipient's Slack user ID, the bitcoin amount, any optional message text, whether the zap was posted publicly or kept private, the confirmation timestamp, and a confirmation token. We do not record the channel a zap was posted in.

For billing, we maintain a workspace billing record that identifies the billing owner by Slack user ID, holds the pricing configuration (any waiver, optional per-member rate override, cached active-member snapshot), tracks the current paid period and last payment, logs renewal-reminder deliveries, and records Zaprite checkout outcomes. No email addresses or other personal contact details are stored on billing records.

## slack permissions

Zaptipr requests the minimum Slack permissions needed for shipped features. The current production manifest requests seven bot scopes. No user-token scopes are requested.

| scope | what it enables |
| --- | --- |
| channels:join | lets the bot join public channels where it's invited |
| channels:read | lists public channels so the bot can be added |
| chat:write | posts zap confirmations, modals, and bot DMs |
| commands | receives slash commands (/zap, /zapwallet, /zaphistory, /zapbilling, /zaphelp) |
| groups:read | reads private-channel metadata where the bot is added (so /zap works from private channels) |
| im:write | sends direct messages from the bot (zap receipts, renewal reminders) |
| users:read | reads the basic member directory (ID and display name) for billing counts and UI rendering |

Future reaction-triggered features — for example, a react-with-an-emoji flow for birthday zaps — will require additional permissions to read message content. If and when those features are introduced, workspaces will see a separate Slack re-authorization prompt at that time. No message content is read until that prompt is accepted.

## what payments look like

Subscription payments are processed by Zaprite, a PCI-compliant payment processor in the United States. When you check out, Zaprite collects your payment instrument (credit card or bitcoin). Zaptipr never sees your card number, CVV, billing address, or any other PCI-scope payment data.

Zaprite returns to us a small set of order metadata: order ID, status, amount, currency, paid timestamp, and the payment method category ("card" or "bitcoin"). Zaprite may also include the buyer's email in the webhook payload it sends us. We retain that payload for diagnostic and reconciliation purposes. We do not act on this email, send mail to it, or expose it in any user-facing surface.

## what we do not collect

To make this concrete:

- Slack passwords (Slack handles all authentication)
- your email address inside the Slack app (we don't store member emails)
- your profile picture (never stored)
- wallet seed phrases, private keys, or recovery phrases
- card numbers, expiry dates, or CVVs (Zaprite handles these, never seen by us)
- bank account numbers
- government identifiers (SSN, passport, tax ID)
- biometric or health data
- the contents of Slack messages outside Zaptipr's own commands and modals
- files attached in Slack
- direct messages between users (other than ones our own bot sends or receives)
- the channel a zap was posted in (only a public-or-private flag is stored)

## operational logs

We write structured application logs to standard output, captured by our hosting provider. Errors are forwarded to Sentry for monitoring. Logs cover inbound request metadata (route, status code, latency, source IP for rate-limiting and abuse detection), Slack signature verification outcomes, webhook delivery traceability, and errors. Sensitive values (tokens, secrets, API keys) are redacted before they reach any log destination. Logs are retained for a limited operational window.

## who we share data with

Zaptipr only shares data with the third-party services we depend on to operate. Each is a "subprocessor" in privacy terms.

- **Slack Technologies, LLC** (United States). The platform Zaptipr is built on. Workspace tokens, member identifiers, and the messages we post into channels and DMs flow to Slack. Your Slack data is governed by your workspace's existing agreement with Slack.
- **Zaprite, Inc.** (United States). Our payment processor. Card data is handled exclusively by Zaprite under their privacy policy and PCI compliance posture.
- **Replit, Inc.** (United States). Our cloud hosting provider. Application servers and our PostgreSQL database run on Replit infrastructure with encryption at rest and standard cloud-hosting security.
- **Sentry** (United States). Error monitoring. Application exceptions and request metadata are forwarded to Sentry so we can detect and fix bugs.
- **Resend** (United States). Email service provider for the marketing-site waitlist only. Not in the Slack app data path.
- **the lightning wallet provider you choose** (location varies). When you set a lightning address via /zapwallet, your provider learns when you receive zaps and the amounts. Zaptipr does not select your provider and does not have a contract with them. You're responsible for understanding their privacy practices.
- **the Lightning Network** (decentralised). Bitcoin payments over Lightning move directly between sender and recipient through independent routing nodes. This is the underlying payment rail, not a subprocessor we contract with.

We do not sell user data. We do not share data with advertisers, marketers, or data brokers. We do not use user data to train AI or machine learning models. No LLM or ML vendor is in the request path for user data. We will only disclose data to law enforcement in response to a valid legal process (subpoena, court order, search warrant) and only the minimum data the process requires. Where the law allows, we will notify the affected workspace before complying.

## international data transfers

Our hosting and primary subprocessors (Slack, Zaprite, Replit, Sentry, Resend) are based in the United States. If you're using Zaptipr from outside the US, your data is processed in the US.

## how long we keep data

| data | retention |
| --- | --- |
| workspace tokens, member records, lightning addresses, zap log, billing records | for the lifetime of your Zaptipr installation |
| your lightning address | you can update or delete it any time via /zapwallet |
| OAuth state tokens | single-use, expire within minutes |
| operational logs | retained for a limited operational window |
| backups | per our hosting provider's backup retention schedule |

When a workspace uninstalls Zaptipr, deletion happens in two phases. First, the bot token is immediately revoked and the workspace is hidden from live queries (a "soft delete"). A daily sweep then hard-deletes all workspace data 30 days later. The 30-day buffer gives admins room to recover from accidental uninstalls — a re-install within the window restores everything. After 30 days the data is gone.

## your rights

You can ask us to:

- access the personal data we hold about you
- correct any inaccurate data (lightning address, display name)
- delete your personal data, subject to legal retention obligations
- restrict or object to certain types of processing
- receive your data in a portable, machine-readable format
- lodge a complaint with your local data protection authority

If you're a workspace admin, you can also:

- remove Zaptipr from your workspace at any time, which triggers our deletion process
- designate or change the billing-owner contact
- export your workspace's zap history and billing records before deletion

Send any of these requests to hello@zaptipr.com.

## security

A few of the commitments we make:

- All traffic, inbound and outbound, runs over HTTPS / TLS.
- Inbound webhooks (from Slack and Zaprite) are authenticated using cryptographic signatures issued by those platforms before we act on them.
- Sensitive credentials — including Slack bot tokens — are encrypted at rest using industry-standard cryptography.
- Tokens, secrets, and API keys are redacted before they reach any log destination.
- Database connections use TLS. Database queries are parameterised.
- Rate limiting is applied to public endpoints to mitigate brute force and abuse.
- The lightning-address validator includes safeguards against server-side request forgery on user-supplied domains.
- The OAuth install flow uses CSRF-resistant state tokens.

## children

Zaptipr is built for workplace use and is not directed at children. We do not knowingly collect personal data from anyone under 16 (or the higher minimum age in your jurisdiction). If you believe a child has provided data to us, contact us and we will delete it.

## changes to this policy

We may update this policy from time to time. Material changes will be communicated to billing owners via in-Slack notification. The "last updated" date at the top of this page will reflect the effective date.

## contact

Questions or requests: hello@zaptipr.com.
