1. Who we are
Tribal is operated by Meet Tribal ("we", "us", "our"), a company registered in England and Wales. If you have any questions about this policy or how we handle your data, you can reach us at legal@meettribal.com.
This policy covers the Tribal web application at meettribal.com and the companion Tribal desktop application (together, "the Service").
2. Beta notice
Tribal is currently in private beta. Features, data practices, and this policy may change as the product evolves. We will notify you of material changes by updating the "Last updated" date above and, where appropriate, by sending a notice to your registered email address. Continued use of the Service after a change takes effect constitutes acceptance of the updated policy.
3. What we collect
We collect the following categories of information:
- Account data. Your name, email address, and profile information provided when you sign up via WorkOS or Google OAuth.
- Workspace and Connection metadata. The names and identifiers of the Workspaces and Connections you create (e.g. "Acme — Slack workspace"), OAuth tokens needed to read from those sources, and permission scopes granted.
- Communications processed for inference. Content from the sources you connect — currently limited to Slack messages and threads in the private beta. This content is read and sent to AI model providers to extract structured objects. See §4 (Our storage stance) for what we retain.
- Derived Work Graph data. The structured objects Tribal infers from your communications: Tasks, Blockers, Decisions, Questions, Commitments, and their associated Evidence references, Rationale, Confidence scores, and state-change history (Revisions). Evidence references point back to source identifiers (e.g. Slack message IDs or channel thread timestamps) — they do not contain the raw message body.
- Interaction signals. Your confirmations, dismissals, resolutions, and corrections of inferred objects. These feed into ranking and future inference.
- Device and log data. IP address, browser or desktop-client version, operating system, and server-side logs generated in the normal operation of the Service.
4. Our storage stance
Tribal's core design principle is extract structure, discard raw content. When your messages are ingested:
- Message bodies are sent to AI model providers to produce structured inferences (Blockers, Tasks, Decisions, etc.).
- The derived objects and lightweight Evidence references (source-system IDs / offsets, not the body text) are stored in our database.
- Raw message bodies are not stored as a primary record in our database. Transient copies that appear in logs, AI provider API calls, or in-flight buffers are minimised and short-lived.
This means the Work Graph you see in Tribal is a structured summary derived from your communications — not an archive of those communications themselves.
5. How we use it
We use the information we collect to:
- Provide the Service. Ingest your connected sources, run AI inference, build and update your Work Graph, and surface Blockers and dependencies.
- Improve inference quality. Your interaction signals (confirms, dismissals, corrections) are used to rank and refine future inferences within your Workspace.
- Security and fraud prevention. Monitor for abuse and protect the integrity of the Service.
- Customer support. Respond to enquiries and troubleshoot issues.
- Legal and compliance obligations. Where required by law.
We do not sell your personal data to third parties, and we do not use your data for advertising.
6. Legal bases (UK GDPR)
Where UK GDPR applies, we rely on the following legal bases for processing:
- Performance of a contract. Processing your account data, Workspace/Connection metadata, and derived Work Graph data is necessary to deliver the Service you have signed up for.
- Legitimate interests. Improving inference quality using your interaction signals, operating server-side logs, and maintaining security — where those interests are not overridden by your rights and freedoms.
- Consent. Where you optionally connect a source (such as a personal email account or an additional Slack workspace) we will seek your explicit consent before ingesting it.
- Legal obligation. Where processing is required to comply with a legal duty.
7. AI processing
Tribal sends excerpts of your ingested communications to third-party AI model providers to perform inference (extracting Blockers, Tasks, Decisions, and related objects). We take the following steps to protect your data in this context:
- We enter into data processing agreements with AI providers and contractually prohibit them from using your content to train or improve their models.
- Content sent to AI providers is scoped as narrowly as possible to what is necessary for the inference task.
- AI providers process data under our instructions as data processors, not as independent data controllers.
8. Sub-processors
We use the following categories of sub-processors to deliver the Service. We maintain data processing agreements with each.
- WorkOS — authentication and identity management.
- PlanetScale (Postgres) — primary database for the Work Graph and account data.
- Vercel — web application hosting and edge infrastructure.
- Google — OAuth sign-in provider; Google Workspace source integration (future).
- Slack Technologies — source integration; messages are read via the Slack API under your authorisation.
- AI model providers — inference processing (specific providers will be listed here once finalised; all are bound by no-training commitments).
We will update this list when we add or change sub-processors and will give existing users reasonable notice before a new sub-processor is used to process their data.
9. Retention
- Derived Work Graph data (Blockers, Decisions, Tasks, Evidence references, Rationale, Revisions) is retained while your Workspace is active and for up to 30 days after Workspace deletion, after which it is permanently deleted. Database backups are purged on a rolling schedule within the same window.
- Account data is retained for the duration of your account and deleted within 30 days of account closure.
- Raw message content is not retained as a primary record. Transient log entries that may contain message excerpts are retained for up to 90 days for security and operational purposes, then deleted.
- OAuth tokens for connected sources are revoked and deleted when you disconnect a source or delete your Workspace.
10. Your rights
UK / EU residents. Under UK GDPR and GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure ("right to be forgotten") in certain circumstances.
- Portability of your data in a structured, machine-readable format.
- Restriction of processing in certain circumstances.
- Objection to processing based on legitimate interests.
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, email legal@meettribal.com. We will respond within one month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk, or with the supervisory authority in your EU member state.
California residents (CCPA/CPRA). You have the right to know what personal information we collect and how we use it, to request deletion, to correct inaccurate information, and to non-discrimination for exercising your rights. We do not sell or share personal information for cross-context behavioural advertising. To submit a request, email legal@meettribal.com.
11. International transfers
Some of our sub-processors are based outside the UK or EEA. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:
- UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) approved by the European Commission, as applicable.
- Transfers to countries with UK adequacy decisions where available.
You can request details of the safeguards in place for a specific transfer by emailing legal@meettribal.com.
12. Security
We implement technical and organisational measures to protect your data, including:
- Encryption in transit (TLS) and at rest.
- Least-privilege access controls for our team and systems.
- Permission-aware data retrieval — derived objects are only surfaced to users whose Workspace has the appropriate access to the underlying source material.
- Regular review of third-party sub-processor security posture.
No system is completely secure. If you discover a security vulnerability, please report it responsibly to legal@meettribal.com.
13. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us at legal@meettribal.com and we will delete it promptly.
14. Changes to this policy
We may update this policy from time to time. For material changes, we will update the "Last updated" date at the top of this page and send a notice to your registered email address at least 14 days before the change takes effect. For minor changes (such as clarifications or adding new sub-processors with reasonable notice), we will update the date and post the new policy.
15. Contact
For any questions about this policy or to exercise your data rights, please contact:
Meet Tribal
legal@meettribal.com