FindTopicsSign in
Legal

Privacy policy

What we collect, why we collect it, and what you can do about it. In plain English, not lawyer-speak.

This policy covers everything inside the EmojiBox umbrella: the emojibox.app website, the EmojiBox Slack app, and the EmojiBox for Slack browser extension. EmojiBox is operated from New Zealand.

01What we collect

When you sign in via Slack

We receive your name, email, profile picture, Slack user ID, and the team you signed in with (Slack team ID, name, domain, and team icon URL). We also record the timestamp of each sign-in plus a sign-in counter so we can tell active accounts from dormant ones.

When EmojiBox is installed in your Slack workspace

We receive metadata about your custom emoji: the emoji shortcode, the image URL Slack hosts it at, who uploaded it, when it was created, and a perceptual hash of the image (so we can detect duplicates). We mirror the image bytes to our own storage so emoji pages keep working if Slack rotates its CDN URLs.

If you or a teammate adds a description to an emoji, we store that description. If you subscribe a Slack channel to new-emoji notifications, we record which channel and who subscribed it.

When you use the website

We collect product analytics through PostHog: pages viewed, buttons clicked, time on page. Analytics are proxied through emojibox.app/ingest so they look first-party to your browser. Profiles are only created for signed-in users (PostHog identified_only mode).

Server logs and errors on the API are sent to Sentry. We don't log emoji image contents or descriptions. Just request paths, status codes, and stack traces.

When you use the browser extension

The extension reads things from your browser to do its job, but those things stay in your browser. None of the data below is sent to EmojiBox servers.

  • Your Slack session. When you have Slack web open, the extension reads the api_token from the page's boot_data and uses it directly from the extension's service worker to call Slack's API. Stored in chrome.storage.session (wiped when Chrome restarts). Never transmitted to EmojiBox.
  • Workspace metadata. Team ID, domain, name, and icon. Same scope as above, local cache only.
  • The list of emoji your workspace already has. Fetched once via Slack's emoji.adminList so the extension can skip names that already exist. Cached locally; not sent to us.
  • Image bytes.When you click "Push to Slack," the extension fetches the emoji image, posts it to Slack's emoji.add, and discards the bytes. Nothing is retained.

The extension's only Chrome permission is storage. Its host permissions are limited to Slack, EmojiBox, and our Azure blob storage. It never injects scripts into pages outside those origins.

02How we use it

To operate the service:

  • Show you your team's emoji and lore on the website and inside Slack.
  • Post notifications to channels you've subscribed when new emoji land in your workspace.
  • Render public emoji pages for indexing. The public market is intentionally crawlable and a key way teams discover EmojiBox.
  • Diagnose bugs, prevent abuse (rate limits, etc.), and decide what to build next based on aggregate usage.

We don't use your data for advertising, profiling, automated decision-making, or anything unrelated to the service.

03Public vs. private

Emoji uploaded to your Slack workspace are private to your team by default. If a teammate publishesan emoji to the public market, that emoji's shortcode, image, and description become accessible at emojibox.app/market. We mention this on the publish action so it isn't a surprise. The uploader's name and avatar are not attached to public listings.

You can unpublish a public emoji at any time from your team dashboard, or by emailing data@emojibox.app.

04Subprocessors

We share data with the following processors so the service can run. We have data-protection agreements with each.

  • Microsoft Azure (Australia East): application hosting, PostgreSQL, blob storage for emoji images. Encrypted at rest and in transit.
  • Auth0 (Okta): authentication. Brokers the Slack OAuth flow and issues the access token your browser uses to call our API.
  • Slack: the integration we serve. We hold an OAuth token per workspace so the EmojiBox bot can read emoji and post messages.
  • PostHog: product analytics. Events are proxied through our own domain.
  • Sentry: server-side error monitoring on the API.
  • Vercel: hosting for the website.

We don't sell your data. We don't share it for advertising. We share it with these processors strictly so we can run the parts of the service they power.

05Cookies

The website sets a small number of cookies. None are for ads.

  • Session cookiesset by Auth0 to keep you signed in. Essential; without them you can't use the dashboard.
  • First-party PostHog cookies for product analytics. Set on .emojibox.app; readable only by us.

The browser extension does not set any cookies of its own. It does read your existing Slack session cookie (via host_permissions) so it can authenticate to Slack on your behalf. That cookie stays in your browser; we never receive it.

06Retention

We keep account and emoji data for as long as your team uses EmojiBox. If your team uninstalls the Slack app, we keep your data for 30 days in case you reinstall, then delete it. Public emoji pages and their images may persist after deletion if they've been published to the market. Email us to unpublish them.

Server logs (Sentry, request logs) are retained for 90 days. Analytics events (PostHog) are retained for 12 months in raw form; aggregates may be retained indefinitely.

07Your rights

Under GDPR (EU/UK) and the New Zealand Privacy Act 2020, you can ask us to:

  • show you what we hold about you,
  • correct anything that's wrong,
  • delete your account and data,
  • export your data in a portable format,
  • stop processing your data for any non-essential purpose (e.g. analytics).

Email data@emojibox.app with the request. We respond within 30 days.

08Security

All traffic to and from emojibox.app, our API, and our blob storage is over TLS. Stored data is encrypted at rest by the underlying Azure managed services. Slack tokens and OAuth refresh tokens are encrypted with a key held outside the database. EmojiBox does not collect or store payment information; there is no paid tier yet.

09Children

EmojiBox is built for use inside workplaces and adult communities on Slack. We don't knowingly collect data from anyone under 13. If you believe we have, email data@emojibox.appand we'll delete it.

10Changes to this policy

When we make material changes (new subprocessors, new categories of data, new retention windows), we'll update the "last updated" stamp below and post a heads-up on the website. The current version is always at emojibox.app/privacy.

11Contact

For privacy questions, requests, or to flag a concern, email data@emojibox.app. For other questions, see support.

Last updated · 2026-05-09