Mootivation Technologies Corp.

Canada

Mootivation Technologies Inc. (“Mootivation”) retains Customer Data collected through the Celebrio Slack app as outlined below. Unless we have agreed to a shorter period in writing, these retention limits apply to every workspace: Slack‑Provided Data • Includes workspace IDs, user IDs, display names, email addresses (if the scope is granted), and the interaction payloads you actively send to Celebrio (slash commands, button clicks, etc.). • Retention: for as long as the workspace keeps Celebrio installed, plus 90 days. • Deletion: when Celebrio is uninstalled or a workspace admin requests erasure. OAuth tokens are revoked immediately; data is queued for deletion within 24 hours, removed from production systems within 30 days, and purged from encrypted backups within 90 days. Service Data • Includes points balances, recognitions, reward redemptions, usage logs, and IP addresses captured by our web dashboard. • Retention and deletion follow the same timeline as Slack‑Provided Data (workspace life + 90 days, then the same purge flow). Support & Ticket Data • Includes names, email addresses, ticket content, and any attachments you send to our support channels. • Retention: 2 years after a ticket is closed. • Deletion: we delete records automatically at expiry or sooner on verified request. Financial & Accounting Records • Includes reward‑store transactions, invoices, and other accounting entries required for compliance. • Retention: 7 years, as mandated by statutory financial regulations. • Deletion: records are removed once the legal obligation ends. Aggregated / Anonymised Analytics • Contains only de‑identified usage metrics with no personal data. • Retention: indefinite (because it is non‑identifiable). Key Controls and Customer Options • Early deletion on demand: Workspace owners can email [privacy@celebrio.team]at any time to request partial or full data erasure. We act within 30 days and provide written confirmation once finished. • Data minimisation: Celebrio stores only the data explicitly sent to it via interactive components; it never reads general Slack message history or files. • Back‑up lifecycle: All backups are encrypted (AES‑256) and automatically aged out after 90 days, guaranteeing complete removal within that timeframe. • Compliance alignment: These retention limits satisfy GDPR Art. 5(1)(e), CCPA, and Slack Marketplace requirements for clear retention schedules and uninstall‑driven deletion. This policy ensures we keep customer data only for as long as necessary to deliver Celebrio, comply with law, and support legitimate business needs, after which we securely and irreversibly delete it.

Mootivation Technologies Inc. (“Mootivation”) removes customer data in accordance with strict timelines and technical controls designed to meet industry standards, GDPR, CCPA, and Slack Marketplace requirements. Uninstall‑Triggered Deletion – When a workspace removes Celebrio, OAuth tokens are revoked instantly, blocking any further data collection. All workspace‑scoped data (recognitions, points, reward records, logs) is placed in a deletion queue within 24 hours. Customer‑Initiated Erasure – Workspace Owners/Admins may email privacy@celebrio.team at any time to request full or partial data deletion. We verify the request, then follow the same deletion workflow as above. Production Purge Window – Queued data is permanently deleted from live databases and object storage within 30 days of the trigger event. Backup Lifecycle – Encrypted backups exist solely for disaster‑recovery purposes. They are automatically aged out and overwritten on a rolling 90‑day cycle, ensuring all deleted data disappears from backups within that period. No Cold Archiving – We do not move customer‑identifiable data to long‑term offline archives. If data is no longer needed for service delivery, legal, or accounting obligations, it is destroyed rather than archived. Deletion Verification – Upon completion, we send written confirmation to the requester or the workspace’s Primary Owner. Logging & Audit – All deletion events are logged internally and reviewed for compliance as part of our annual security audit. Secure Destruction Standards – Data in storage is erased using cryptographic erasure; cloud objects are deleted via provider APIs guaranteeing physical‑media sanitization. This policy ensures customer data is retained only for its intended purpose, then securely and irreversibly removed on uninstall, request, or at the end of the defined retention period.

Mootivation Technologies Inc. (“Mootivation”) will store customer data in accordance with the following practices: Hosting locations – All production systems run in Microsoft Azure data centres located in Canada (primary) with encrypted replicas in the Netherlands. No customer‑identifiable data is stored outside these jurisdictions. Encryption in transit & at rest – Every connection to Celebrio uses TLS 1.2+; all databases, file objects, and backups are encrypted at rest with AES‑256 or stronger. Encryption keys are managed through Azure Key Vault and rotated at least annually. Tenant segregation – Workspace data is logically isolated by unique identifiers; each request is scoped to its workspace context, preventing cross‑tenant access. Access controls – Production access is limited to a small operations team. Secure backups – Encrypted backups are maintained solely for disaster‑recovery purposes, stored in the same regions, and follow a rolling 90‑day retention before automatic overwrite (see Data Archival & Removal Policy). Data minimisation – Celebrio stores only the interaction payloads explicitly sent to the app; it does not ingest or persist general Slack message history, files, or passwords. Sub‑processor assurances – All infrastructure and service providers are ISO 27001 or SOC 2 certified and contractually bound to equivalent security controls and confidentiality obligations. Monitoring & hardening – Continuous vulnerability scanning, intrusion detection, and quarterly patch cycles ensure environments remain up‑to‑date and hardened against emerging threats. Compliance alignment – Storage practices satisfy GDPR Art. 32, CCPA, and Slack Marketplace requirements for secure, region‑bound data handling. These measures ensure customer data remains secure, encrypted, and region‑restricted for the entire period it is stored by Celebrio.

Canada, Netherlands

Cloud hosted

Azure

no

no

When someone requests for Mootivation to delete personal data, we will respond via email within 72hrs. Our first recommendation is for the user to ask their organization to delete their user profile from our dashboard. If that's not an option, we will delete the user profile from their organization's account. At first, the user's profile data is soft deleted for a period of 14 days. After that time, our servers will automatically delete the user profile and any associated data.

no

no

no

security@celebrio.team

no

no

no

None

no