Privacy Policy

1. Introduction

FROST THE BRAND LLC (“Frosty,” “we,” “us,” or “our”) operates Frosty, an autonomous AI coworker service (the “Service”) available as a web app and a Slack integration that connects to the business tools you authorize. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use the Service, and your rights and choices. By using the Service, you agree to the practices described here.

“Customer Data” means data submitted to or processed by the Service on your behalf, including connection credentials (such as OAuth tokens), account and workspace identifiers and settings, files and apps (Spaces) created in Frosty, conversations and outputs, automations and approval decisions, and service logs.

2. Information We Collect

We collect only what we need to provide, maintain, and secure the Service.

• Account and workspace information: your name and email (through our authentication provider) when you create an account or join a workspace, your workspace/organization identifiers, and the identifiers of users who interact with Frosty.
• Connection credentials: access tokens and scopes for the integrations you enable (including Slack and any apps connected through our integration provider). Integrations are workspace-shared, so related credentials and settings may be used by authorized members of your workspace through Frosty. We never send your account passwords or raw credentials to the AI model.
• Content and records inside Frosty: the messages, instructions, and files you give Frosty; the work it produces (reports, dashboards, hosted Spaces); conversation threads and tool calls; automation configurations; and approval or rejection decisions.
• Slack message content (if you connect Slack): message content from channels where Frosty is invited, direct messages to Frosty, and thread replies, used to process your requests and maintain context.
• Service logs and usage data: operational and security logs (timestamps, errors, request metadata) and usage events (tasks run, credits used, features used) needed to operate, secure, and improve reliability.
• Communications with us: information you provide when you contact support.
• Website, analytics, and advertising data: when you visit our site, use our product, or begin signup or checkout, we and the third-party tools we use may collect cookies, pixels, and similar online identifiers, device and browser metadata, IP address, pages viewed, interaction events, and referral or campaign identifiers, used for analytics, advertising measurement, and referral attribution.

Sensitive data: we do not knowingly collect sensitive personal data (such as financial account numbers, health data, or children's data) unless necessary for the Service and provided by you.

3. How We Use Your Information

• Provide and operate the Service: authenticate users and workspaces, maintain the integrations you enable, run tasks, generate outputs, and maintain context.
• AI processing: relevant portions of Customer Data may be processed by AI systems to produce responses and outputs at your direction. We do NOT use Customer Data for advertising, and we do NOT train our own or any third-party foundation models on Customer Data.
• Security and integrity: detect and prevent fraud, abuse, and unauthorized access, investigate incidents, and maintain audit trails.
• Service improvement: using aggregated or de-identified data that cannot reasonably identify you.
• Communications: service-related messages (product, security, billing, and administrative) and customer support.
• Analytics, advertising, and attribution: measure product and website usage and campaign performance, run and measure advertising, attribute signups and subscriptions (including to our affiliate program and ad campaigns), and prevent abuse of our marketing and referral programs.
• Compliance and protection: comply with law, enforce our Terms, and protect the rights, safety, and property of our users and Frosty.

4. How We Disclose or Share Information

We never use your Customer Data (your conversations, files, and connected-app content) for advertising, and we do not sell your Customer Data. We do use third-party analytics, advertising, and attribution tools that collect online identifiers and usage data about your visits to our website and product, as described below. Otherwise, we share information only as needed to provide and support the Service, with appropriate safeguards.

A. Service providers (subprocessors). We use vendors to host and operate the Service. They may process Customer Data on our behalf solely to provide, secure, and support the Service:

• Anthropic: AI processing (generating responses, reports, and actions from the prompt and context for your requests).
• Clerk: authentication and identity (sign-in, account and workspace identifiers).
• Composio: third-party app integrations (OAuth tokens and actions for the apps you connect).
• E2B: secure sandboxed compute, where Frosty builds and runs work, including browser automation.
• Stripe: payments and billing (billing contact and transaction metadata; full card details are handled by Stripe, not stored by us).
• Resend: transactional email (magic links, approvals, notifications).
• Cloudflare: CDN, DNS, and edge security (network metadata and request logs).
• Railway: hosting and storage (the application, logs, and stored workspace data).
• Slack: the Slack integration (messages and metadata where Frosty is used), if you connect it.

Apps you connect (such as Google, Microsoft, a CRM, or an ad platform) are accessed only under the authorization you grant, through our integration provider, and are governed by each provider's own terms.

B. AI provider details. When you use AI features, the prompt and context needed to generate an output are sent to our AI provider (Anthropic). Anthropic processes data in the United States, may briefly retain it per its API policy for security and abuse monitoring, processes each request in isolation (not visible to other customers), and does not use it to train its models.

C. Analytics, advertising, and attribution. We use third-party analytics, advertising, and attribution tools, which may include Google Analytics, Hyros, and advertising platforms such as Google and Meta, to measure usage, run and measure advertising campaigns, and attribute signups and subscriptions. These tools may receive online identifiers, device and event metadata, and referral or campaign data. Depending on where you live, some of this may be considered a “sale,” “sharing,” or “targeted advertising” under applicable law, and you may have the right to opt out (see Your Rights and Choices). You can manage cookies in your browser, and where required we provide a cookie-consent control. We never use your Customer Data (conversations, files, or connected-app content) for advertising.

D. Slack platform. The Service integrates with Slack via Slack OAuth 2.0 and Slack APIs, subject to Slack's terms and privacy policy. We access Slack data only after you grant permission, and you can revoke access at any time in Slack App Management. Slack APIs are not used to develop, improve, or train generalized AI or ML models.

E. Legal compliance and protection. We may disclose information if required by law or valid legal process, or to protect the rights and safety of users and the public, prevent fraud, or enforce our Terms.

F. Business transfers. If Frosty is involved in a merger, acquisition, financing, restructuring, or sale of assets, information may be disclosed to advisors and successors, subject to appropriate confidentiality protections.

G. Third-party links. The Service may link to third-party websites or services; we are not responsible for their privacy practices.

5. Data Storage and Security

Customer Data is stored in the United States with reputable cloud providers, using encryption and access controls appropriate to the data. We maintain industry-standard safeguards:

• Encryption in transit (TLS 1.2+ / 1.3) and at rest.
• Access controls: least-privilege access and multi-factor authentication on administrative systems.
• Isolation between workspaces (tenants) so one customer's data is not exposed to another.
• Secure storage of connected-account tokens.
• Audit logging, monitoring, and an incident-response process, including notification to affected customers or authorities where required by law.

You are responsible for maintaining appropriate security in your own Slack workspace and connected accounts (for example, channel access and admin permissions). No method of transmission or storage is completely secure, but we work continuously to protect your data.

6. Data Retention

We retain Customer Data only as long as needed to provide the Service, meet our obligations, and comply with law.

• Active systems: when an account is closed or we receive a verified deletion request, we delete Customer Data from active production systems, typically within about 30 days.
• Backups: any backups we maintain for business continuity are encrypted and are purged as they age out on their normal rotation.
• Exports: where legally permitted, you may request an export before deletion.
• Derived data: derived data (such as indexes or embeddings) is deleted or disassociated when the underlying Customer Data is deleted, subject to backup rotation and legal obligations.

7. Your Rights and Choices

Depending on where you live, you may have rights to access, correct, delete, or export your personal data, and to object to or restrict certain processing.

• Access and correction: request a copy of, or correction to, the personal data we hold about you.
• Deletion: delete your account and its data from the Account page at any time. For workspace-level data, we may require the request to come from an authorized workspace administrator or account owner.
• Withdraw consent / disconnect: uninstall the Slack app or disconnect an integration to stop new collection from that source. This does not by itself delete previously stored data, which we remove per Section 6.
• Marketing preferences: opt out of marketing messages at any time; you will still receive essential service communications.
• Opt out of sale, sharing, or targeted advertising: where applicable, you may opt out of the “sale” or “sharing” of your personal information and of targeted advertising, using our cookie controls and any “Do Not Sell or Share My Personal Information” option we provide. We honor recognized browser opt-out signals (such as Global Privacy Control) where required by law.
• Data portability: where required by law (such as GDPR), request a copy of your data in a machine-readable format.
• Authorized agents and U.S. state rights: where permitted, you may use an authorized agent, and residents of certain U.S. states may have rights to know, access, delete, correct, and opt out of certain uses. We will not discriminate against you for exercising your rights.
• EEA / UK rights: you may also object to or request restriction of certain processing and lodge a complaint with your local supervisory authority.

To exercise any of these, email support@heyfrosty.ai. After a verifiable request we will respond within the timeframe required by law (typically within 45 days, with a permitted extension where allowed). If we deny a request, you may appeal by emailing support@heyfrosty.ai with “Privacy Appeal” in the subject line.

8. Children's Privacy

The Service is intended for business use by adults and is not directed to children. We do not knowingly collect personal data from anyone under 18 (or the age of majority in their jurisdiction, if higher). If we learn we have, we will delete it promptly. Contact support@heyfrosty.ai if you believe a child has provided personal data.

9. International Users and GDPR / UK GDPR

FROST THE BRAND LLC is based in the United States and may process personal data in the U.S. If you are in the EEA or UK, we process personal data under one or more legal bases, including performance of a contract (providing the Service you request), consent (such as connecting Slack via OAuth and certain non-essential cookies where required), and legitimate interests (security, fraud prevention, and improving reliability), balanced against your rights. Where required for cross-border transfers, we use appropriate safeguards such as Standard Contractual Clauses, and we will appoint an EU/UK representative and update this Policy if required by law.

10. Slack Marketplace Compliance

If you connect Slack, Frosty accesses the following Slack data for the purposes shown:

• Messages in channels where Frosty is invited: process requests and provide AI assistance.
• Direct messages to Frosty: respond to direct interactions.
• Thread replies: maintain context for requested actions.
• User profile information: identify users and personalize responses.
• Channel information: understand context and permissions.
• Files and file metadata (when you request): process attachments and uploads or downloads.

Our commitments: we use Slack data only to provide and operate the Service; we do not sell Slack data; we do not use Slack data for advertising; we affirm Slack APIs are not used to develop, improve, or train generalized AI or ML models; and we do not train our own or any third-party foundation models on Customer Data. You can uninstall Frosty or revoke access at any time in Slack App Management; after revocation we stop collecting new Slack data immediately, and previously stored data is deleted per Section 6.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by appropriate means (such as notifying workspace administrators or emailing the address associated with the account). The “Last updated” date reflects the most recent revision, and your continued use of the Service after changes take effect indicates acceptance.

12. Contact

Questions or requests about this Privacy Policy or our data practices: email support@heyfrosty.ai.

FROST THE BRAND LLC, 7150 E Camelback Rd, Unit 444, Scottsdale, AZ 85251, USA.