SLIDESHOT [legal]
#

Privacy Policy

Updated March 15, 2026

This Privacy Policy explains how Slideshot collects, uses, stores, and shares personal data when you use the website, app, API, and related services.

```meta
Controller

Ahmed Sulaiman trading as Slideshot

Privacy Contact

ahmed@slideshot.ai

```
##

Contents

- 1. Who We Are - 2. Personal Data We Collect - 3. How We Use Personal Data - 4. AI Processing and Automation - 5. How We Share Personal Data - 6. Security-Sensitive Data Handling - 7. International Transfers - 8. Retention - 9. Your Rights - 10. Cookies and Similar Technologies - 11. Children's Privacy - 12. Changes and Contact
##

1. Who We Are

Ahmed Sulaiman trading as Slideshot is the data controller for the personal data described in this Privacy Policy, unless this policy states otherwise.

If you have privacy questions or want to exercise your rights, contact us at ahmed@slideshot.ai.

##

2. Personal Data We Collect

The information we collect depends on how you use the Service. We may collect the following categories of personal data:

-

Account and identity data: email address, authentication identifiers, and session information associated with your account.

-

Early access and contact data: work email, demo URL, intended use, and other information you submit through our early access or contact forms.

-

Run request data: target URLs, goals, run options, timestamps, statuses, and error messages linked to the runs you create.

-

Artifacts and generated outputs: files and metadata created during a run, which may include events.jsonl, trace.zip, raw.mp4, demo.mp4, plan.json, generated-playwright.ts, and related file metadata.

-

Credential data: credential labels, target domains, login email addresses, and encrypted passwords that you choose to store for authorised use.

-

One-time authentication inputs: OTP codes, magic-link URLs, or similar transient values you submit when a run pauses for authentication. These values are stored in encrypted form when persisted.

-

Reusable browser session data: encrypted browser storage snapshots for target domains, which can include cookies, local storage, and IndexedDB data captured from successful runs.

-

Technical and usage data: IP address, browser and device details, request metadata, and operational logs generated when you access the website, app, or API.

##

3. How We Use Personal Data

We use personal data to operate and improve the Service, including to authenticate users, queue and execute runs, return artifacts, provide support, secure the Service, investigate misuse, and communicate with you.

Where UK data protection law applies, our main legal bases are: contract (to provide the Service you requested), legitimate interests (to secure, maintain, debug, and improve the Service and communicate with users), consent where required for specific communications, and legal obligation where processing is required by law.

##

4. AI Processing and Automation

Slideshot uses AI-assisted planning as part of some run execution flows. Depending on the run, we may send model providers information needed to plan actions, such as your goal, the target URL, page observations, action history, and other runtime context required to complete the task.

We take steps to avoid exposing raw secrets in model-facing context. Stored passwords, one-time authentication inputs, and other sensitive values are handled separately and are redacted from model-facing planning history and related artifacts where our systems are designed to do so.

##

5. How We Share Personal Data

We share personal data only as needed to operate the Service, comply with law, or protect rights and safety.

We do not sell personal data or share it for cross-context behavioural advertising.

-

Infrastructure providers: we use Supabase for authentication and database services.

-

Storage providers: we may store artifacts in local storage during processing and in S3-compatible object storage in deployed environments.

-

AI providers: we use OpenAI or another configured model provider to support planning and execution workflows.

-

Email and waitlist tools: we use Listmonk to manage early access and related contact submissions.

-

Professional advisers and authorities: we may disclose data where reasonably necessary for legal compliance, enforcement, fraud prevention, or the protection of rights, property, and safety.

-

Business transfers: if the business is sold, transferred, or reorganised, relevant data may be transferred as part of that transaction, subject to applicable law.

##

6. Security-Sensitive Data Handling

We use technical and organisational measures designed to protect personal data. In particular, stored passwords, one-time authentication inputs, and reusable browser session snapshots are encrypted before being stored by our systems.

Credential records remain associated with your account until you delete them or they are otherwise removed. One-time authentication inputs are designed to be cleared after consumption, run completion, or timeout. Reusable browser session snapshots are designed to expire automatically after a limited period.

No system is completely secure, and we cannot guarantee absolute security.

##

7. International Transfers

Our service providers may process personal data outside the UK. Where we transfer personal data internationally, we aim to rely on lawful transfer mechanisms and safeguards required under applicable data protection law.

##

8. Retention

We keep personal data for as long as reasonably necessary for the purposes described in this policy, including to provide the Service, keep records, resolve disputes, enforce agreements, and comply with legal obligations.

-

Account data, run history, and artifact metadata are generally retained until account closure, deletion request, or when they are no longer needed for operational or legal purposes.

-

Artifacts and generated outputs may remain available until deleted by us, removed under an applicable policy, or no longer needed for service operation.

-

Stored credentials remain until you delete them, your account is deleted, or they are otherwise removed.

-

Reusable browser session snapshots are designed to expire automatically after their configured retention window.

-

Waitlist and early access records are retained until you unsubscribe, ask us to delete them, or they are no longer needed.

##

9. Your Rights

Depending on where you are located, you may have rights to access, correct, delete, restrict, or object to our use of your personal data, and to request portability of certain data. You may also withdraw consent where we rely on consent.

To exercise rights, contact us at ahmed@slideshot.ai. We may need to verify your identity before acting on a request.

If you are in the UK, you also have the right to complain to the UK Information Commissioner's Office if you believe your personal data has been handled unlawfully.

##

10. Cookies and Similar Technologies

The Service may use cookies or similar browser storage that are necessary for authentication, session continuity, security, and related product functionality. Browser session reuse features may also store encrypted browser state associated with target domains so later runs can reuse that state.

This Service is not built around targeted advertising. If we materially change how we use cookies or similar technologies, we will update this policy and any relevant notices.

##

11. Children's Privacy

Slideshot is intended for professional and business use and is not directed to children. If you believe a child has provided personal data to us, contact us so we can investigate and take appropriate steps.

##

12. Changes and Contact

We may update this Privacy Policy from time to time. When we do, we will post the revised version on this page and update the effective date above.

If you have questions about this Privacy Policy or our data practices, contact us at ahmed@slideshot.ai.