Privacy Policy

Your privacy is important to us. This policy explains what information we collect, how we use it, and your rights regarding your personal data.

Last updated: May 21, 2026

1. Information We Collect

Account information: When you sign up, we collect your email address, name, and studio details (company name, logo, brand color) that you provide during onboarding.

Usage data: We collect information about how you interact with the Service, including pages visited, features used, and actions taken, to improve the product and detect issues.

Client data you enter: Information you add about your clients and projects (names, contact details, project scopes) is stored on your behalf to power the Service. You are the data controller for this information.

Payment information: Billing is handled by Stripe. We store only your Stripe customer ID and subscription status — never raw card numbers or bank details.

Communications: If you contact us for support, we retain those communications to resolve your issue and improve the Service.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process transactions and send billing-related communications
  • Send transactional emails (intake confirmations, proposal notifications, invoice receipts)
  • Respond to support requests and troubleshoot issues
  • Send product updates and feature announcements (you may opt out at any time)
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not sell your personal data to third parties. We do not use your client data for any purpose other than providing the Service to you.

3. Third-Party Service Providers

We rely on the following third-party services to operate the platform:

  • Supabase — database hosting and authentication. Your data is stored in Supabase's infrastructure.
  • Stripe — payment processing for subscriptions and client invoice payments.
  • Resend — transactional email delivery (intake notifications, proposal sends, invoice emails).
  • Google Analytics — usage analytics. Only loaded after you accept analytics cookies. IP anonymization is enabled. Data is processed by Google in accordance with their privacy policy.
  • Sentry — error tracking and performance monitoring. May capture technical data including user identifiers, browser information, and stack traces when errors occur. Used solely to diagnose and fix issues.
  • Crisp — customer support chat. Processes communication data, IP addresses, and browser information when you use the support chat feature.
  • Google (Gemini AI) — powers the optional AI proposal assistant. When you use an AI feature, the relevant project brief details (scope, deliverables, timeline, budget — not client contact details) are sent to Google's Gemini API to draft proposal line items. We use a paid Gemini API tier; Google does not use this content to train its models.

Each provider processes your data only to the extent necessary to provide their service and is bound by their own privacy policies and data processing agreements. We encourage you to review their policies.

4. Cookies & Tracking

We use cookies and similar technologies to keep you signed in, remember your preferences, and understand how the Service is used. These include:

  • Strictly necessary cookies: Required for authentication and session management. Cannot be disabled.
  • Functional cookies: Remember your settings and preferences.
  • Analytics cookies: Aggregate, anonymized data collected via Google Analytics to understand usage patterns and improve the product. Only loaded after you accept analytics cookies.

You can manage cookie preferences through the cookie banner displayed on your first visit, or through your browser settings. Note that disabling necessary cookies will prevent you from using the Service.

5. Data Retention

We retain your account data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal, tax, or fraud prevention purposes. Anonymized, aggregated usage data may be retained indefinitely.

6. Your Rights

Depending on your location, you may have rights including:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your personal data (subject to legal retention requirements).
  • Portability: Request your data in a machine-readable format.
  • Opt-out: Opt out of marketing communications at any time via the unsubscribe link in any email.
  • California residents (CCPA): You have the right to know what data we collect, the right to delete it, and the right to opt out of sale (we do not sell personal data).

To exercise any of these rights, contact us at hello@firstslate.co. We will respond within 30 days.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These include:

  • Encrypted connections: All data in transit is protected via HTTPS/TLS.
  • Row-level security: Database access controls ensure each producer can only access their own data. No producer can access another producer's clients, projects, invoices, or proposals.
  • Server-side credentials: All sensitive API keys and database credentials are stored server-side only and are never exposed to browsers or clients.
  • Access controls: Administrative access to the platform is restricted to verified team members via email-based allowlists.

However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

8. Share Links & Client-Facing Pages

FirstSlate allows producers to share proposals, invoices, call sheets, and project briefs with their clients via unique links. These links use cryptographically random identifiers (UUIDs) that are statistically impossible to guess — the same model used by services like Notion, Dropbox, and Google Docs shared links.

Access to these pages is controlled entirely by the producer. Only the specific data needed to display that document is returned — no other client data, project data, or producer account details are accessible via these links.

Important: Anyone who obtains a share link can view the linked document. Producers are responsible for sharing links only with their intended recipients. If a link is shared unintentionally, the producer should contact us to have the document recalled or the link invalidated.

9. Children's Privacy

The Service is not directed to children under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or a notice within the Service. The “Last Updated” date at the top of this page reflects the most recent revision. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

11. Contact

For privacy-related questions or to exercise your rights, contact us at hello@firstslate.co or visit our contact page.
