Data security & Privacy statement v3

Effective since Jul 27, 2024.

Previous version of the statement: Data Security and Privacy Statement - Planning Poker v2. Please check list of changes in Data Security and Privacy Statement: v2 to v3 for the details on what’s changed in the new version of the statement.

Introduction

This Privacy Policy supplements the Appfire Privacy Policy and explains what information Appfire Technologies, LLC ("Vendor") collects about you and why, what we do with that information, and how we handle the content you place in Planning Poker ("Add-On").   In the event of a conflict between the terms of this Privacy Policy and the Appfire Privacy Policy, the terms of this Privacy Policy shall control.

Scope of Privacy Policy

This Privacy Policy applies to the information that we obtain through your use of the "Planning Poker". By using "Planning Poker" you consent to the collection, processing, storage, disclosure, and other uses described in this Privacy Policy.

Definitions

The App: a bundle of code, resources and configuration files that can be used with an Atlassian product to add new functionality or to change the behavior of that product's existing features, which is the "Planning Poker" in the scope of this document.

Content: any information or data that you upload, submit, post, create, transmit, store or display in an Atlassian Service.

Information: all of the different forms of data, content, and information collected by us as described in this Privacy Policy.

Personal Information: information that may be used to identify or contact you as a natural person, such as: name, address, email address, or phone number. Personal Information does not include information that has been anonymized such that it does not allow for the ready identification of specific individuals.

Changes to our Privacy Policy

We may change this Privacy Policy from time to time. If we make any changes, we will notify you by revising the "Effective Starting" date at the top of this Privacy Policy.

If you disagree with any changes to this Privacy Policy, you will need to stop using Atlassian Services and deactivate your account(s), as outlined below.

Information available to us:

Atlassian Marketplace Information

  • Contact information such as name, email address, mailing address, and phone number

  • Billing information such as credit card details and billing address

  • Jira host details (as prescribed by the Atlassian Connect Guidelines)

    • description

    • eventType

    • productType

    • baseUrl

    • pluginsVersion

    • serverVersion

    • sharedSecret

    • publicKey

    • clientKey

Content

We collect and store Content that you create, input, submit, post, upload, transmit, store or display in the process of using the App or Websites. Such Content includes any Personal Information or other sensitive information that you choose to include ("incidentally-collected Personal Information").

Other submissions

We collect other data that you submit to us, such as surveys, activity or event, request customer support, communication with us via third party social media sites or any other form of communicating with us. For example, information regarding a problem you are experiencing with the App could be submitted to our issue tracker or sent via email.

Information we collect from your use of the App:

Web Logs

As is true with most websites and services delivered over the Internet, we gather certain information and store it in log files when you interact with the App. This information includes internet protocol (IP) addresses as well as browser type, internet service provider, URLs of referring/exit pages, operating system, date/time stamp, information you search for, locale and language preferences, identification numbers associated with your Devices, your mobile carrier, and system configuration information, the URLs you accessed (and therefore included in our log files) include usernames as well as elements of Content (such as Jira project names, project keys, status names, and JQL filters) as necessary for the App to perform the requested operations. Occasionally, we connect Personal Information to information gathered in our log files as necessary to improve App Services for individual customers. In such a case, we would treat the combined Information in accordance with this privacy policy. Logs are kept for the past 30 days.

Analytics Information

We collect analytics information when you use the App to help us improve our products and services. This analytics information consists of the feature and function of the App being used, the associated license identifier (SEN) and domain name, the username and user data available from the Jira REST API. The analytics information we collect includes elements of Content related to the function the user is performing. As such, the analytics information we collect may include Personal Information or sensitive business information that the user has included in Content that the user chose to upload, submit, post, create, transmit, store or display in the App.

As of the date this policy went into effect, we use Amplitude, LogRocket and Pendo as analytics providers. To learn more about the privacy policy of Amplitude, refer to Amplitudes's Policies and Principles.  To learn more about the privacy policy of LogRocket, refer to LogRocket Privacy Policy. To learn more about data privacy of Pendo, refer to Pendo Data Privacy and Security.

Analytics Information Derived from Content

Analytics information also consists of data we collect as a result of running queries against Content across our user base for the purposes of generating Usage Data. "Usage Data" is aggregated data about a group or category of services, features or users that does not contain Personal Information.

Though we may happen upon sensitive or Personal Information as we compile Usage Data from Content across user instances, this is a byproduct of our efforts to understand broader patterns and trends. It is not a concerted effort by us to examine the Content of any particular customer.

Tracking Technologies

We utilize session storage, local storage and IndexedDB to store user session data and facilitate a seamless user experience. These technologies help maintain your session state, allowing you to stay logged in and use the App without needing to re-enter your credentials during active sessions. Session storage temporarily stores data while you are using the App, and IndexedDB is used for more persistent storage of data for improved performance and offline capabilities.

You can instruct your browser to manage or block certain data storage mechanisms, including session storage, local storage and IndexedDB. However, disabling these features may affect your ability to use certain functionalities of the App. Your browser may also have built-in tools to manage local storage and other tracking technologies used by the App.

How we use the information we collect

General Use

We use the Information we collect about you (including Personal Information to the extent applicable) for a variety of purposes, including to:

  • Provide, operate, maintain and improve the App;

  • Enable you to access and use the App, including uploading, downloading, collaborating on and sharing Content;

  • Process and complete transactions, and send you related information, including Release Notes and Feature Prompts;

  • Send transactional messages, including responding to your comments, questions, and requests; providing customer service and support; and sending you technical notices, updates, security alerts, and support and administrative messages;

  • Send promotional communications, such as providing you with information about services, features, surveys, newsletters, offers, promotions, contests, events and sending updates about your team and chat rooms; and providing other news or information about us and our selected partners;

  • Monitor and analyze trends, usage, and activities in connection with the App and for marketing or advertising purposes;

  • Investigate and prevent fraudulent transactions, unauthorized access to the App, and other illegal activities;

  • Personalize the App, including by providing content that matches your interests and preferences;

  • Enable you to communicate, collaborate, and share Content with users you designate; and

  • For other purposes about which we obtain your consent.

Notwithstanding the foregoing, we will not use Personal Information appearing in our Analytics Logs or Web Logs for any purpose. The use of Information collected through our Atlassian Services shall be limited to the purposes disclosed in this policy.

Compiling aggregate analytics information

To better comply with the Atlassian Marketplace, we make extensive use of analytics information (including log and configuration data) to understand how the App is being configured and used, how it can be improved for the benefit of all of our users, and to develop new products and services. As such we generate Usage Data (as defined above) from the web logs and analytics logs described above, including the Content elements captured in such logs, as well as from the Content stored in the App.

Information sharing and disclosure

We will not share or disclose any of your Personal Information or Content with third parties except as described in this policy. We do not sell your Personal Information or Content.

Your Use

 When you use the App, the Content you provide will be displayed back to you. 

Collaboration

As a natural result of using the App, you may create Content that other users of your Jira instance can access for the purposes of collaboration. Some of the collaboration features of the App display your profile information, including Personal Information included in your profile, to users with whom you have shared your Content

Service Providers, Business Partners, and Others

We work with third-party service providers to provide website, application development, hosting, maintenance, back-up, storage, virtual infrastructure, payment processing, analysis and other services for us. These service providers may have access to or process your Information for the purpose of providing those services for us. This list includes:

Information we do not share

We do not share Personal Information about you with third parties for their marketing purposes (including direct marketing purposes).

Data storage, transfer and security

Cloud App hosts data with Google Cloud Platform service providers in us-central1 region (Council Bluffs, Iowa, North America) in United States. The servers on which Personal Information is stored are kept in a controlled environment. While we take reasonable efforts to guard your Personal Information, no security system is impenetrable and due to the inherent nature of the Internet as an open global communications vehicle, we cannot guarantee that information, during transmission through the Internet or while stored on our systems or otherwise in our care, will be absolutely safe from intrusion by others, such as hackers. In addition, we cannot guarantee that any incidentally-collected Personal Information you choose to store in the App is maintained at levels of protection to meet specific needs or obligations you may have relating to that information.

Where data is transferred over the Internet as part of the App, the data is encrypted using industry-standard SSL (HTTPS).

Data flow

The app installs a "connector" into the customer Jira, which then communicates with our APIs (via an iframe basically). This is how all Atlassian Connect apps work.

The API services are hosted in Google Cloud Platform. Data is stored in Firebase Realtime DB service provided by Google Cloud Platform.

Here's a high-level overview of what is happening under the hood (Cloud edition).

Planning Poker API stores the following data:

  • All user-generated data while in-game (estimation scores, game names)

  • Issues Identifiers only (e.g. SSP-1, SSP-2 etc.)

  • User Identifiers only (e.g. 6cc40a26-6e1b-4aae-aa3d-2f00c15a745f etc.)

These IDs are used for the following:

planning-poker (1).png

 

  • When the user loads the game from the Planning Poker API, they receive all relevant Game Session information represented by the IDs (issue IDs and user IDs). After that, JavaScript code in the user's browser executes a call to the Jira REST API to fetch all the information about the Issue and to populate it into the Number 1 on the screenshot. This communication happens only between the user browser and the Jira REST API.

  • Same logic applies to the population of Game Players section — Number 2  on the screenshot.

  • Estimation context (Number 3) is basically just a search from the current user browser against the Jira REST API.

  • Estimation Backlog and Archive (Number 4) is represented by the issue IDs. When a used clicks on any of the IDs, the required data is pulled via the current user browser JavaScript from the Jira REST API (no outgoing requests).

There are also other views in the Planning Poker where the issues information is displayed (such as Estimation Backlog Details), but the logic there is the same as described above.
Therefore, the only outgoing information from Jira is the anonymised IDs, the rest happens between the user browser and Jira REST API (within the same network).

A rough illustration of this communication is attached below.

Planning Poker for Jira DC:

PlanningPokerDC.png

Planning Poker for Jira Cloud: