Jira Privacy

Atlassian (Jira Cloud) Integration – Privacy Addendum

This addendum describes how we process personal data when you connect your Jira Cloud instance to your Upvoty project.

1) Scope and Roles

  • This addendum applies only to data processed through the Jira Cloud integration.

  • For Jira user-related data, Upvoty acts as a data processor on behalf of the customer (the Jira site/project owner). The customer remains the data controller.

2) Categories of Personal Data We Process

  • Atlassian account identifier of the authorizing user: accountId.

  • OAuth 2.0 credentials tied to the authorizing user: access token, refresh token, token metadata (expiry, token type, granted scopes), Jira cloudId.

  • Minimal webhook metadata provided by Jira (e.g., issue key, issue type id, status id, timestamps). We deliberately avoid storing Jira user profile attributes (names, emails, avatars).

  • We do not copy or persist Jira user emails or display names received in webhook payloads. Any incidental appearance in transient logs is minimized and not retained beyond operational necessity.

3) Purposes of Processing

  • Authenticate and maintain the Jira connection (OAuth).

  • Create or link Jira issues to Upvoty feedback and synchronize statuses between systems.

  • Operate webhooks for near real-time updates and ensure integration health.

  • Fulfill data subject requests (export/delete) initiated by customers or Atlassian under their Personal Data Reporting processes.

  • Security, fraud prevention, and service reliability (e.g., abuse-rate limiting, diagnostics).

4) Legal Bases

  • Performance of a contract: providing the Jira integration you enabled.

  • Legitimate interests: ensuring security, integrity, and reliability of the integration.

  • Where required, your consent to connect the integration and grant scopes.

5) Retention and Deletion

  • Integration credentials (accountId, tokens) are retained only while the integration remains connected or until revoked/expired.

  • Upon integration removal or a deletion request for a specific Atlassian accountId:

  • Tokens are revoked and erased.

  • The stored accountId is removed or irreversibly anonymized.

  • Integration entries are marked invalidated and cease processing.

  • Webhook payloads are processed transiently; we do not persist full payloads. Operational logs exclude Jira personal data and are retained only for brief diagnostic windows, then rotated.

6) Personal Data Reporting (PDR) Compliance

We support Atlassian’s Personal Data Reporting requirements for OAuth (3LO) integrations.

  • Export: On request (from the customer or via Atlassian’s PDR relay), we will provide a machine-readable report of Jira-related personal data we store for the specified accountId (e.g., the existence of accountId, whether tokens are present—masked).

  • Deletion: On request, we revoke and erase tokens and remove or anonymize the accountId associated with the integration, and prevent further processing tied to that accountId.

  • Request Authentication: We accept requests initiated by the customer’s project/site admin through our support channel, or by Atlassian through their PDR relay. We verify request authenticity before actioning.

  • Timelines: We act promptly and within statutory timeframes applicable to the customer’s region and Atlassian’s PDR expectations.

7) Webhooks and Logging

  • We register Jira webhooks to receive issue status updates; webhook requests are validated and minimized.

  • We log only non-PII operational identifiers (e.g., issue key, project key, integration id) needed for troubleshooting.

  • We do not write Jira user personal data into persistent logs.

8) Data Sharing and Subprocessors

  • We call Jira Cloud APIs to perform the functions described above.

  • We may use infrastructure providers (e.g., hosting, monitoring) strictly as processors under data processing agreements. A current list of subprocessors is available upon request.

  • We do not sell Jira user personal data.

9) Security Measures

  • Tokens and secrets are stored securely and transmitted over TLS.

  • Principle of least privilege, access controls, encryption at rest, secret rotation procedures, and monitoring are applied.

  • Webhook endpoints are protected by non-guessable secrets and rate limits.

10) International Transfers

  • Where data is processed outside your jurisdiction, we rely on appropriate safeguards (e.g., SCCs or equivalent frameworks) with our subprocessors. Details available upon request.

11) Your Choices and Controls

  • You can disconnect the integration at any time. Disconnecting revokes tokens and stops processing.

  • You can request export or deletion for Jira-related personal data (by accountId) through your admin or via our support.

12) Children’s Data

  • Our services (including the Jira integration) are not directed to children. We do not knowingly process children’s personal data.

13) Contact for Privacy Requests

  • Email: hi@upvoty.com

  • Include your Jira site URL, Atlassian accountId (if available), your role (site/project admin), and the nature of your request (export or deletion). We will verify authority before fulfilling requests.

14) Changes to this Addendum

  • We may update this addendum to reflect changes in our integration or regulatory requirements. Material changes will be communicated through appropriate channels.