Changelog Panel for Jira — Privacy Policy

1. Introduction

EvolRed ("we", "our", "us") is committed to protecting the privacy and security of all users of our Atlassian Marketplace applications. This Privacy Policy explains what personal data our applications access, how that data is processed, the legal basis for processing, your rights, and how to contact us.

This policy applies to the specific application named at the top of this page. The App Data Summary section above describes the exact data that application accesses. If you are looking for a general company privacy policy, please visit evolred.com/privacy.

2. Who We Are

EvolRed is the data processor for personal data handled by our Atlassian Forge applications. Atlassian Pty Ltd acts as the data controller for data stored within the Atlassian platform. Your organisation's Atlassian administrator determines how the platform and its apps are used.

For privacy enquiries, contact us at: [email protected]

3. Data We Access

The types of data accessed by this application are listed in the App Data Summary section at the top of this page. In general, our applications may access the following categories of data depending on their functionality:

• Jira issue metadata such as issue keys, titles, statuses, priority levels, labels, story points, and assignee information. We do not access or store the full body content of issues unless the app's functionality specifically requires it (as described in the App Data Summary).
• User account identifiers such as Atlassian account IDs, display names, and email addresses, used to associate actions with users, display user information within the app, and verify licensing.
• Project and board metadata such as project keys, board configurations, and sprint data, used to scope the app's functionality to the correct context.
• App configuration and preferences such as rule settings, templates, or display preferences, stored in Forge KV storage and scoped to the relevant project or user.

We request only the minimum Forge permissions required to deliver each app's functionality. Every permission is documented in the app's manifest.yml and reviewed by Atlassian's security team before publication.

4. How We Use Your Data

Data accessed by our applications is used exclusively to:

• Provide the app's core functionality as described in its feature list and documentation
• Store user preferences and configuration to personalise the app experience
• Enforce licensing by checking the current user's entitlement via Atlassian's licensing API
• Maintain audit trails where applicable (e.g. action logs, scan histories)

We never use your data for:

• Advertising, marketing, or promotional purposes
• Profiling, behavioural analysis, or user tracking
• Training machine learning models or AI systems
• Sale, rental, or commercial exchange with any third party
• Any purpose unrelated to the app's stated functionality

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data under the following legal bases:

• Legitimate interest (Article 6(1)(f) GDPR): Processing is necessary to provide the app's functionality that your organisation has chosen to install and use. Our legitimate interest is delivering the service your administrator has requested.
• Contract performance (Article 6(1)(b) GDPR): Where you have purchased a paid app, processing is necessary to perform our obligations under the licence agreement.
• Consent: We do not rely on consent as a legal basis. If we ever introduce processing that requires consent, we will obtain it explicitly before proceeding.

6. Data Storage and Location

All data processed by our applications is stored and processed entirely within Atlassian's Forge infrastructure. The Forge platform runs on AWS infrastructure managed by Atlassian, in regions determined by your Atlassian Cloud instance configuration.

• No data is transmitted to EvolRed servers. Our applications have no egress permissions and cannot communicate outside the Forge sandbox.
• No external databases or storage services are used. All persistent data is stored in Forge KV storage, scoped to your Atlassian Cloud instance.
• No data is cached outside the Forge environment. When the app is uninstalled, all associated Forge KV storage data is permanently deleted by Atlassian.

For details on Atlassian's infrastructure and data residency, see Atlassian's Cloud Security page.

7. Data Retention

We do not maintain independent databases, backups, or archives of your data. Data retention is governed entirely by the Forge platform:

• Configuration and preferences are stored for the lifetime of the app installation and deleted when the app is uninstalled.
• Computed or cached data (such as health scores, reports, or scan results) is stored in Forge KV storage and deleted upon uninstallation.
• Audit log entries (where applicable) are retained for the lifetime of the app installation to support compliance requirements.

After uninstallation, Atlassian permanently deletes all Forge KV storage data associated with the app. EvolRed retains no copies.

8. Data Sharing and Third Parties

We do not sell, rent, trade, or otherwise share your data with any third parties.

The only entity involved in data processing is Atlassian Pty Ltd, which provides the Forge platform infrastructure. Atlassian's data processing practices are governed by:

• Atlassian Privacy Policy
• Atlassian Data Processing Addendum

Where an app uses Atlassian's Rovo AI capabilities (as indicated in the App Data Summary), data processed by the AI agent is handled within Atlassian's AI infrastructure under Atlassian's own data processing terms.

Our applications do not include or integrate with:

• Analytics or telemetry services (no Google Analytics, Mixpanel, Amplitude, etc.)
• Advertising networks or tracking pixels
• Social media widgets or share buttons
• External APIs, webhooks, or third-party services of any kind

9. Data Security

Our applications are built using Atlassian's Forge platform, which provides enterprise-grade security controls:

• Sandboxed execution: Forge apps run in an isolated sandbox with no access to the host network, file system, or other apps.
• No egress by default: Our apps have no outbound network access. They cannot send data to external servers.
• Scoped permissions: Each app requests only the minimum permissions needed. Permissions are reviewed by Atlassian's security team during the Marketplace review process.
• Encrypted storage: Forge KV storage is encrypted at rest and in transit using Atlassian's infrastructure encryption.
• No secrets in code: We do not store API keys, tokens, passwords, or other secrets in application code or client-side assets.

Additionally, EvolRed follows secure development practices including TypeScript strict mode, input validation at every resolver boundary, no logging of personal data in production, and regular dependency audits.

10. Your Rights Under GDPR

If you are located in the EEA, UK, or Switzerland, you have the following rights:

Right	What It Means	How to Exercise
Access	Request a copy of personal data we process about you	Email [email protected]
Rectification	Request correction of inaccurate data	Update your data in the app or contact us
Erasure	Request deletion of your personal data	Uninstall the app (deletes all Forge storage) or email us for targeted deletion
Restriction	Request that we limit processing of your data	Email [email protected]
Portability	Receive your data in a machine-readable format	Email [email protected]
Objection	Object to processing based on legitimate interest	Email [email protected]
Withdraw consent	Withdraw consent where processing is based on consent	Not applicable (we do not rely on consent)

All our Forge apps implement Atlassian's GDPR privacy hooks (onPersonalDataRequest and onPersonalDataDelete). When you exercise your right to access or deletion through Atlassian's data portability tools, our apps will automatically respond with the relevant data or delete it.

We will respond to all privacy requests within 30 days. If we need more time due to the complexity of the request, we will notify you within 30 days and explain the reason for the delay.

11. Your Rights Under CCPA/CPRA (California)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected.
• Right to delete: You may request deletion of personal information we hold about you.
• Right to opt out of sale: We do not sell personal information. No opt-out is necessary.
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, email [email protected] with the subject line "CCPA Request".

12. International Data Transfers

Our applications process data exclusively within Atlassian's Forge infrastructure. We do not independently transfer data across borders. Any international data transfer is managed by Atlassian as part of their platform operations and is subject to Atlassian's Data Processing Addendum and Standard Contractual Clauses.

13. Cookies and Tracking

Our Forge applications do not set, read, or use cookies. They do not use local storage, session storage, or any browser-based tracking mechanism. No fingerprinting or device identification techniques are employed.

14. Children's Privacy

Our applications are designed for use by businesses and professionals in a workplace context. We do not knowingly collect or process data from anyone under the age of 16. If you believe a minor's data has been processed through one of our applications, please contact us immediately at [email protected] and we will take steps to delete it.

15. Data Breach Notification

In the unlikely event of a data breach affecting personal data processed by our applications, we will:

1. Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR
2. Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms
3. Document the breach, its effects, and the remedial actions taken

Since our apps process data exclusively within Atlassian's infrastructure, most breach scenarios would fall under Atlassian's responsibility to report. We will cooperate fully with Atlassian in any breach investigation and supplement their notification where appropriate.

16. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or app functionality. When we do:

• The Effective Date shown in the App Data Summary at the top of this page will be updated
• Material changes will be noted in the app's changelog
• We will not reduce your rights under this policy without obtaining your explicit consent

We recommend reviewing this page periodically. Continued use of the application after changes constitutes acceptance of the updated policy.

17. Contact

For privacy-related questions, data subject requests, or complaints:

Email: [email protected]

We aim to respond to all privacy enquiries within 5 business days and to resolve all data subject requests within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.