Privacy policy

PRIVACY POLICY — SprintLineup for Jira

Last updated: March 8, 2026

  1. INTRODUCTION

This Privacy Policy describes how [Your Company Name] („we“, „us“, „our“)
collects, uses, stores, and protects End-User Data when you use SprintLineup
(„the App“), an Atlassian Forge application for Jira Cloud.

SprintLineup is a visual sprint planning tool that helps teams plan sprints
by assigning Jira issues to team members on an interactive timeline.

By installing and using SprintLineup, you agree to the practices described
in this policy. This policy supplements the Atlassian Marketplace Partner
Agreement and the Atlassian Developer Terms.

  1. APP PROVIDER

Dominik Wagner
Belpstrasse 23, 3007 Bern, Switzerland
info@helvici.com
https://helvici.com/

  1. GDPR AND CCPA ROLES

Under the General Data Protection Regulation (GDPR):

  • The organization that installs SprintLineup („the Customer“) is the
    DATA CONTROLLER. The Customer determines the purposes and means of
    processing End-User Data by choosing to install and configure the App.
  • We, the App provider, act as a DATA PROCESSOR. We process End-User Data
    solely on behalf of the Customer and only as necessary to provide the
    App’s functionality.
  • Atlassian acts as a SUB-PROCESSOR. Atlassian operates the Forge platform
    infrastructure where the App’s code executes and data is stored.

Under the California Consumer Privacy Act (CCPA):

  • We act as a SERVICE PROVIDER with respect to End-User Data processed
    by the App.
  1. HOSTING AND INFRASTRUCTURE

SprintLineup is built entirely on the Atlassian Forge platform:

  • All application code executes within the Atlassian cloud infrastructure.
  • All data is stored using Atlassian Forge Storage, within the Customer’s
    Atlassian cloud tenant.
  • The App does NOT operate any external servers, databases, or third-party
    services.
  • There is NO data egress. No End-User Data leaves the Atlassian platform.
  • The App does NOT store End-User Data outside of Atlassian products
    and services.
  • The App does NOT process End-User Data outside of Atlassian products
    and services or outside of the end-user’s browser.
  • The App does NOT share End-User Data with any third-party entities.
  1. END-USER DATA WE COLLECT AND STORE

We collect and store only the minimum data required to provide the App’s
functionality. All data listed below is stored in Forge Storage, scoped to
the Customer’s Atlassian site.

5.1 Team Member Data

When a user adds Jira users to a planning board, the following data is
stored:

  • Atlassian account ID (pseudonymous user identifier assigned by Atlassian)
  • Work day configuration (which days of the week the team member works)
  • Role label (optional, user-defined text such as „Developer“ or „QA“) The App does NOT store display names, email addresses, avatar URLs,
    or any other Atlassian profile data. These are resolved live from the
    Jira REST API each time the App is loaded and are never persisted in
    Forge Storage. Purpose: Display team members on the planning timeline and calculate
    workload capacity.

5.2 Sprint Planning Data

When a user plans sprints or calendar weeks, the following data is stored:

  • Task assignments: Jira issue key, assigned team member (Atlassian account
    ID), planned date, and estimated duration
  • Absence records: team member (Atlassian account ID), date, and duration Purpose: Persist planning decisions across sessions and synchronize sprint
    assignments with Jira.

5.3 Board Configuration

  • Board metadata: internal board ID, board name, Jira board ID, project
    key, board type, creation timestamp
  • Last opened board preference (internal board ID only)
  • Custom backlog ordering (ordered list of Jira issue keys) Purpose: Support multi-board management and remember user preferences.

5.4 End-User Data We Access but Do NOT Store

The App reads the following data from Jira REST APIs during normal
operation. This data is displayed in the user interface in real time
and is NOT persisted in Forge Storage:

  • Jira issue details (summary, status, priority, labels, linked issues,
    subtasks, epic information, assignee)
  • Jira sprint metadata (name, state, start/end dates, goal)
  • Jira board listings (board names, types, project associations)
  • User profiles (display name, email address, avatar URL — used for
    display in the team management UI and on the planning timeline)
  • User search results (display name, email address, avatar URL)

5.5 Logs

The App writes operational log entries using the Forge runtime console.
These logs may contain Jira issue keys, board identifiers, and Atlassian
account IDs for debugging purposes. Logs are managed entirely by the
Atlassian Forge platform and are subject to Atlassian’s own data retention
policies. We do not store or process log data outside of Atlassian.

  1. JIRA PERMISSIONS (SCOPES)

SprintLineup requests the following Atlassian OAuth 2.0 scopes. Each scope
is limited to the minimum access required for the App’s functionality:

read:issue-details:jira Display issue details in the backlog
and on the planning timeline

read:jql:jira Search for project issues using JQL

read:project:jira Read project metadata to associate boards
with projects

read:jira-work Read issues and sprint data for planning

write:jira-work Update issue fields (status, description)
when edited through the App

read:jira-user Search for Jira users when building a
planning team

read:board-scope:jira-software Read Jira board configuration

read:sprint:jira-software Read sprint data (names, dates, state)

write:sprint:jira-software Create, start, and complete sprints

write:board-scope:jira-software Move issues between sprints and backlog

delete:sprint:jira-software Delete temporary test sprints created
during board capability detection

storage:app Store planning data in Forge Storage

report:personal-data Report stored accountIds to Atlassian
via the Personal Data Reporting API
(GDPR compliance)

All Jira API calls are made using delegated user authentication (asUser()),
meaning the App operates within the permissions of the currently logged-in
Jira user. The App cannot access data that the user does not already have
permission to view or modify in Jira.

  1. HOW WE USE END-USER DATA

We use collected data exclusively to provide the App’s core functionality:

  • Displaying team members on the sprint planning timeline
  • Persisting task assignments and absence records across sessions
  • Synchronizing sprint assignments with Jira
  • Remembering board preferences and custom backlog ordering
  • Calculating team workload and utilization

We do NOT use End-User Data for:

  • Analytics, telemetry, or usage tracking
  • Advertising, marketing, or profiling
  • Training machine learning or AI models
  • Any purpose other than providing the App’s functionality as described
    in this policy
  1. DATA SHARING AND THIRD PARTIES

We do NOT share, sell, rent, or disclose End-User Data to any third parties.

The App has no external network calls (no egress). All data remains within
the Customer’s Atlassian cloud instance on the Forge platform. There are no
webhooks, external APIs, or data exports to third-party services.

The only sub-processor is Atlassian, which provides the Forge platform
infrastructure. Atlassian’s sub-processor list is available at:
https://www.atlassian.com/legal/sub-processors

  1. DATA RETENTION

9.1 During App Use

Planning data (team members, task assignments, absences, board
configurations) is stored in Forge Storage for as long as the App is
installed on the Customer’s Atlassian site.

9.2 Board Deletion

When a board is deleted through the App, all associated data is removed
from Forge Storage, including team member records, task assignments,
and absence records for that board.

9.3 App Uninstallation

When the App is uninstalled, Atlassian removes all Forge Storage data
associated with the App from the Customer’s site, in accordance with
Atlassian’s data retention policies. We do not retain any End-User Data
after uninstallation.

9.4 No Custom Retention Periods

The App does not currently support customer-configurable data retention
periods. Data persists until explicitly deleted (via board deletion) or
until the App is uninstalled.

  1. PERSONAL DATA REPORTING (GDPR COMPLIANCE)

SprintLineup implements the Atlassian Personal Data Reporting API to comply
with GDPR requirements. A scheduled process runs weekly and performs the
following:

  1. Scans all planning boards for Atlassian account IDs stored in Forge
    Storage.
  2. Reports those account IDs to Atlassian via the Personal Data Reporting
    API (POST /app/report-accounts/).
  3. Processes the response:
    • For CLOSED accounts: the App automatically erases all stored data
      associated with that account ID, including team membership records,
      task assignments, and absence records across all boards and sprints.
    • For UPDATED accounts: the App strips any residual profile data
      (display name, avatar URL) that may exist from older versions.

This ensures that when an Atlassian account is closed or modified, the
App removes all personal data associated with that user in a timely
manner, in compliance with the right to erasure (Article 17 GDPR) and
the right to rectification (Article 16 GDPR).

  1. END-USER RIGHTS

Depending on the applicable jurisdiction, end-users and Customers may
exercise the following rights regarding personal data processed by the App:

  • Right of access: Request information about what personal data is stored.
  • Right to rectification: Update or correct personal data.
  • Right to erasure: Request deletion of personal data.
  • Right to data portability: Receive personal data in a structured format.
  • Right to restriction: Restrict certain processing of personal data.
  • Right to object: Object to processing of personal data.

How to exercise these rights:

  • Site administrators can delete boards and all associated data directly
    within the App at any time.
  • Uninstalling the App removes all stored data from Forge Storage.
  • For additional requests, contact us at info@helvici.com. We will
    respond within 30 days.

We will cooperate with Customers (as Data Controllers) to fulfill any data
subject access requests received from their end-users.

  1. DATA SECURITY

SprintLineup relies on the security measures provided by the Atlassian
Forge platform:

  • All data is encrypted in transit (TLS) and at rest by Atlassian
  • Application code runs in a sandboxed environment managed by Atlassian
  • No external network access (no egress permitted)
  • User authentication and authorization handled by Atlassian
  • API calls are scoped to the authenticated user’s Jira permissions

The App does not implement custom authentication, store credentials, or
manage encryption keys. All infrastructure security is provided by the
Atlassian Forge platform.

For security issues related to the App, contact: info@helvici.com

  1. DATA TRANSFERS

The App does not independently transfer End-User Data across borders. All
data processing occurs within the Atlassian Forge platform. Data residency
is governed by the Customer’s Atlassian cloud instance configuration and
Atlassian’s data residency policies.

The App does not transfer European Economic Area (EEA) residents‘ End-User
Data outside of the EEA independently of Atlassian. Any cross-border data
transfers are governed by Atlassian’s own transfer mechanisms and policies.

  1. DATA PROCESSING AGREEMENT

If you require a Data Processing Agreement (DPA) in accordance with
Article 28 of the GDPR or other applicable data protection legislation,
please contact us at info@helvici.com.

  1. COOKIES AND TRACKING

SprintLineup does NOT use cookies, local storage, browser fingerprinting,
or any client-side tracking mechanisms. The App does not include analytics
scripts, advertising pixels, or any third-party tracking code.

  1. CHILDREN’S PRIVACY

SprintLineup is a business productivity tool intended for professional use
in a workplace context. It is not directed at individuals under the age of

  1. We do not knowingly collect personal data from children.
  2. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. The „Last updated“
date at the top of this document indicates when it was last revised.

Material changes will be communicated through the App’s Marketplace listing.
Continued use of the App after changes constitutes acceptance of the
updated policy.

  1. CONTACT

If you have questions about this Privacy Policy, how SprintLineup handles
End-User Data, or wish to exercise any data protection rights, contact us:

Dominik Wagner
info@helvici.com
https://helvici.com/