Protecting your data and your privacy is a high priority and is very important to us. We, the codefortynine GmbH, a limited liability company pursuant to German law (“We”, “us” or “our”) adhere to a strict policy for ensuring the security and privacy of your data, in particular, your personally identifiable information (such as name, address, email address, and/or other identifiable information, collectively such personally identifiable information “Personal Data”).
We provide hosted services (“Cloud Apps”) for Atlassian Cloud Products (“Atlassian Cloud Product”) via the Atlassian Marketplace (https://marketplace.atlassian.com/). The apps are delivered through the Atlassian Connect framework (“Atlassian Connect”). Cloud Apps can be identified by the “Cloud” category in the corresponding Atlassian Marketplace listing.
We also provide downloadable products (“Server Apps”) for Atlassian Server Products, which are installed on your IT-systems. Server Apps can be identified by the “Server” category in the corresponding Atlassian Marketplace listing.
In the following all data processed by you via an Atlassian Cloud Product and one of our Apps are defined as “Customer Data”.
2. Name and Address of the Controller pursuant to Art. 4 No. 7 GDPR
3. General Information regarding the Data Processing
a) Scope of the data processing
We only collect and use personal data of our users insofar as this is necessary to provide our services. The collection and use of personal data of our users regularly takes place only with the user’s consent. An exception applies in those cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.
b) Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para.1 s.1 lit.a GDPR serves as the legal basis.
If the processing of personal data is required for the performance of a contract to which the data subject is a party, Art. 6 para.1 s.1 lit.b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 para.1 s.1 lit.c GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para.1 s.1 lit.f GDPR serves as the legal basis for processing.
c) Data deletion and storage period
Your personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Data may be stored beyond that time if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which we are subject.
The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
4. Your Rights as Data Subject
You have the following rights towards us regarding your personal data:
- Right to information,
- Right to correction or deletion,
- Right to restrict processing,
- Right to object to the processing,
- Right to data transferability.
Please send an email to firstname.lastname@example.org in order to exercise one or more of the aforementioned rights.
If you believe that the processing of personal data concerning you violates the GDPR, you have the right of appeal to a supervisory authority, without prejudice to any other remedies.
If you have given your consent to the processing of your data, you can revoke this at any time. Such revocation affects the permissibility of processing your personal data after you have given it to us.
If we base the processing of your personal data on the balancing of interests, you may object to the processing. This is the case if processing is not necessary, in particular, to fulfil a contract with you, which is described by us in the following description of the functions. When exercising such objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either stop or adjust data processing or point out to you our compelling reasons for protection, on the basis of which we will continue processing.
Of course, you can object to the processing of your personal data for purposes of advertising and data analysis at any time. You can inform us about your advertising contradiction under the following contact data: email@example.com.
5. General Information regarding Data Processing with our Cloud Apps
Unless otherwise stated below our Cloud Apps do not store Customer Data locally, but store Customer Data in the corresponding Atlassian Cloud Product.
Account Data: Our Cloud Apps store Customer Data provided and generated by Atlassian, that are required for license validation, contract administration and communication with you as our customer. This includes your customer ID, URL of the Atlassian Cloud Product instance, installation details and access keys.
Operation Data: Our Cloud Apps temporarily store Customer Data which is required for the operation of the service. Such data for example includes macros, webhooks, issue and page content or other content accessible by the app.
Customer Uploaded Data: Our Cloud Apps store Data created with and for the Cloud Apps and stored within the Cloud Apps by you using the user interface. This includes for example templates (e.g. word documents, pdf-documents), configuration data or metadata.
Session Data: Our Cloud Apps store data resulting from your use of the service. This includes:
- date and time of the request
- time zone difference to Greenwich Mean Time (GMT)
- content of the request (specific page)
- access status/HTTP status code
- the amount of data transferred in each case
- website from which the request comes
- operating system and its surface
- language and version of the browser software.
Operation Data, Customer Uploaded Data and Session Data is deleted 90 days after uninstalling a Cloud App.
6. Specific Information regarding particular Cloud Apps
Please find the specific information regarding your particular Cloud App in Exhibit 1.
7. Information regarding our Server Apps
Please find the information regarding your Server App in Exhibit 2.
8. Data Location
Our Cloud Apps are hosted on Amazon Web Services (AWS) cloud services. The AWS privacy statement can be found at https://aws.amazon.com/privacy/.
9. Access to Customer Data
To some extent, we use external service providers to process your data (e.g. AWS). These have been carefully selected and commissioned by us, are bound by our instructions and are checked regularly. Our external service providers our process your personal data on the basis of a data protection agreement that complies with legal requirements.
These service providers belong to the following categories:
- hosting service providers,
- billing service providers,
- payment settlement service providers,
- user authentication service providers,
- communication service provider,
- fault and malfunction analysis service providers,
- analytics service providers,
- customer relationship management service providers.
Some of the external service providers are located in so-called third countries outside the European Union. In order to guarantee an adequate level of data protection, the service providers have either (i) submitted to the EU-US Privacy Shield (see https://www.privacyshield.gov/EU-US-Framework), or (ii) we have concluded data protection agreements with the providers on the basis of the so-called EU standard contract clauses, https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=EN.
The inclusion of the service providers is based on Art. 6 para.1 s.1 lit.f GDPR. It is necessary in order to be able to provide the services.
Exhibit 1 – Specific Information regarding particular Cloud Apps
a) Advanced Bulk Edit for Jira
No additional data is stored.
b) Comment History Log for Jira, Comment Custom Fields for Jira
Additional Issue IDs of Jira are stored. Issue IDs are temporarily stored in asynchronously processed jobs to go through all issues and their comments, e.g. upon installation of the app.
c) Deep Clone for Jira
We store configuration details like presets and user groups that have access to certain Jira projects, but no user names, e-mail addresses, etc.
d) Dynamic Fields for Jira
We store the details of the created dynamic fields like name, expression and type.
d) External Data for Confluence, External Data for Jira Fields
We store data source and field/template configurations, including authentication details, URLs and other configuration details the customer provides. Any content synced to fields/templates is stored in the Atlassian platform.
e) Google Calendar for Confluence
We have reading access to the Google calendars of our customers. We store the Google ID of the customer, the email address, access token as well as the Confluence User ID of the customer in our database.
f) Hangouts Chat for Confluence
Similar to Slack for Confluence, but here we also store access data to personal channels and their “display name”, which in personal channels usually consists of the full name of the user.
g) Jamf for Jira
We store configuration details, access credentials and the URL to the Jamf host provided by the customer. All data from synced assets is stored in the Atlassian platform.
h) Merge Agent for Jira
No additional data is stored.
i) Prime Custom Fields for Jira
No additional data is stored.
j) Quick Filters for Jira Dashboards
We store configuration details of all dashboard gadgets configured by the customer.
k) Slack for Confluence
We receive a (secret) Slack-URL from the customer, to which we can send messages. We store such Slack-URL and message templates in our database. In addition, we store the particular customer’s configuration, when Slack messages are to be sent (which pages, slack channels, which icon the slack bot should have, etc.).
l) Snipe-IT for Jira
We store configuration details, access credentials and the URL to the Snipe-IT host provided by the customer. All data from synced assets is stored in the Atlassian platform.
m) Version Sync for Jira
We store details of the projects and versions the customer configures to be synchronized with each other.
Exhibit 2 – Information regarding Data Processing with our Server Apps
Unless otherwise stated below we do not process Customer Data via our Server Apps.
Exception for Slack for Confluence (Server App):
We only process Customer Data, if you actively and knowingly send us such data, e.g. for maintenance purposes.
Exceptions for Google Calendar for Confluence (Server App):
Account Data: Google Calendar for Confluence stores Customer Data provided and generated by Atlassian, that are required for license validation, contract administration and communication with you as our customer. This includes your Server ID, installation details and access keys.
Customer Data: Google Calendar for Confluence has reading access to the Google calendars of our customers. We store the Google ID of the customer, his email address and an access token as well as the Confluence User ID of the customer in our database.
Session Data: Google Calendar for Confluence stores data resulting from your use of the service. This includes:
date and time of the request
time zone difference to Greenwich Mean Time (GMT)
content of the request (specific page)
access status/HTTP status code
the amount of data transferred in each case
website from which the request comes
operating system and its surface
language and version of the browser software.