Privacy Policy

ImpactLoop Ltd., trading as ArdSaor, builds Atlassian Forge apps that operate inside Atlassian’s cloud. This Privacy Policy explains what data we access, how we protect it, and the choices available to administrators and end users.

1. Overview

ImpactLoop Ltd. (referred to here as ImpactLoop, ArdSaor, we, or us) is the service provider and Marketplace Partner responsible for our apps and the ardsaor.com website (together, the Services). We act as a data controller for Site interactions and as a data processor when storing or processing Atlassian data on behalf of a customer account. This Policy covers Forge-hosted apps installed in Jira Cloud and any related support channels.

2. Service provider & architecture

Our Jira Cloud apps run entirely on Atlassian’s Forge platform. Forge workers, storage, and invocation pipelines are hosted within Atlassian-managed infrastructure. Customer data remains within Atlassian’s cloud unless you explicitly request export or support assistance that requires a copy to leave the environment.

3. Jira Cloud data we access

Depending on the features you enable, the app may read or write the following Jira categories:

  • Issue fields and custom field values
  • Issue changelog entries and workflow history
  • Issue comments and worklog summaries
  • Project, board, and sprint metadata
  • User display names, account IDs, and avatars made available through Jira APIs
  • Automation configuration details necessary to execute decision logs

We request only the OAuth scopes required to deliver the selected features and never intentionally collect data unrelated to those use cases.

4. How we use Atlassian data

Access to Jira content is automated and scoped to the installation. Data is processed to power app features such as metrics, impact tracking, decision logs, and configuration insights. We do not sell or share Atlassian data, nor do we use it to market other products. Only personnel with a legitimate operational need (for example, supporting an admin ticket) can view customer data, and all access is logged.

5. Storage, security, and access controls

Forge storage is used for app settings, calculated metrics, and decision log entries. Atlassian encrypts data at rest and in transit. We layer Atlassian’s platform protections with least-privilege internal access, enforced MFA, code reviews, and dependency scanning. ImpactLoop staff access production data only through Atlassian-administered interfaces with auditable logs.

6. Telemetry and support logs

Operational telemetry captured by Atlassian may include timestamps, component identifiers, and anonymised request IDs. When you open a support ticket, we may request logs that contain Jira issue keys or user display names. Logs reviewed outside Atlassian’s cloud are retained for up to 30 days, redacted to remove unnecessary identifiers, and then securely deleted unless law requires longer retention.

7. Retention and deletion

Forge storage retains app data while the installation remains active. After uninstall, residual records are automatically purged within 30 days, with manual verification by our engineering team. Support correspondence and diagnostic data are kept only as long as necessary to close the request or as required for legal defense.

8. Choices for admins and users

Site visitors and app users may request access, correction, deletion, restriction, or portability of personal data where applicable law grants those rights. Jira administrators can revoke Forge app access at any time through Atlassian’s admin console, which immediately prevents further data processing. Requests can be sent to , and we respond within 30 days (or faster where law requires).

9. Atlassian consent & scopes

Only Jira Cloud administrators can install the app. During installation we disclose the scopes requested and rely on the admin’s consent to access data within those scopes. Our practices comply with the Atlassian Marketplace Partner Agreement, including privacy, security, and audit obligations.

10. Sharing & subprocessors

We do not use subprocessors outside Atlassian for app runtime data. Email, ticketing, and productivity tools (currently Microsoft 365 and Linear) may store your contact details when you interact with our support team. Each provider is bound by a data-processing agreement and security controls consistent with EU and Atlassian requirements.

11. Incident response

We maintain an incident response playbook with 24/7 on-call escalation. If we confirm unauthorised access to Atlassian data, we will notify affected customers and Atlassian within 72 hours, provide remediation steps, and keep you informed until closure.

12. International transfers

ImpactLoop operates from Ireland. When Atlassian stores data in other regions, transfers occur under Atlassian’s regional arrangements and standard contractual clauses. Any data we handle outside Atlassian is processed in the EU or regions with equivalent safeguards.

13. Children

The Services are not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect information from children.

14. Changes

We update this Policy when we release new functionality or change data practices. The effective date reflects the latest revision. Material updates will be communicated through in-product notices, admin email, or our Trust page before they take effect.

15. Contact

Contact ImpactLoop’s Data Protection Officer at or write to ImpactLoop Ltd., Dublin, Ireland. We will coordinate with your organisation to resolve any privacy questions.