Privacy Policy

1. Overview

ImpactLoop Ltd. (referred to here as ImpactLoop, ArdSaor, we, or us) is the service provider and Marketplace Partner responsible for our apps and the ardsaor.com website (together, the Services). We act as data controller for Site interactions and a data processor when storing or processing Atlassian data on behalf of a customer account. This Policy covers Forge-hosted apps installed in Jira Cloud and any related support channels.

2. Service provider & architecture

Our Atlassian Cloud apps use Atlassian Forge for app runtime, storage, and invocation pipelines. Baseline app operation keeps app state in Atlassian-managed infrastructure unless you explicitly export data or request support assistance that requires a copy to leave the environment.

AI Clearance can also run in connected mode when an administrator intentionally configures it. In connected mode, AI Clearance sends signed HTTPS requests to ArdSaor Core for connector testing, tenant binding, identity matching, and provisioning actions. Those requests may include cloud ID, connector metadata, grant metadata, subject identifiers, external identity values, and limited operational context. Connector credentials are stored through Forge secret storage and are used only for the configured Okta or Microsoft Entra group connector.

3. Atlassian Cloud data we access

Depending on the app and features you enable, the Services may read or write the following Atlassian data categories:

• Issue fields and custom field values
• Issue changelog entries and workflow history
• Issue comments and worklog summaries
• Project, service project, portal, board, sprint, and Confluence space metadata
• User display names, account IDs, and avatars made available through Jira APIs
• Governance configuration, request metadata, approval decisions, access grants, recertification state, and audit events
• Connector configuration references and external identity mappings when connected provisioning is configured

We request only the OAuth scopes required to deliver the selected features and never intentionally collect data unrelated to those use cases.

4. How we use Atlassian data

Access to Atlassian content is automated and scoped to the installation. Data is processed to power app features such as AI access intake, approvals, grants, provisioning follow-up, access reviews, evidence exports, metrics, decision logs, and configuration insights. We do not sell or share Atlassian data, nor do we use it to market other products. Only personnel with a legitimate operational need, for example supporting an admin ticket, can view customer data, and access is logged.

5. Storage, security, and access controls

Forge storage is used for app settings, catalog entries, access requests, grants, calculated metrics, and decision log entries. Forge secret storage is used for connector credentials, external identity secret values, and audit-chain secret material. Atlassian encrypts data at rest and in transit. Connected-mode requests to ArdSaor Core are HMAC signed and require configured runtime credentials. We layer Atlassian’s platform protections with least-privilege internal access, enforced MFA, code reviews, dependency scanning, and redaction controls for operational logs.

6. Telemetry and support logs

Operational telemetry captured by Atlassian may include timestamps, component identifiers, and anonymised request IDs. When you open a support ticket, we may request logs that contain Jira issue keys or user display names. Logs reviewed outside Atlassian’s cloud are retained for up to 30 days, redacted to remove unnecessary identifiers, and then securely deleted unless law requires longer retention.

7. Retention and deletion

Forge storage retains app data while the installation remains active. After uninstall, residual records are automatically purged within 30 days, with manual verification by our engineering team. Support correspondence and diagnostic data are kept only as long as necessary to close the request or as required for legal defense.

8. Choices for admins and users

Site visitors and app users may request access, correction, deletion, restriction, or portability of personal data where applicable law grants those rights. Jira administrators can revoke Forge app access at any time through Atlassian’s admin console, which immediately prevents further data processing. Requests can be sent to our privacy inbox, and we respond within 30 days (or faster where law requires).

9. Atlassian consent & scopes

Only Jira Cloud administrators can install the app. During installation we disclose the scopes requested and rely on the admin’s consent to access data within those scopes. Our practices comply with the Atlassian Marketplace Partner Agreement, including privacy, security, and audit obligations.

10. Sharing & subprocessors

Baseline Forge app runtime is hosted by Atlassian. When AI Clearance connected mode is configured, ArdSaor Core processes the minimum provisioning payload needed to execute connector actions, and the configured identity provider, currently Okta or Microsoft Entra, processes the corresponding group membership operation. Email, ticketing, and productivity tools, currently Microsoft 365 and Linear, may store your contact details when you interact with our support team. Each provider is bound by appropriate data-processing and security commitments.

11. Incident response

We maintain an incident response playbook with 24/7 on-call escalation. If we confirm unauthorised access to Atlassian data, we will notify affected customers and Atlassian within 72 hours, provide remediation steps, and keep you informed until closure.

12. International transfers

ImpactLoop operates from Ireland. When Atlassian stores data in other regions, transfers occur under Atlassian’s regional arrangements and standard contractual clauses. Any data we handle outside Atlassian is processed in the EU or regions with equivalent safeguards.

13. Children

The Services are not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect information from children.

14. Changes

We update this Policy when we release new functionality or change data practices. The effective date reflects the latest revision. Material updates will be communicated through in-product notices, admin email, or our Trust page before they take effect.

15. Contact

Contact ImpactLoop’s Data Protection Officer at our privacy inbox or write to ImpactLoop Ltd., Dublin, Ireland. We will coordinate with your organisation to resolve any privacy questions.