Canonical language: English.
Privacy Notice in Spanish (reference translation).
In case of discrepancy, the English version prevails.
Version: 1.2 (Free Beta)
Related documents: Terms of Service · Data Processing Addendum
Data controller / our role: HumanSys S.C. ("HumanSys", "we", "our", "us"), a Mexican sociedad civil with RFC HUM050923U24, registered office at San Francisco 238 Altos, Colonia del Valle, Benito Juárez, CDMX, México, C.P. 03100. HumanSys acts as a processor on behalf of the Atlassian customer (see §2).
Privacy contact: [email protected]
This Privacy Policy explains how HumanSys processes personal data when you install and use RaiSE for Jira (the "App"), a Forge app published on Atlassian Marketplace that connects to a Jira Cloud instance to produce delivery-reliability assessments and coaching signals.
Scope
This Policy applies to personal data processed by the App and its backend service (raise-server) in connection with your use of the App. It does not cover data you provide directly to Atlassian (governed by Atlassian's privacy policy) or to third-party AI providers you configure via BYOK (see §6).
Our role under GDPR / LFPDPPP
- Controller: you (the Atlassian customer administrator) are the data controller for personal data in your Jira site.
- Processor: HumanSys acts as a data processor when processing personal data from your Jira site through the App.
- Sub-processor: Atlassian acts as a sub-processor to HumanSys through the Forge platform, under the Forge Data Processing Addendum.
What personal data we process
| Data category | Example fields | Source |
|---|---|---|
| Atlassian account identifiers | accountId, displayName | Jira issue and user APIs |
| Jira issue metadata | issue key, summary title, status, priority, assignee, reporter, labels, timestamps | Jira REST API, issue webhooks |
| Project metadata | project key, name, categories | Jira REST API |
| Site metadata | cloudId, site URL | Forge runtime context |
| App telemetry | feature usage events, error logs | Generated by the App |
| Admin contact | email address of the installing admin (support only) | Atlassian Marketplace installation flow |
In Phase 1 (Free Beta) the App does NOT process: issue descriptions, comments, attachments, full-text of summary fields beyond what is needed for coaching indicators, user email addresses other than the admin-contact email above, voice, video, biometric, health, or payment data.
Special categories (GDPR Art. 9 / LFPDPPP Art. 9): not within scope. Customers must not route sensitive personal data through the App without a prior written agreement with HumanSys.
Purposes and legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide delivery-reliability assessments and coaching | Contract — Art. 6(1)(b) |
| Maintain service integrity, debug errors, prevent abuse | Legitimate interest — Art. 6(1)(f) |
| Compliance with legal obligations | Legal obligation — Art. 6(1)(c) |
No sale of End User Data
HumanSys does not sell, rent, or monetize End User Data (as defined in the Atlassian Marketplace Partner Agreement §8.4(b)). We do not use personal data for advertising, cross-context behavioral targeting, or third-party profiling. De-identified and aggregated metrics used to improve the Service do not constitute sale.
Sub-processors
| Sub-processor | Domain | Purpose | Location | Transfer safeguard |
|---|---|---|---|---|
| Atlassian Pty Ltd | atlassian.com | Forge platform runtime, Forge Storage | Regional (follows Atlassian data residency) | Forge DPA + SCCs |
| Fly.io Inc. | fly.io | raise-server backend hosting (app + PostgreSQL) | Los Angeles, California, USA (lax region) | SCCs 2021/914 (EU→US) + UK IDT Addendum |
Sub-processor changes
We will give Customers at least 30 days' prior notice before adding or replacing a sub-processor, via (i) an updated version of this Policy at the URL indicated in the Marketplace listing, and (ii) the App listing release notes. Customers may object on reasonable data-protection grounds within that period; if the objection cannot be resolved, the Customer may terminate the Service by uninstalling the App.
BYOK AI integrations (optional)
In Phase 1 (Free Beta), the App does not send personal data to any third-party AI inference provider by default. If you choose to enable an AI feature that uses a "Bring Your Own Key" (BYOK) integration (e.g., Anthropic Claude, OpenAI), the following applies:
- The integration is enabled by explicit configuration from the Atlassian admin.
- Data is sent from raise-server to the AI provider's API using the credentials you supply.
- You become the controller of that data flow with the AI provider of your choice; HumanSys is not a party to that relationship and does not retain AI provider credentials beyond what is necessary to execute the request.
- The AI provider's own privacy policy governs that data transfer.
International data transfers
Personal data may be transferred from the European Economic Area, United Kingdom, or Switzerland to the United States and Mexico. Transfers are safeguarded by:
- European Commission Standard Contractual Clauses (2021/914) incorporated via the Forge DPA and sub-processor contracts.
- The UK International Data Transfer Addendum where applicable.
- Additional technical safeguards: encryption in transit (TLS 1.2+), encryption at rest (default sub-processor disk encryption).
Retention and deletion
| Trigger | Action | Timeline |
|---|---|---|
| App uninstalled from your Jira site | Personal data tied to that cloudId is deleted from raise-server | ≤ 30 days |
| GDPR "right to erasure" or ARCO cancellation request | Deletion via Personal Data Reporting API | ≤ 7 days |
| Atlassian account closed event (via Personal Data Reporting API) | Delete or anonymize all personal data linked to that accountId | ≤ 7 days |
| Atlassian account updated event | Refresh or re-sync the affected fields | ≤ 7 days |
| Site deletion by Atlassian | Personal data deleted automatically | ≤ 30 days from notification |
| Inactivity | No automatic deletion during active install (Free Beta) | — |
Personal Data Reporting API commitment
HumanSys complies with the Atlassian Personal Data Reporting API requirements. We respond to closed and updated events within the cycle period published via the Cycle-Period response header (default 7 days). We do not poll more frequently than the cycle period permits. Non-compliance with this API is a de-listing event per Atlassian Marketplace policy; we treat it as a release gate.
Backups are retained no longer than 30 days and are encrypted.
Your rights (GDPR Art. 15–22 and ARCO under LFPDPPP)
If your personal data is processed through the App you have the right to:
- Access (GDPR Art. 15 / LFPDPPP Art. 23)
- Rectification (GDPR Art. 16 / LFPDPPP Art. 24)
- Erasure / Cancellation (GDPR Art. 17 / LFPDPPP Art. 25)
- Restriction of processing (GDPR Art. 18)
- Portability (GDPR Art. 20)
- Object to processing based on legitimate interest (GDPR Art. 21 / LFPDPPP Art. 27)
- Withdraw consent where processing is based on consent
To exercise any of these rights, contact [email protected]. We respond within 20 business days per LFPDPPP Art. 32 (Mexico) or 30 days under GDPR. Because HumanSys processes data as a processor on behalf of your organization, end-user requests are generally forwarded to your organization's Jira admin for response, coordinated through the Personal Data Reporting API.
Security
- TLS 1.2+ for all data in transit.
- Encryption at rest (sub-processor default disk encryption) for databases and backups.
- Authentication: Forge-issued JSON Web Tokens for tenant bootstrap, server-side shared secrets stored hashed at rest.
- No collection of Atlassian user API tokens / PATs (prohibited by Atlassian policy).
- Tenant isolation: org_id scoping enforced at database and application layer; cross-tenant isolation tests are part of every release gate.
- Least-privilege access: production access limited to named HumanSys personnel with documented operational need and audit logs.
- Incident response: security incidents reported to affected customers without undue delay and, where required, within 72 hours per GDPR Art. 33.
Data breach notification
In the event of a personal data breach affecting your data, we will notify you within 72 hours of becoming aware of the breach, consistent with GDPR Art. 33–34.
Children
The App is intended for use by business customers of Atlassian. We do not knowingly process personal data of children under 16. If you believe we have inadvertently processed such data, contact [email protected] and we will delete it.
Changes to this Policy
We may update this Policy from time to time. Material changes will be notified via:
- A new version of this Policy at the URL indicated in the Marketplace listing.
- The App listing release notes on Atlassian Marketplace.
- An in-app notification for continued use after the effective date of the update.
Each version is dated. The most current version supersedes prior versions.
Governing law and jurisdiction
This Policy is governed by the laws of Mexico, without prejudice to rights you hold under GDPR, UK GDPR, LFPDPPP, or other applicable data-protection laws.
Contact
HumanSys S.C.
San Francisco 238 Altos, Colonia del Valle, Benito Juárez, CDMX, México, C.P. 03100
RFC: HUM050923U24
Email (privacy matters only): [email protected]
General contact: [email protected]
For data-protection authority complaints:
- Mexico INAI: https://home.inai.org.mx
- EU: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- UK ICO: https://ico.org.uk
Privacy Notice (Spanish — reference translation)
The legally canonical version is the English one. This translation is provided for the convenience of Spanish-speaking users; in case of discrepancy, the English version prevails.
Controller / our role: HumanSys S.C. ("HumanSys", "we"), a Mexican sociedad civil with RFC HUM050923U24, domiciled at San Francisco 238 Altos, Colonia del Valle, Benito Juárez, CDMX, México, C.P. 03100. HumanSys acts as a processor on behalf of the Atlassian customer (see §2).
Effective date: 2026-04-28 · Version: 1.2 (Free Beta) · Privacy contact: [email protected]
1. Scope
This Notice applies to personal data processed by the App and its backend (raise-server) in connection with your use of the App. It does not cover data you provide directly to Atlassian or to external AI providers configured via BYOK.
2. Role under GDPR / LFPDPPP
- Controller: you (the Atlassian customer administrator).
- Processor: HumanSys.
- Sub-processor: Atlassian via the Forge platform, under the Forge Data Processing Addendum.
3. Data we process
Atlassian account identifiers (accountId, displayName), issue metadata (key, summary title, status, priority, assignee, reporter, labels, timestamps), project metadata (key, name, categories), site metadata (cloudId, URL), App telemetry (events, error logs), and the installing admin's email (support only).
In Phase 1 (Free Beta) the App does not process descriptions, comments, attachments, emails of users other than the admin, voice, video, biometric, health, or payment data. Special categories (GDPR Art. 9 / LFPDPPP Art. 9) are out of scope.
4. Purposes and legal basis
- Reliability assessments and coaching — Contract (GDPR Art. 6(1)(b))
- Service integrity, debugging, abuse prevention — Legitimate interest (Art. 6(1)(f))
- Legal compliance — Legal obligation (Art. 6(1)(c))
No sale: HumanSys does not sell, rent, or monetize end users' personal data (MPA §8.4(b)). It does not use data for advertising, cross-context behavioral targeting, or third-party profiling.
5. Sub-processors
Atlassian Pty Ltd (atlassian.com) — Forge runtime + Forge Storage — regional Atlassian data residency — Forge DPA + SCCs.
Fly.io Inc. (fly.io) — Hosting of raise-server + PostgreSQL — Los Angeles, California, USA (lax) — SCCs 2021/914 + UK IDT.
We will give at least 30 days' notice before adding or replacing a sub-processor. The Customer may object on reasonable grounds; if the objection is not resolved, the Customer may terminate by uninstalling.
6. BYOK AI (optional)
In Phase 1 the App does not send personal data to any AI provider by default. With BYOK, data is sent from raise-server to the provider's API using your credentials; you become the controller of that data flow with the AI provider.
7. International transfers
From the EEA/UK/Switzerland to the USA and Mexico, safeguarded by SCCs 2021/914, the UK IDT Addendum where applicable, and encryption in transit (TLS 1.2+) and at rest.
8. Retention and deletion
Uninstallation → deletion by cloudId ≤30 days. Right to be forgotten / ARCO cancellation → Personal Data Reporting API ≤7 days. closed event → deletion/anonymization by accountId ≤7 days. updated event → refresh ≤7 days. Site deletion by Atlassian → automatic ≤30 days.
We comply with Atlassian's Personal Data Reporting API within the Cycle-Period (default 7 days). Non-compliance is grounds for de-listing; it is a release gate. Backups ≤30 days, encrypted.
9. Your rights (GDPR Art. 15–22 and ARCO under LFPDPPP)
Access · Rectification · Erasure / Cancellation · Restriction · Portability · Objection · Withdrawal of consent. We respond within a maximum of 20 business days (LFPDPPP Art. 32) or 30 days (GDPR) via [email protected].
10. Security
TLS 1.2+; encryption at rest; Forge JWT authentication + hashed secrets; we do not collect Atlassian PATs; isolation by org_id with cross-tenant tests as a release gate; least-privilege access; incidents reported ≤72h.
11. Breach notification
≤72 hours after becoming aware, in accordance with GDPR Art. 33–34.
12. Minors
App for business customers. We do not knowingly process data of minors under 16.
13. Changes
New version of this Notice at the URL indicated in the Marketplace listing; listing release notes; in-app notification.
14. Governing law
Laws of Mexico, without prejudice to rights under GDPR, UK GDPR, LFPDPPP, or other laws applicable in your jurisdiction.
15. Contact
HumanSys S.C., San Francisco 238 Altos, Col. del Valle, Benito Juárez, CDMX 03100, México ·
RFC HUM050923U24 ·
[email protected] ·
[email protected]
INAI: home.inai.org.mx ·
EU: EDPB ·
UK ICO: ico.org.uk