Privacy Policy
Effective Date: April 6, 2026
VeloApps ("we", "us", "our") develops Jira applications published on the Atlassian Marketplace. This Privacy Policy covers our two products: IssueTwin (a self-hosted application) and Release Scheduler (a native Atlassian Forge application). It explains how data is collected, used, stored, and protected when either App is in use.
1. Information We Collect
1.1 IssueTwin — Jira Issue Data
When IssueTwin is used, the App accesses and processes Jira issue data from the Customer's Atlassian Cloud instance, including:
- Issue fields: summary, description, status, priority, type, labels, custom fields
- People fields: assignee display name, reporter display name
- Project metadata: project keys, issue types
- Timestamps: created date, updated date, resolution date
1.2 IssueTwin — Secondary Jira Instance Data
If configured by the Customer's administrator, IssueTwin may also access a secondary Jira instance (Cloud) to correlate issues across environments. The same categories of data listed above apply to the secondary instance.
1.3 IssueTwin — Configuration Data
The Customer's self-hosted backend stores configuration preferences set by the Jira administrator, including:
- Domain classification rules
- SLA tracking thresholds
- Notification preferences (Teams webhook URLs, email addresses)
- Custom field mappings and display labels
1.4 IssueTwin — Usage Data
The self-hosted backend collects basic usage data for operational purposes:
- Audit logs of administrative actions (with IP address and timestamp)
- Export and report generation events
- Error logs for troubleshooting
1.5 Release Scheduler — Data
Release Scheduler is a native Atlassian Forge application. All application data (release events, swim lanes, categories, and configuration) is stored exclusively in Atlassian Forge KVS (Key-Value Store) within the Customer's Atlassian Cloud instance. VeloApps does not operate any backend server for Release Scheduler and does not receive or store any data from this product.
2. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Issue export and reporting (IssueTwin) | Jira issue data | Legitimate interest / contract performance |
| SLA compliance tracking (IssueTwin) | Issue priority, timestamps, status | Legitimate interest |
| Domain classification (IssueTwin) | Issue fields matched against rules | Legitimate interest |
| AI-powered report generation (IssueTwin, optional) | Issue data sent to Google Generative AI (only if Customer configures their own API key) | Consent (admin-enabled feature) |
| Notifications (IssueTwin) | Issue summaries, SLA alerts | Legitimate interest |
| Release planning (Release Scheduler) | Stored locally in Atlassian Forge KVS — not transmitted to VeloApps | Contract performance |
3. Third-Party Data Sharing
3.1 Google Generative AI (IssueTwin — optional)
If the Customer configures their own Google AI API key and enables the AI Reports feature, issue data (summaries, priorities, statuses) is sent to the Google Generative AI API for analysis and report generation. This integration is entirely under Customer control. The data is:
- Transmitted over HTTPS (encrypted in transit)
- Processed according to Google's AI Terms of Service
- Not used by Google to train their models (per their API terms)
- Only sent when the feature is explicitly enabled and a Customer API key is provided
3.2 Microsoft Teams (IssueTwin — optional)
If configured by the Customer with their own webhook URL, SLA breach alerts and weekly summary notifications are sent to Microsoft Teams. These payloads contain issue summaries and SLA metrics — no raw personal data beyond assignee/reporter display names.
3.3 Email — SMTP/Gmail (IssueTwin — optional)
If configured by the Customer with their own SMTP or Gmail credentials, export completion notifications and reports are sent via email. Email addresses of recipients are configured by the Customer's administrator.
3.4 Release Scheduler — No Third-Party Sharing
Release Scheduler does not transmit any data to VeloApps or any third party. All data remains within Atlassian Forge Storage.
4. Data Storage and Security
- IssueTwin Infrastructure: The backend runs on Customer-managed infrastructure as a self-hosted Docker container. VeloApps does not host or operate the backend.
- IssueTwin Database: PostgreSQL with encrypted connections; sensitive configuration values encrypted at rest — hosted on Customer infrastructure.
- IssueTwin Cache: Redis for ephemeral data (SLA cache, domain rules) — no persistent personal data; hosted on Customer infrastructure.
- Forge Storage: Issue-level SLA cache and all Release Scheduler data stored in Atlassian Forge Storage, governed by Atlassian's data residency settings.
- Authentication: JWT + HMAC signature verification for all Forge-to-backend communication.
- Audit Trail: All IssueTwin configuration changes logged with timestamp and IP on the Customer's backend.
5. Data Retention
- IssueTwin issue data: Cached temporarily during export processing on the Customer's backend; not persisted beyond the export lifecycle.
- SLA tracking data: Stored on Customer infrastructure; Customer controls deletion.
- Audit logs: Retained on Customer infrastructure; retention period managed by the Customer.
- Release Scheduler data: Stored in Atlassian Forge KVS; cleared upon app uninstallation per Atlassian policy.
6. Your Rights (GDPR)
If you are in the European Economic Area, you have the right to:
- Access: Request a copy of data processed about you
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data
- Restriction: Request limitation of processing of your data
- Portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interest
Since the IssueTwin backend is self-hosted, the Customer (as data controller and infrastructure operator) can fulfill most data subject requests directly. For requests related to the Forge app components or vendor-held data, contact us at the email below. We will respond within 30 days.
7. International Data Transfers
IssueTwin backend data resides on the Customer's own infrastructure, in the location(s) chosen by the Customer. Data processed via the Forge app components is stored in Atlassian Forge Storage, governed by Atlassian's data residency settings. If the Customer enables AI Reports with their own Google AI API key, issue data may be processed in Google's data centers. We rely on appropriate safeguards (Standard Contractual Clauses where applicable) for any cross-border transfers involving the Forge components.
8. Children's Privacy
VeloApps applications are business tools intended for use by Jira administrators and team members. We do not knowingly collect data from children under 16.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify affected administrators via the app's admin panel when material changes are made. The "Effective Date" at the top reflects the latest revision.
10. Contact Us
For privacy inquiries, data requests, or concerns:
- Email: privacy@veloapps.com.tr
- Support: support@veloapps.com.tr