Privacy Policy
1. Overview
Spec2Tickets for Confluence and Jira ("the App") converts a Confluence page into a structured Jira breakdown — an Epic, Stories, Subtasks, and dependency links. This Privacy Policy explains what data the App handles and how.
2. Architecture and Data Flow
The App runs entirely on the Atlassian Forge platform — there is no Spec2JIRA-operated server or backend. It has two external touch-points:
- Atlassian APIs: the App reads the Confluence page you select and creates issues in your Jira project, using your own Atlassian session permissions (
asUser). - Anthropic API (your key): to generate the breakdown, the App sends the page content to Anthropic's Claude model using the Anthropic API key that you provide. The request is billed to, and governed by, your account and agreement with Anthropic.
Spec2JIRA operates no server or database of its own, so it stores no content on Spec2JIRA-operated infrastructure. Under BYOK, the only parties that handle your content are Atlassian (the Forge platform your instance runs on) and Anthropic (under your own API key).
During your free trial, Spec2Tickets may additionally call Anthropic under its own account (a welcome credit) to generate your breakdown — still from Atlassian Forge, with no vendor server. This managed processing is described below and in our DPA.
3. Data the App Processes
- Confluence page content: the text of the Confluence page you choose to convert — read via Atlassian APIs and sent to the Anthropic API (your key) to produce the breakdown.
- Generated breakdown: the structured work items (features, acceptance criteria, tasks, dependencies, concerns) returned by the model, which you review and edit before pushing to Jira.
- Jira project metadata: project key, issue types, and field information, used to create the issues.
- Configuration: your Anthropic API key and default Jira project key, stored in Atlassian Forge Key-Value Storage (the API key in encrypted secret storage, managed by Atlassian, with resolver-only access).
4. AI Processing and Anthropic (Bring Your Own Key)
The App does not run its own AI models and does not use a shared AI service. All AI processing is performed by Anthropic's Claude via the Anthropic API, authenticated with the API key you provide. Because the key is yours:
- API calls are billed to your Anthropic account and governed by your agreement with Anthropic.
- By default, Anthropic does not use data submitted through its API to train its models, and deletes API inputs and outputs within around 30 days; content flagged under its Usage Policy may be retained longer (up to about 2 years). Your own Anthropic agreement and retention settings govern this. You can verify it directly in Anthropic's official statements: "Is my data used for model training?" and the API data-retention documentation.
If no Anthropic API key is configured, the App cannot generate a breakdown and no page content is sent beyond Atlassian.
Managed AI processing (during your free trial)
While Spec2Tickets runs Claude for you on our own account (the welcome credit), the data handling differs from BYOK in these specific, disclosed ways:
- Roles. You remain the data controller; Spec2Tickets acts as a processor on your instructions, and Anthropic is our sub-processor for the AI inference.
- Retention (disclosed honestly). Managed processing uses Anthropic's asynchronous Message Batches API, which is not eligible for zero data retention: batch inputs and outputs are retained by Anthropic for up to about 29 days and then deleted, except content Anthropic flags for trust-and-safety or legal reasons, which it may retain longer per its policy. We do not claim “zero retention” for managed processing.
- No training. Neither Spec2Tickets nor Anthropic uses your content to train AI models (Anthropic's commercial/API no-training default).
- International transfers. Content is processed by Anthropic in the United States under Standard Contractual Clauses incorporated into Anthropic's commercial terms.
- Your documents. See our Data Processing Addendum and our public sub-processor list for the full detail.
- BYOK stays the privacy-maximising choice. If you need the strictest data posture — including configuring your own retention directly with Anthropic — use BYOK: your content is processed only under your own Anthropic agreement, and Spec2Tickets is not a processor of it.
5. Data Storage and Retention
The App stores data only in Atlassian Forge Key-Value Storage, inside your own Atlassian instance's app storage (encrypted and managed by Atlassian):
- Your Anthropic API key and default project key — kept until you change, clear, or uninstall.
- Page content and the generated breakdown — stored transiently to drive the review-and-push workflow. The App removes them when you push to Jira; a breakdown you never push, including one you regenerate away or leave to age, is automatically removed after 7 days of inactivity, and opening it for review resets that timer. Until removed, it remains only in your own Forge instance. Uninstalling the App removes all of its stored data.
Spec2JIRA keeps no copy of your content on any Spec2JIRA-operated system, because there is none.
6. Data Spec2JIRA Does NOT Have
Spec2JIRA, as the vendor, operates no server or database of its own. Under BYOK (your own key), it does not receive, store, or have access to:
- Your Confluence page content or generated breakdowns — these stay within Atlassian Forge and are sent to Anthropic under your key.
- Your Jira issue data.
- Your Anthropic API key — held in Atlassian's encrypted Forge secret storage, resolver-only.
- User identities, usage analytics, or telemetry — the App does not collect them.
During your free trial, while Spec2Tickets calls Anthropic under its own account (managed processing), it still runs no server of its own and stores no content on vendor infrastructure; it acts as a processor of that content on your instructions. See the Managed AI processing section and our DPA for its role and retention details.
7. Sub-processors and Third Parties
- Atlassian — the Forge platform hosts the App and stores its data within your instance; your Confluence and Jira data is governed by your Atlassian agreement.
- Anthropic — processes the page content you send via your own API key, under your agreement with Anthropic (see Section 4).
The App sends data to no other external service. Its only configured network egress is to api.anthropic.com.
8. Data Residency
The App runs within the Atlassian Forge platform. AI processing occurs in Anthropic's API regions per your Anthropic account. Your source content remains in your Atlassian instance, under your control.
9. GDPR
You (the customer) are the data controller for any personal data in your Confluence pages and Jira projects. Under BYOK, Anthropic processes the content you choose to send under your own agreement with Anthropic, and Spec2JIRA is neither a controller nor a processor of that content (it operates no systems that receive it). In all cases, Spec2JIRA stores no end-user content on its own systems.
During your free trial (managed processing), Spec2Tickets acts as your processor and Anthropic as its sub-processor, governed by our Data Processing Addendum; your data-subject rights are supported as set out there.
Spec2JIRA holds no personal data on its own systems — it operates none. Under BYOK, your data resides in your Atlassian instance and, transiently, with Anthropic under your own key — both of which you control. During the free trial, that transient AI processing runs under our Anthropic account instead, subject to the DPA and to Anthropic's retention schedule (about 29 days); it is still stored on no Spec2JIRA-operated system.
10. Security
- All access to Confluence and Jira uses Atlassian's
asUserauthorization — the App acts with the signed-in user's permissions, never a separate service account. - Your Anthropic API key is stored in Atlassian Forge encrypted secret storage, accessible only to the App's backend resolver and never exposed to the browser.
- Calls to Anthropic use HTTPS/TLS. The App's only external egress is
api.anthropic.com, declared in its Forge manifest. - The App follows Atlassian's security requirements for cloud Forge apps.
11. Access Control
Reading pages and creating issues use the signed-in user's own Atlassian permissions (asUser) — users can only act on content they already have access to. Configuration (the Anthropic API key and default project key) is set by an Atlassian administrator via Settings → Spec2Tickets.
12. Children's Privacy
The App is intended for professional software teams and is not directed to individuals under the age of 16.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes are posted on this page with an updated date; material changes will also be noted on the Atlassian Marketplace listing.
14. Contact
For questions about this Privacy Policy or the App's data practices:
- Email: privacy@spec2jira.com
- Website: spec2jira.com