Privacy Policy
1. Overview
Spec2JIRA for Confluence and Jira ("the App") converts specification pages into structured Jira work items. This Privacy Policy describes how we handle data in connection with the App.
2. Architecture and Data Flow
The App consists of two components:
- Forge App (cloud component): A user interface layer hosted on the Atlassian Forge platform. It reads Confluence page content via standard Atlassian APIs and displays results within the Atlassian product interface.
- Self-Hosted Backend (customer component): A Docker container that you deploy on your own infrastructure. This backend performs all AI processing using an open-source language model (Qwen 2.5) running locally on your hardware.
Data flows directly between the Atlassian Forge platform and your self-hosted backend. No data is routed through, stored on, or accessible to Spec2JIRA's servers.
Each customer's backend domain is added to the Spec2Tickets Forge app egress allowlist on a per-installation basis (see installation docs Step 7). Customer data flows only between the Atlassian Forge platform and that specific customer's backend domain — there is no shared multi-tenant backend operated by Spec2JIRA.
3. Data We Process
3.1 Data Processed by the Forge App
The Forge app processes the following data transiently (in memory, during a single request):
- Confluence page content: The text of the specification page you choose to process, read via Atlassian APIs and forwarded to your self-hosted backend.
- Jira project metadata: Project keys and issue type information, used to create work items in your Jira instance.
- Configuration data: Your backend URL and API key, stored in Atlassian Forge Key-Value Storage (encrypted, managed by Atlassian).
3.2 Data Processed by the Self-Hosted Backend
All AI processing occurs on your infrastructure. The backend processes Confluence page content and produces structured work item breakdowns. This data resides entirely on your hardware. We have no access to it.
3.3 Data We Do NOT Collect
We do not collect, store, transmit, or have access to:
- Confluence page content or any document text
- Jira issue data
- User identities, email addresses, or account information
- Usage analytics or telemetry
- Any personally identifiable information (PII)
4. Data Storage
The Forge app stores only configuration settings (backend URL and API key) using Atlassian's Forge Key-Value Storage, encrypted and managed by Atlassian.
Any data persisted by the self-hosted backend (such as pipeline logs or generated outputs) is stored on your infrastructure. You control retention, encryption, and access policies.
5. Third-Party Services
The App does not share data with any third-party services, sub-processors, or external APIs beyond the Atlassian platform itself.
The self-hosted backend uses an open-source AI model (Qwen 2.5 by Alibaba Cloud) that runs entirely offline on your hardware. No data is sent to model providers or any external AI service.
6. Data Residency
Because the backend runs on your infrastructure, you have full control over where your data is processed and stored. The Forge app component operates within the Atlassian Forge platform infrastructure.
7. GDPR Compliance
You (the customer) are the data controller for any personal data contained in your Confluence pages and Jira projects.
Spec2JIRA does not act as a data processor, as we do not process or store your end-user data. The Forge app acts as a pass-through interface within the Atlassian platform.
Since we do not store personal data, there is no personal data held by us to access, correct, delete, or export. All data resides within your Atlassian instance and your self-hosted backend, both of which you control.
8. Security
- All communication between the Forge app and your backend is encrypted via HTTPS (TLS 1.2+) with HSTS enabled.
- Backend authentication uses API key verification on every request.
- The Forge app follows Atlassian's security requirements for cloud applications.
- The self-hosted backend runs in an isolated Docker container on your infrastructure.
9. Authentication and Access Control
The self-hosted backend authenticates to Confluence and Jira using a service account that your Atlassian administrator provisions and scopes. The service account's credentials live in your backend's .env file only — they are never transmitted to Spec2JIRA, the Forge app's resolver layer, or any third party.
Recommended minimum scope (least-privilege):
- Read access to the Confluence spaces containing your specification pages.
- Create-issue permission in the target Jira project.
The backend never uses individual end-user credentials; all reads and writes are performed by the service account configured by your administrator. Configuration of the Spec2Tickets Forge app (backend URL, API key, Jira project key) is restricted to Atlassian administrators via the standard Manage Apps → Configure flow.
Page-search operations inside the Forge app interface use Atlassian's standard asUser() authorization — users see only the Confluence pages they have read access to in their normal Atlassian session.
10. Children's Privacy
The App is designed for professional software development teams and is not intended for use by individuals under the age of 16.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Material changes will be communicated through the Atlassian Marketplace listing.
12. Contact
For questions about this Privacy Policy or the App's data practices:
- Email: privacy@spec2jira.com
- Website: spec2jira.com