Privacy Policy Customfield Editor for Jira

January 28, 2023

Data protection information for the Customfield Editor for Jira app

We are obliged by law to inform you about the processing of your personal data (hereinafter referred to as “data”) when you download and use our apps. This data protection notice informs you about the details of the processing of your data and about your legal rights in this regard. For terms such as “personal data” and “processing”, the legal definitions pursuant to Art. 4 GDPR apply. We reserve the right to adapt the privacy policy with future effect, in particular in the event of further development of the mobile apps, the use of new technologies or changes to the legal bases or the corresponding case law. We recommend that you read this privacy policy from time to time and take a printout or a copy for your records.

Scope

This privacy policy applies to downloads of the “Customfield Editor for Jira” app, in the versions “Customfield Editor Cloud App” and “Customfield Editor Data Center App” from the Atlassian Marketplace, as well as to all of their features. It does not cover any linked websites or apps of other providers. In addition, your basic use of the Jira software, which is provided by Atlassian, Pty Ltd. (Level 6, 341 George Street Sydney NSW 2000, Australia, hereinafter referred to as “Atlassian”) and use of the Atlassian Marketplace are subject to the Atlassian Privacy Policy, available at: https://www.atlassian.com/legal/privacy-policy

Controller

The “controller” responsible for the processing of your personal data is:

codeclou GmbH
HUerivnareivcphu--DQiverhuly--SFtgre.. 22
9900555522 REöötghuernaboancphu anna dqerre PCergtnaivtgzm
Deutschland
Tel.: ++4499 991111 3311110099990033
E-Mail: vasb@pbqrpybh.vb

Questions about data protection

If you have any questions about data protection with regard to our company or our app, you can contact us using the contact details provided under “Controller”.

Your rights

You have the following rights with regard to the personal data concerning you that you can assert against us:

  • Right of access: You can request access to the personal data concerning you which we process, as set forth in Art. 15 GDPR.
  • Right to rectification: If the information concerning you is not (or no longer) correct, you can request its rectification in accordance with Art. 16 GDPR. If your data is incomplete, you can request that it be completed.
  • Right to erasure You may request the erasure of your personal data in accordance with Art. 17 GDPR.
  • Right to restriction of processing: Pursuant to Art. 18 GDPR, you have the right to demand that the processing of your personal data be restricted.
  • Right to object to processing: Pursuant to Art. 21(1) GDPR, you have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data which occurs based on Art. 6(1) Sentence 1(e) or (f) GDPR. If you object, we will not process your data further, unless we can prove compelling legitimate reasons for the processing which override your interests, rights and freedoms or, moreover, the processing serves to establish and exercise or defend legal claims (Art. 21(1) GDPR). Furthermore, under Art. 21(2) GDPR you have the right to object at any time to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that this is related to such direct marketing. In this privacy policy, we draw your attention to this right to object when describing each processing operation.
  • Right to withdraw your consent: If you have given your consent for processing, you have a right to withdraw that consent under Art. 7(3) GDPR.
  • Right to data portability: You have the right to receive the personal data you have given us in a structured, commonly used, machine-readable format (“data portability”) and the right to transfer this data to another controller, if the prerequisites of Art. 20(1)(a), (b) GDPR are fulfilled (Art. 20 GDPR).

You can assert your rights by informing us using the contact details specified under “Controller” above.

If you believe that the processing of your personal data violates data protection law, then under Art. 77 GDPR you also have the right to lodge a complaint with a data protection supervisory authority of your choice. This includes the data protection supervisory authority responsible for the controller:

Bayerisches Landesamt für Datenschutzaufsicht, Promenade 18, 91522 Ansbach, postal address: Postfach 1349, 91504 Ansbach, phone: +49981/180093-0, email: poststelle@lda.bayern.de, https://www.lda.bayern.de

Security of processing

We have taken comprehensive technical and organisational precautions to protect your personal data from unauthorised access, abuse, loss and other external disruption. To this end, we regularly review our security measures and adapt them to the latest standards.

Downloads of the Customfield Editor Cloud app and the Customfield Editor Data Center app

When you purchase and download the relevant app, the required information and your data will be transferred to the Atlassian Marketplace, which is operated by Atlassian, Pty Ltd. (Level 6, 341 George Street Sydney NSW 2000, Australia, hereinafter referred to as “Atlassian”), including but not limited to your first and last name, email address and your company name and address, time of download and payment information. We have no influence on this data processing by Atlassian and are not responsible for it.

We only process data to the extent necessary for downloading the app.

We do not receive any credit card data or other billing data from Atlassian, but only information about the licences sold, their validity as well as the data provided by you of a contact, such as name, address and email address, as well as the data provided by you of a contact for technical enquiries (“technical contact”) as well as the data provided by you of the direct contractual partner (“billing contact”).

The legal basis for this results from Art. 6(1) Sentence 1(b) GDPR, where the data processing is necessary for performing a contract, or Art. 6(1) Sentence 1(f) GDPR.

The provision of your data is necessary and obligatory in order to enter into and execute the contract, i.e. to be able to provide you with the app and to provide support. You are contractually obliged to provide your data. If you do not provide your data, it will not be possible to conclude and/or execute a contract. If, for support purposes, we process further personal data that relates to a person who is not our contracting party pursuant to Art. 6(1) Sentence 1(b) GDPR (e.g. further users of the app), then we process this on the basis of our legitimate interest pursuant to Art. 6(1) Sentence 1(f) GDPR. We have a legitimate interest in providing support.

Once the purpose has been achieved (e.g. contract processing, completion of the support request), the personal data will be blocked on our servers for further processing or erased from our databases, unless we are entitled to keep processing the data on the basis of a consent granted by you, a contractual agreement, a statutory authorisation or on the basis of justified interests (e.g. retention for asserting claims).

We have no influence on the erasure and blocking of your data by Atlassian.

Atlassian also processes your data in Australia. We have agreed standard contractual clauses with Atlassian. A copy is available on request. For further information about the protection of your data, in particular how long it is stored, please refer to: https://www.atlassian.com/legal/privacy-policy

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

KPI dashboard

In order to know how our key performance indicators (e.g. number of sales, number of active installations, total sales price) are developing, we use a KPI dashboard that is created using the GitHub Actions tool, which is provided by GitHub, Inc. (88 Colin P Kelly Junior Street, San Francisco, CA 94107 US; hereinafter referred to as “GitHub”). GitHub reads the customer data provided to Atlassian, such as name, address and payment information, and creates an anonymous KPI dashboard on this basis. KPI dashboards are tools that combine data sources and provide visual feedback at a glance, showing how a company is performing against its key performance indicators (KPIs). The anonymised KPI dashboards are then hosted by the external service provider Host Europe GmbH (Hansestraße 111, 51149 Cologne, Germany).

The legal basis for this processing is Art. 6(1) Sentence 1(f) GDPR. When we use GitHub to create KPI dashboards with anonymised data and store them, we have a legitimate interest in optimising our work and business processes. GitHub processes your data in part in the US. No EU Commission adequacy decision exists for data transfers to the US. We have concluded so-called standard contractual clauses with GitHub in order to commit GitHub to an appropriate level of data protection. A copy is of course available on request. Further information, in particular on the storage period, can be found at: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller”.

Sending customer information

We reserve the right to use the email address of the billing contact or technical contact provided by you when downloading the respective app in accordance with the statutory provisions to send you important messages by email on the following topics, among others:

  • Changes to the data protection provisions
  • Changes to the general terms and conditions
  • Changes in prices and
  • The need to perform an update.

The legal basis for this data processing is Art. 6(1) Sentence 1(b) GDPR and Art. 6(1) Sentence 1(c) GDPR, insofar as we are legally obliged to send the customer information. It is necessary for you to provide your data in order to conclude or execute the contract and you are contractually obliged to provide your data. If you do not provide your data, it will not be possible to conclude and/or execute a contract.

Once the purpose has been achieved (e.g. end of the contractual relationship), the personal data will be blocked for further processing or erased unless we are entitled to keep processing the data on the basis of a consent granted by you, a contractual agreement, a statutory authorisation or on the basis of justified interests (e.g. retention for asserting claims).

We use Mailchimp to send emails, which is an email marketing service provided by Intuit, Inc. (2700 Coast Ave, Mountain View, CA 94043, US; hereinafter referred to as “Mailchimp”); Mailchimp also processes your data in the US. No EU Commission adequacy decision exists for data transfers to the US. Standard data protection clauses have been concluded with Intuit, Inc. in order to commit Intuit, Inc. to an appropriate level of data protection. You can view a copy of the standard data protection clauses on the Mailchimp website at: https://mailchimp.com/de/legal/data-processing-addendum/#2._Rollen_und_Verantwortlichkeiten. For further information, please refer to Intuit, Inc.'s privacy policy at: https://www.intuit.com/privacy/statement/

Your email address will be processed on Mailchimp servers. Mailchimp acts as our processor and is contractually limited in its authority to use your personal data for purposes other than to provide services to us in accordance with the applicable data processing agreement. The legal basis of the processing is Art. 6(1) Sentence 1(f) GDPR. By using an external email marketing service, we have legitimate interests in the optimisation and more targeted control and monitoring of our email content listed above.

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

Data processing when using the Customfield Editor Cloud app

The Customfield Editor Cloud app runs within Jira Cloud on the infrastructure of Atlassian. The following data will therefore be stored and processed by Atlassian. Further information on the use of Jira Cloud can be found in Atlassian's privacy information at: https://www.atlassian.com/trust/privacy

When you use the app within Atlassian's Jira Cloud application, certain data that is necessary to use the app, in particular to ensure access to the internet (“access data”) is automatically processed. This includes: IP address, date and time of the server request, time zone difference from Greenwich Mean Time (GMT), log files, content of the request (specific app feature), access status, volume of data transferred in each case, app from which the request comes, device type, operating system used and its interface (Atlassian Marketplace), language and version of the operating system.

In addition, the Customfield Editor Cloud app is linked to your Atlassian account. Before using the app, each user must grant the app the following access permissions:

  • View users and user groups
  • View profile details for the currently logged-in user
  • View permissions
  • View system and custom avatars
  • View application roles
  • Display and delete field options
  • Read field configurations and context configurations for user-defined fields
  • View fields and field default values
  • View project categories and projects
  • Create and update field options and field default values

We do not gain any insight into the aforementioned data unless you contact us directly with a support request and grant us access to the extent necessary to resolve your support request.

The legal basis for our processing of data for support purposes results from Art. 6(1) Sentence 1(b) GDPR, where the data processing is necessary for performing a contract, or Art. 6(1) Sentence 1(f) GDPR.

It is necessary for you to provide your data in order to execute the contract for support purposes and you are contractually obliged to provide your data. If you do not provide your data, it will be impossible for us to provide you with support services. If, for support purposes, we process further personal data that relates to a person who is not our contracting party pursuant to Art. 6(1) Sentence 1(b) GDPR (e.g. further users of the app), then we process this on the basis of our legitimate interest pursuant to Art. 6(1) Sentence 1(f) GDPR. We have a legitimate interest in providing support.

Once the purpose has been achieved (e.g. end of the contractual relationship, completion of the support request), the personal data will be blocked for further processing or erased unless we are entitled to keep processing the data on the basis of a consent granted by you, a contractual agreement, a statutory authorisation or on the basis of justified interests (e.g. retention for asserting claims).

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

Data processing when using the Customfield Editor Data Center app

Data processing (e.g. allocation of access rights, storage of usernames, editing of fields, etc.) is carried out exclusively on the infrastructure of our contractual partner, i.e. within its database system. We do not have access to this data.

Contacting our company

When you contact our company, e.g. by email, we will process the personal data you provide in order to respond to your request. The legal basis for the processing is Art. 6(1) Sentence 1(f) GDPR or Art. 6(1) Sentence 1(b) GDPR, if the contact is made with the intention of concluding a contract. If the request is aimed at concluding a contract, it is necessary for you to provide your data in order to conclude a contract. If you do not provide your data, it will not be possible to conclude or execute a contract (in the form of establishing contact or processing the request). The data is only processed for the purposes of conducting the conversation. As soon as processing is no longer necessary, we will erase the data generated in this context or, if statutory retention obligations apply, restrict processing of the data accordingly.

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

Processing for contractual purposes

We process your personal data if and to the extent necessary for the initiation, creation, execution and/or termination of a legal transaction with our company. The legal basis for this results from Art. 6(1) Sentence 1(b) GDPR. It is necessary for you to provide your data in order to conclude the contract and you are contractually obliged to provide your data. If you do not provide your data, it will not be possible to conclude and/or execute a contract. Once the purpose has been achieved (e.g. contract processing), the personal data will be blocked for further processing or erased, unless we are entitled to keep processing the data on the basis of a consent granted by you (e.g. consent to the processing of your email address for sending promotional emails), a contractual agreement, a statutory authorisation (e.g. authorisation to send direct marketing) or on the basis of justified interests (e.g. retention for asserting claims). Your personal data will be passed on to third parties if

  • it is necessary for the creation, execution or termination of legal transactions with our company (e.g. when transmitting data to a payment service provider to process a contract with you) (Art. 6(1) Sentence 1(b) GDPR), or
  • a subcontractor or party we use to perform our obligations, which we use exclusively within the framework of providing the offers or services requested by you, needs this data (unless you are expressly informed otherwise, such auxiliary parties are only entitled to process the data insofar as this is necessary for the provision of the offer or service), or
  • there is an enforceable official order (Art. 6(1) Sentence 1(c) GDPR), or
  • there is an enforceable court order (Art. 6(1) Sentence 1(c) GDPR), or
  • this is necessary for the establishment, exercise or defence of legal claims (Art 6(1) Sentence 1(c) GDPR)
  • we are legally obliged to do so (Art. 6(1) Sentence 1(c) GDPR), or
  • the processing is necessary in order to protect the vital interests of the data subject or another natural person (Art. 6(1) Sentence 1(d) GDPR), or
  • this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Art. 6(1) Sentence 1(e) GDPR), or
  • we can cite our overriding legitimate interests, or those of a third party, in the disclosure (Art. 6(1) Sentence 1(f) GDPR)

Your personal data will not be transmitted to other persons, companies or bodies unless you have effectively consented to such transmission. The legal basis for the processing is then Art. 6(1) Sentence 1(a) GDPR. In this privacy policy, we draw your attention to the respective recipients when describing each processing operation.

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

Copyright by Spirit Legal