Privacy Policy

This Policy covers two categories of processing, which we treat separately below:

• Website visitors. Information collected when you browse ekko.technology, request materials, or contact us. For this processing, Ekko is the data controller.
• App users and administrators. Information processed when your organization installs and uses the App inside its Jira Cloud site. For Personal Data contained in Jira issues, users, and related configuration, your organization is the controller and Ekko acts as a processor on its behalf, subject to the Atlassian Marketplace terms and any separate Data Processing Addendum in place.

Website

• Device and log data such as IP address, user-agent, referring URL, and pages visited, collected through standard server and analytics logs.
• Contact details you submit voluntarily (for example, if you email support or request a call).
• Cookie and local-storage identifiers used for essential site functionality and privacy-friendly analytics. See Section 11.

App

Because the App runs on Atlassian Forge, data access and storage stay within your Atlassian Cloud tenant. The categories below describe what the App reads from Jira and what it stores in Forge storage on your behalf.

• Atlassian account identifiers and profile fields that Jira exposes to the App, such as Atlassian account ID, display name, email address (where scoped), avatar, and group or project memberships.
• Jira content that your users open in the App during normal use — issues, comments, attachments, issue links, sprints, boards, and JQL results — accessed in real time under the user's own Jira permissions. The App does not maintain a parallel copy of this content.
• Configuration and planning metadata that you choose to save in the App: team rosters, capacity settings (hours or story points per person), meeting overhead, PTO and holiday entries, templates for bulk issue creation, and application preferences. This data is stored in Forge storage inside your Atlassian tenant.
• Operational telemetry such as error reports, timing metrics, and anonymized usage counts. Where we collect this for product quality purposes, we do so in a form that does not identify individual end users.

Ekko does not intentionally collect special categories of Personal Data (for example, health, biometric, or precise geolocation data), and we ask that you do not enter such data into Ekko configuration fields.

We use the information described above only for the following purposes:

• To provide, maintain, and improve the Website and the App.
• To authenticate users, enforce Jira permissions, and scope what each user can see or change in the App.
• To render planning, capacity, and bulk-creation features using the configuration you have saved in Forge storage.
• To respond to support requests, evaluate trials, and communicate important service notices.
• To detect, prevent, and investigate security incidents, abuse, and violations of our Terms of Service.
• To comply with applicable law and respond to lawful requests from public authorities.

We do not sell Personal Data, we do not share Personal Data for cross-context behavioral advertising, and we do not train machine-learning models on Customer Data.

If the EU or UK General Data Protection Regulation applies, we rely on the following legal bases:

• Performance of a contract — to provide the Website and App to you or your organization.
• Legitimate interests — to secure and improve the Website and App, measure aggregate usage, and communicate about the product, balanced against your rights and expectations.
• Consent — for optional analytics cookies and marketing communications, where required.
• Legal obligation — to meet tax, accounting, and law-enforcement obligations where applicable.

All Customer Data processed by the App is stored inside Atlassian Cloud infrastructure under Atlassian's Forge platform. Issue data continues to live in your Jira site, and App configuration (rosters, PTO, templates, preferences) is kept in Forge storage that Atlassian allocates to your tenant. Ekko does not operate its own databases, object stores, queues, or log pipelines that hold Customer Data.

Data residency for App data follows the region you have configured for your Atlassian Cloud product. See Atlassian's data residency documentation for details.

We use a small number of service providers. For Customer Data processed through the App, Atlassian is the primary infrastructure processor because Forge is an Atlassian-hosted platform.

• Atlassian, Pty Ltd. — Forge runtime, Forge storage, Jira APIs, authentication, and audit logging.
• Email delivery and customer support tooling — used only for support and transactional communications initiated by you or your organization.
• Analytics for the Website (privacy-friendly, no cross-site tracking).

We maintain data-protection terms with each sub-processor. An up-to-date list, including entity names and locations, is available on request at support@ekko.technology.

We do not sell Personal Data and we do not share it for advertising. We disclose Personal Data only in the following limited circumstances:

• With Atlassian and our other sub-processors listed above, strictly to provide the Website and the App.
• With your organization's Atlassian administrators, who can view and manage App configuration and user access.
• Where required by law, court order, or other lawful request, and where we reasonably believe disclosure is necessary to protect rights, property, or safety.
• In connection with a merger, acquisition, or sale of assets, subject to customary confidentiality protections.

• Website logs are retained for up to 90 days unless we need to keep them longer to investigate a security incident.
• App configuration stored in Forge storage is retained for as long as the App is installed. When the App is uninstalled, Atlassian deletes the associated Forge storage consistent with its platform policies.
• Support correspondence is retained for up to 24 months after the last interaction.
• Aggregated and de-identified data that can no longer reasonably be linked to an individual may be retained indefinitely.

The App inherits the security properties of the Atlassian Forge platform, including sandboxed execution, scoped Jira API access, audit logging, and tenant isolation. Ekko personnel do not have routine access to Customer Data: administrative access to Forge storage is limited, logged, and used only for support cases with your consent.

No online service is perfectly secure. In the event of a Personal Data breach affecting your organization's data, we will notify the relevant Atlassian administrator without undue delay and cooperate with your investigation.

Depending on where you live, you may have the following rights over your Personal Data: access, rectification, erasure, restriction, portability, objection to processing, and withdrawal of consent. California residents have the rights provided by the CCPA/CPRA, including the right to know, delete, correct, and limit the use of sensitive Personal Information, and the right not to be discriminated against for exercising those rights.

For Personal Data that your organization has entered into the App, please contact your organization's Atlassian administrator first — they control the data in their tenant. For data that Ekko controls directly, you can exercise these rights by writing to support@ekko.technology. We will respond within the timeframes required by applicable law.

Where Personal Data is transferred outside your region, we rely on lawful transfer mechanisms such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and adequacy decisions where available. For App data hosted on Atlassian Forge, the applicable transfer terms are those agreed between your organization and Atlassian, supplemented by our Data Processing Addendum.

The Website uses a small number of essential cookies to keep it functioning and, if you consent, a privacy-friendly analytics cookie that measures aggregate page views without cross-site tracking. You can clear or block cookies in your browser at any time. The App itself does not set advertising cookies.

The Website and App are intended for workplace use by adults. They are not directed to children under 16, and we do not knowingly collect Personal Data from children. If you believe a child has provided Personal Data to us, please contact support@ekko.technology and we will delete it.

We may update this Policy to reflect changes in the product, our practices, or applicable law. When changes are material, we will post the updated Policy here with a new "Last updated" date and, where appropriate, notify Atlassian administrators in the App.

Questions, requests, and complaints about this Policy — as well as product support questions — can be sent to support@ekko.technology. If you are in the EEA or UK and believe we have not addressed your concern adequately, you may also contact your local data-protection authority.