Privacy Policy
Effective Date: 25.09.2024
1. Introduction and Scope
Welcome to Firnity! We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we process, use, and safeguard your personal information when you interact with our applications and services, including those available on the Atlassian Marketplace and platforms like Discord (collectively referred to as the “Services”).
Who Does This Policy Apply To?
This Privacy Policy applies to all individuals who interact with our Services, including:
- Users of Our Applications: Individuals who use our applications and services, such as the Discord for Jira application, as part of their organization’s Jira instance or Discord server.
- Visitors to Our Websites: Individuals who browse our websites, submit inquiries, or request support.
What Services Does This Policy Cover?
This policy covers all interactions with our Services, including:
- Cloud Applications: Applications available through platforms like the Atlassian Marketplace and Discord that enhance the functionality of host services like Jira and Discord.
- Websites and Online Platforms: Our official websites and any other digital platforms we manage.
- Support and Communication Channels: Customer service interactions, inquiries, and communications with our support team.
Key Definitions
- Personal Data: Any information relating to an identified or identifiable natural person. This includes names, email addresses, user display names, or any other data that could be linked to you directly or indirectly.
- Data Controller: The entity that determines the purposes and means of processing personal data. In the context of our Services, your organization (e.g., your employer or the company you represent) acts as the Data Controller for the personal data processed through the Discord for Jira application.
- Data Processor: The entity that processes personal data on behalf of the Data Controller. Firnity acts as a Data Processor, processing personal data on behalf of your organization in accordance with their instructions and applicable data protection laws.
Our Role
As a Data Processor, Firnity processes personal data retrieved from your organization’s Jira instance to provide the functionalities of the Discord for Jira application. We do not collect personal data directly from users. Our processing activities are limited to what is necessary to operate and improve the Services as instructed by your organization.
Types of Personal Data Processed
We adhere to the principle of data minimization and process only the data necessary to provide our Services. Specifically, we process the following personal data:
- Jira User Display Names: Fetched from your organization’s Jira instance, displayed within our application, and included in notifications sent to Discord channels and direct messages. This facilitates user interactions and notifications between Jira and Discord.
Please note that technical identifiers such as Jira user IDs, Discord user IDs, server IDs, and channel IDs are used solely for the operation of the application and are not considered personal data in this context.
Limitations of This Policy
This Privacy Policy does not apply to:
- Third-Party Services: Any third-party services or websites linked to or integrated with our Services, such as Discord or Atlassian products. These services have their own privacy policies and practices, and we encourage you to review them.
- Your Organization’s Policies: Any data processing activities carried out by your organization beyond the scope of our Services. Please refer to your organization’s privacy policies for more information on how they handle personal data.
Acceptance of This Policy
By using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree with this Privacy Policy, please refrain from using our Services.
2. Purposes and Legal Basis for Data Processing
Why Do We Process Your Personal Data?
We process your personal data solely to provide and enhance the Services as instructed by your organization, which acts as the Data Controller. Our processing activities are limited to what is necessary to fulfill our contractual obligations and to enable the functionalities of the Discord for Jira application. Specifically, we process your personal data for the following purposes:
Service Provision and Functionality
- Purpose: To enable and facilitate the integration between Jira and Discord as configured by your organization. This includes fetching Jira user display names to display within our application, include in notifications sent to Discord channels and direct messages, include in Jira comments, and support other functionalities that enhance user interactions and collaboration between Jira and Discord.
- Legal Basis: Processing is necessary for the performance of a contract (Article 6(1)(b) GDPR). We process your personal data to fulfill our contractual obligations to your organization in providing the Services.
Customer Support
- Purpose: To provide support and respond to inquiries or issues you report. This may involve processing personal data you provide when contacting us, such as your name and email address.
- Legal Basis: Processing is necessary for our legitimate interests (Article 6(1)(f) GDPR). It is in our legitimate interest to assist users and resolve any issues with our Services. We have assessed that this does not override your rights and freedoms.
Data Minimization and Necessity
We adhere to the principle of data minimization by processing only the minimum amount of personal data necessary to provide our Services effectively. This approach helps protect your privacy and reduces the risks associated with data processing.
No Automated Decision-Making
We do not use your personal data for automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.
Responsibility of the Data Controller
Your organization, as the Data Controller, is responsible for:
- Legal Basis and Consent: Ensuring there is a valid legal basis for the processing of personal data and obtaining any necessary consents under applicable data protection laws.
- Transparency: Providing any required privacy notices or information to data subjects about how their personal data is processed.
- Configuration and Access Control: Configuring the application and controlling who has access to the Discord channels and Jira projects where personal data, such as user display names, may be displayed.
- Compliance: Ensuring that sharing Jira user display names in this manner complies with applicable data protection laws and internal policies.
Your Rights
Please refer to the “Your Rights” section of this Privacy Policy for information on your rights regarding your personal data and how to exercise them.
3. Data Sharing and Disclosure
Who Do We Share Your Personal Data With?
We are committed to protecting your personal data and will only share it under specific circumstances necessary to provide our Services, in accordance with applicable data protection laws. We do not sell or rent your personal data to third parties. However, we may disclose your personal data as follows:
a. Service Providers (Sub-processors)
To deliver our Services effectively, we rely on trusted third-party service providers, known as sub-processors, who process personal data on our behalf. These sub-processors are contractually obligated to protect your data and comply with applicable data protection laws. Our primary sub-processors include:
Microsoft Azure
- Purpose: Provides cloud hosting and infrastructure services for our applications and data storage within the European Union (EU).
Sentry
- Purpose: Offers application monitoring and error tracking services to help us identify and resolve technical issues.
- Purpose: Supplies services for analytics and email communications, helping us understand how our Services are used and to communicate with users.
We ensure that all sub-processors implement appropriate technical and organizational measures to protect your personal data and process it only in accordance with our instructions.
b. Disclosure to Discord
As part of the application’s functionality, Jira user display names are included in notifications sent to Discord channels and direct messages. This means that these personal data are transmitted to Discord’s servers and may be processed by Discord in accordance with their privacy policy and terms of service.
Please note:
- Data Transfer to Discord: Discord may process this data on servers located outside the European Union (EU). Your organization is responsible for ensuring that such data transfers comply with applicable data protection laws.
- Discord’s Privacy Practices: We encourage you to review Discord’s privacy policy to understand how they process personal data.
c. Legal Obligations and Protection of Rights
We may disclose your personal data when required to do so by law or in response to valid legal requests, such as subpoenas, court orders, or government regulations. This includes:
- Compliance with Legal Obligations: If we believe in good faith that disclosure is necessary to comply with a legal obligation.
- Protection of Rights and Interests: To protect our rights, property, or safety, or that of our users or others.
d. Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or part of our business, your personal data may be transferred as part of the transaction. We will ensure that the recipient agrees to protect your personal data in accordance with this Privacy Policy and applicable data protection laws.
International Data Transfers
While we store and process all personal data within the European Union (EU), please be aware that when Jira user display names are included in notifications sent to Discord, they are transmitted to Discord’s servers, which may be located outside the EU.
Your organization, as the Data Controller, is responsible for:
- Compliance with Data Transfer Requirements: Ensuring that any international data transfers to Discord comply with applicable data protection laws, including the General Data Protection Regulation (GDPR).
- Appropriate Safeguards: Implementing appropriate safeguards for international data transfers, such as entering into Standard Contractual Clauses with Discord or ensuring that Discord is certified under an approved data transfer mechanism.
Data Processing Agreement
We process personal data on behalf of our customers (the Data Controllers) in accordance with our Data Processing Agreement (DPA). This agreement complies with Article 28 of the GDPR and outlines our obligations as a Data Processor, including:
- Processing personal data only on documented instructions from the Data Controller.
- Implementing appropriate technical and organizational measures to ensure data security.
- Assisting the Data Controller in fulfilling obligations regarding data subjects’ rights and compliance with GDPR.
A copy of our standard Data Processing Agreement is available upon request. For more information, please contact us at contact@firnity.com.
Responsibility of the Data Controller
Your organization, as the Data Controller, is responsible for:
- Third-Party Data Sharing: Ensuring that sharing personal data with third parties, such as Discord, complies with applicable data protection laws.
- Informing Users: Providing necessary information to users about the sharing of their personal data with third parties and any international data transfers.
- Obtaining Necessary Consents: Obtaining any required consents from data subjects for the sharing of their personal data with third parties or for international data transfers.
Our Commitment
We are committed to ensuring that your personal data is kept secure and processed in accordance with this Privacy Policy and applicable data protection laws. We take appropriate measures to protect your data from unauthorized access, alteration, disclosure, or destruction.
4. Data Retention and Your Rights
How Long Do We Retain Your Personal Data?
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, to provide our Services, and to comply with legal and contractual obligations. Specifically:
- Service Data: Personal data processed as part of the Services (e.g., Jira user display names) is retained for the duration of the contractual agreement with your organization. Once the contract is terminated or upon instruction from your organization, we will delete or anonymize the personal data within a reasonable timeframe, unless we are required to retain it for legal reasons.
- Support Data: Personal data you provide when contacting us for support is retained for as long as necessary to address your inquiry and improve our Services. Typically, this data is retained for up to 12 months after the resolution of your support request.
- Legal Obligations: We may retain personal data for longer periods if required by law, such as for tax, accounting, or compliance purposes.
Data Deletion and Limitations
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Upon termination of the Services or upon instruction from your organization (the Data Controller), we will delete or anonymize Personal Data within our control.
Please note that we cannot delete or retrieve Personal Data that has already been transmitted to third parties (such as Discord) as part of the application’s functionality. Once notifications containing Jira user display names are sent to Discord channels or direct messages, the data is subject to Discord’s policies and is managed by your organization and Discord.
Your Organization’s Responsibilities
Your organization, as the Data Controller, is responsible for:
- Managing Data on Third-Party Platforms: Controlling and managing Personal Data that has been transmitted to third-party platforms like Discord.
- User Access and Content Management: Deleting messages, managing user access, or taking other actions within Discord to comply with data protection obligations.
Your Rights Under GDPR
As an individual whose personal data is processed by us on behalf of your organization, you have certain rights under the General Data Protection Regulation (GDPR). These rights include:
a. Right of Access
You have the right to request confirmation as to whether we process your personal data and, if so, to request access to that data. This includes information about:
- The purposes of processing
- The categories of personal data processed
- The recipients or categories of recipients to whom personal data has been or will be disclosed
- The envisaged retention period or criteria used to determine that period
- The existence of your rights to rectification, erasure, restriction of processing, or objection to processing
- The right to lodge a complaint with a supervisory authority
b. Right to Rectification
You have the right to request the correction of inaccurate personal data we hold about you. If your personal data is incomplete, you have the right to have it completed, including by providing a supplementary statement.
c. Right to Erasure (Right to Be Forgotten)
You have the right to request the erasure of your personal data in certain circumstances, such as when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw your consent (where processing was based on consent) and there is no other legal ground for processing
- You object to the processing and there are no overriding legitimate grounds
- The personal data has been unlawfully processed
- The personal data must be erased to comply with a legal obligation
d. Right to Restrict Processing
You have the right to request the restriction of processing of your personal data when:
- You contest the accuracy of the data, for a period enabling us to verify its accuracy
- The processing is unlawful, and you oppose erasure and request restriction instead
- We no longer need the data, but you require it to establish, exercise, or defend legal claims
- You have objected to processing pending the verification of whether our legitimate grounds override yours
e. Right to Data Portability
Where processing is based on consent or the performance of a contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another data controller.
f. Right to Object
You have the right to object to the processing of your personal data based on legitimate interests. We will cease processing unless we have compelling legitimate grounds that override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.
g. Right to Withdraw Consent
If we process your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
How to Exercise Your Rights
To exercise your rights, please contact your organization, which acts as the Data Controller for your personal data. They are responsible for managing requests related to your personal data.
Alternatively, you may contact us at contact@firnity.com, and we will coordinate with your organization to address your request in accordance with applicable data protection laws.
Verification of Identity
For security purposes, we may need to verify your identity before fulfilling your request. This helps us ensure that personal data is not disclosed to unauthorized individuals.
Response Time
We aim to respond to all legitimate requests within one month. If your request is particularly complex or if you have made multiple requests, it may take us longer. In such cases, we will notify you and keep you updated.
Right to Lodge a Complaint
If you believe that our processing of your personal data violates data protection laws, you have the right to lodge a complaint with a supervisory authority, i.e. the President of the Personal Data Protection Office with its registered office at ul. Stawki 2 in Warsaw.
Responsibility of the Data Controller
Please note that your organization, as the Data Controller, is primarily responsible for handling requests to exercise your rights under GDPR. We, as the Data Processor, will assist your organization in fulfilling such requests as required by applicable data protection laws.
5. Data Security Measures
How Do We Protect Your Personal Data?
We are committed to safeguarding your personal data and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. Our security practices are designed to maintain the confidentiality, integrity, and availability of your personal data. Key measures include:
a. Technical Measures
- Data Encryption: We use industry-standard encryption protocols to protect personal data in transit and at rest where appropriate.
- Access Controls: Access to personal data is restricted to authorized personnel who require it for their job responsibilities. We employ authentication mechanisms and enforce the principle of least privilege.
- Secure Hosting Environment: Our Services are hosted on secure servers within the European Union (EU), protected by robust physical and electronic security measures provided by our hosting provider, Microsoft Azure.
- Network Security: We utilize firewalls to protect our networks from unauthorized access and threats.
- Regular Security Updates: We keep our systems and software up-to-date with the latest security patches and updates to mitigate vulnerabilities.
b. Organizational Measures
- Security Policies and Procedures: We have established internal policies and procedures to guide our employees in handling personal data securely and responsibly.
- Confidentiality Agreements: Employees and contractors are bound by confidentiality agreements that obligate them to protect personal data.
- Vendor Management: We carefully select third-party service providers and require them to implement appropriate security measures to protect personal data in accordance with our standards and applicable laws.
Incident Response and Notification
Despite our efforts, no security measures are entirely foolproof. In the event of a personal data breach, we have established incident response procedures to:
- Identify and Contain: Quickly identify the breach, contain it, and mitigate its effects.
- Assess Risks: Evaluate the potential impact on data subjects and determine the likelihood of harm.
- Notify Relevant Parties: Inform your organization (the Data Controller) promptly, so they can fulfill their obligations to notify supervisory authorities and affected data subjects as required by applicable laws.
- Prevent Recurrence: Investigate the cause of the breach and implement measures to prevent similar incidents in the future.
Your Organization’s Responsibilities
As the Data Controller, your organization is responsible for:
- User Access Management: Controlling and managing access rights to Jira and Discord, including the application, to ensure that only authorized users have access to personal data.
- Security of End-User Devices: Ensuring that devices used to access the Services are secure and comply with your organization’s security policies.
- Incident Reporting: Notifying us promptly of any suspected security incidents or breaches related to the Services.
Your Responsibilities
While we take measures to protect personal data, it’s important that users also take steps to safeguard information:
- Protect Credentials: Keep your Jira and Discord account credentials confidential and do not share them with unauthorized individuals.
- Be Vigilant: Be cautious of phishing attempts or suspicious communications requesting personal information.
- Follow Organizational Policies: Adhere to your organization’s security policies and guidelines when using the Services.
Limitations
Please be aware that no method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect personal data, we cannot guarantee its absolute security.
6. Cookies and Tracking Technologies
Use of Cookies and Similar Technologies
Our Services may use cookies and similar tracking technologies to enhance user experience, analyze usage patterns, and improve our Services. This section explains how we use these technologies and your choices regarding them.
What Are Cookies?
Cookies are small text files stored on your device (computer or mobile device) when you visit a website or use an application. They help websites and applications remember your actions and preferences over a period of time, so you don’t have to re-enter them whenever you return or navigate from one page to another.
Types of Cookies We Use
a. Necessary Cookies
- Purpose: These cookies are essential for the operation of our Services. They enable core functionalities such as security, network management, and accessibility.
- Legal Basis: Use of necessary cookies is based on our legitimate interest (Article 6(1)(f) GDPR) to ensure the proper functioning of our Services.
b. Analytics and Performance Cookies
- Purpose: These cookies collect information about how users interact with our Services, such as pages visited and any error messages encountered. This information helps us improve the performance of our Services.
- Legal Basis: We use these cookies based on your consent (Article 6(1)(a) GDPR), where required by law.
How We Use Cookies
We may use cookies to:
- Enhance User Experience: Remember your preferences and settings to provide a more personalized experience.
- Analyze Usage: Collect anonymous statistical data to understand how users interact with our Services and identify areas for improvement.
- Security: Help detect and prevent fraud and security risks.
Third-Party Cookies
We do not use third-party cookies for advertising or marketing purposes within our Services. However, our Services may contain links to third-party websites or services that may use cookies. We do not control these third-party cookies, and their use is subject to the respective third party’s privacy policies.
Your Choices Regarding Cookies
Browser Settings
Most web browsers allow you to control cookies through their settings preferences. You can set your browser to refuse cookies or to alert you when cookies are being sent. However, if you disable cookies, some features of our Services may not function properly.
To manage your cookie settings, you can typically find the options in the “Settings” or “Preferences” menu of your browser.
Consent Management
Where required by law, we provide a cookie consent banner when you first use our Services, allowing you to accept or decline non-essential cookies. You can change your cookie preferences at any time by adjusting your browser settings as described above.
Web Beacons and Other Tracking Technologies
We do not use web beacons, pixels, or other tracking technologies within our Services to collect personal data about your online activities over time and across third-party websites or online services.
Do Not Track Signals
Our Services do not currently respond to “Do Not Track” (DNT) signals. DNT is a preference you can set in your web browser to inform websites that you do not want to be tracked.
Changes to This Section
We may update this Cookies and Tracking Technologies section to reflect changes in our practices or legal requirements. We encourage you to review this section periodically to stay informed about how we use cookies and similar technologies.
7. Changes to This Privacy Policy
How Will We Notify You of Changes?
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or how we handle personal data. If we make significant changes to this policy, we will notify your organization (the Data Controller) and, where appropriate, you directly through reasonable means. Notifications may include:
- Email Communications: Sending an email to your organization or to you directly if we have your contact information and you have consented to such communications.
- Website Updates: Posting a notice on our website indicating that the Privacy Policy has been updated.
Effective Date and Acceptance of Changes
The “Effective Date” at the top of this Privacy Policy indicates when the policy was last revised. By continuing to use our Services after any changes become effective, you acknowledge and agree to the updated Privacy Policy. If you do not agree with the changes, you should discontinue using our Services and contact your organization or us to address your concerns.
Encouraging Periodic Review
We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your personal data. Your continued use of the Services constitutes your agreement to this Privacy Policy and any updates.
8. Contact Information
How to Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your rights related to your personal data, please feel free to contact us. We are committed to addressing your inquiries promptly and transparently.
Contact Details:
- Company Name: Łukasz Wiatrak Firnity
- Registered Address: ul. Zamknięta 10, lok. 1.5, 30-554 Kraków, Poland
- Email: contact@firnity.com
We value your feedback and are here to assist you with any issues or concerns you may have regarding your personal data and our Services.