Customer Privacy Policy

Owned by Alex Zhebryakov
Last updated: Aug 04, 2023 by Vasyl Krokha
11 min read

Last revision date – August 4, 2023.

 

In this Customer Privacy Policy you will find information about how we may process your personal data and what rights you have during the processing when you use our Apps and your company acts as the Customer of Broken Build under the EULA. 

Via Atlassian Marketplace, we provide two types of Apps. We provide Cloud Apps designed to be used with Atlassian’s hosted services. We also provide Software Apps that are downloadable for the Customer’s data center. This Customer Privacy Policy applies to all types of our Apps.

Broken Build mostly processes data of the Customers and End Users of the Apps as a data processor. This applies to the data we receive from your company (our Customer) as the controller. Such practices are strictly limited to those allowed by the Atlassian Marketplace Partner Agreement. Although the data shared with us to provide Services to our Customers may include personal data, accessing personal data is not our main objective. In some instances, access to personal data is purely incidental and therefore very limited in practice. Our rights and obligations, as well as the details on the transferred data are described in detail in our data processing agreement with your company. 

In other cases, Broken Build is the data controller of personal data. This means that we decide what data should be processed, how and why. Such cases are limited to entering into the agreement, certain cases of improvement of our Apps and some marketing activities. For more details please check the tables below and our Marketing Privacy Policy

Who we are

When we refer to Broken Build, we mean Broken Build LLP, a company registered in the United Kingdom (OC445385) with a registered address at 61 Bridge Street, Kington, Herefordshire, HR53DJ, United Kingdom. 

If you have questions, concerns, or complaints, or would like to exercise your rights, we are available at infosec@brokenbuild.net.

You can also complain to the ICO if you are unhappy with how we have used your personal data.

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

Helpline number: 0303 123 1113

Detailed description of how we process your data

In the tables below you will find a detailed information about:

  • our role in data processing and to which Apps it relates;

  • what data we may process;

  • purposes of processing your data;

  • legal basis for the processing of your data (where we act as the controller);

  • retention period of your data; and

  • engaged sub-processors.

 

The data we process is both the data of your company (our Customer under the EULA) and you (End User, for whom the Customer has paid the required fees and to whom access is given to the App). Please keep in mind that we process both “personal data” within the meaning of law (relates to identified or identifiable person) and other data that is not “personal data”. Such non-personal data could still be regarded as “End User Data” within the meaning of the Atlassian Marketplace Partner Agreement. For your convenience, below we describe our processing with regard to all types of data we process, marking separately when the data is personal.

 

The information below is classified by the purpose of data processing:

To implement the Apps functionality

Agile Velocity Chart Gadget

Role of Broken Build: processor

Which Service it relates to: Cloud Apps 

Processing we perform

Data we process

Legal basis for the processing

Implement the App’s functionality.

 

Although data shared to achieve that purpose may include personal data, accessing personal data is not our main objective. In some instances, access to personal data is purely incidental and therefore very limited in practice to:

 

End User data stored (does not contain personal data):

  • Anonymized user ID

  • Jira issue standard fields:

    • Issue key

    • Issue type

    • Issue status

 

End User data processed:

  • Anonymized user ID

  • Jira issue standard fields:

    • Issue key

    • Issue type

    • Issue status

    • Assignee (anonymized user ID, username, full name, URL to avatar, status) - personal data

    • Sprint ID

    • Created date

    • Reporter  (anonymized user ID, username, full name, URL to avatar, status) - personal data

    • Changelog - may contain personal data

  • App (chart) configuration including:

    • Chart title

    • JQL filter - may contain personal data

Not applicable

(data is provided to perform obligations before the Customer under the EULA, as described in the DPA)

 

Data retention period: data may be processed and stored during the term of EULA and up to 12 months after the termination of EULA. 

Sub-processors engaged:

  • AWS Elastic Kubernetes Service (AWS EKS) (Amazon Web Services, Inc.) is aimed to store data necessary for the App to properly function.

  • Amazon RDS for MySQL(Amazon Web Services, Inc.) is also aimed to store data necessary for the App to properly function.

To implement the Apps functionality

Agile Reports and Gadgets

Role of Broken Build: processor

Which Service it relates to: Cloud Apps 

Processing we perform

Data we process

Legal basis for the processing

Implement the App’s functionality.

 

Although data shared to achieve that purpose may include personal data, accessing personal data is not our main objective. In some instances, access to personal data is purely incidental and therefore very limited in practice to:

 

End User data stored (does not contain personal data):

  • Anonymized user ID

  • Jira issue standard fields:

    • Issue key

    • Issue type

    • Issue status

 

End User data processed:

  • Anonymized user ID

  • Jira issue standard fields:

    • Issue key

    • Issue type

    • Issue status

    • Assignee (anonymized user ID, username, full name, URL to avatar, status) - personal data

    • Sprint ID

    • Created date

    • Reporter  (anonymized user ID, username, full name, URL to avatar, status) - personal data

    • Changelog - may contain personal data

  • App (chart) configuration including:

    • Chart title

    • JQL filter - may contain personal data

Not applicable

(data is provided to perform obligations before the Customer under the EULA, as described in the DPA)

 

Data retention period: data may be processed and stored during the term of EULA and up to 12 months after the termination of EULA. 

Sub-processors engaged:

  • AWS Elastic Kubernetes Service (AWS EKS) (Amazon Web Services, Inc.) is aimed to store data necessary for the App to properly function.

  • Amazon RDS for MySQL(Amazon Web Services, Inc.) is also aimed to store data necessary for the App to properly function.

To implement the Apps functionality

Subcomponents for Jira Cloud

Role of Broken Build: processor

Which Service it relates to: Cloud Apps 

Processing we perform

Data we process

Legal basis for the processing

Implement the App’s functionality.

 

Although data shared to achieve that purpose may include personal data, accessing personal data is not our main objective. In some instances, access to personal data is purely incidental and therefore very limited in practice to:

 

End User data stored (does not contain personal data):

  • Anonymized user ID

  • Project ID

  • Project component ID

  • Project version ID

 

End User data processed:

  • Anonymized user ID

  • Jira project details

  • Jira project components

  • Jira project versions

  • App configuration settings including:

    • Feature enablement status

Not applicable

(data is provided to perform obligations before the Customer under the EULA, as described in the DPA)

 

Data retention period: data may be processed and stored during the term of EULA and up to 12 months after the termination of EULA. 

Sub-processors engaged:

  • AWS Elastic Kubernetes Service (AWS EKS) (Amazon Web Services, Inc.) is aimed to store data necessary for the App to properly function.

  • Amazon RDS for MySQL(Amazon Web Services, Inc.) is also aimed to store data necessary for the App to properly function.

To proactively monitor App health and fix issues

Role of Broken Build: processor

Which Service it relates to: Cloud Apps 

Processing we perform

Data we process

Legal basis for the processing

Proactively monitor App health and fix issues (troubleshooting)

End User data processed and stored: 

  • Anonymized user ID

  • App (chart) configuration excluding any data that may potentially be deemed personal data

 

Not applicable

(data is provided to perform obligations before the Customer under the EULA, as described in the DPA)

 

Data retention period:

Data may be processed and stored only for 2 days following the collection of data. 

Sub-processors engaged:

  • Logz.io (LogsHero Ltd.) is aimed to monitor Apps health and troubleshoot. 

To support End Users, to fix issues in the Apps

Role of Broken Build: processor

Which Service it relates to: Cloud and Software Apps 

Nature and purpose(s) of processing

Data we process

Legal basis for the processing (if applicable)

Answer End Users support requests regarding bugs, product usage, feature requests etc.

The data is both processed and stored:

  1. End User’s personal data (if and as provided by data subject):

  • Email address;

  • Full name.

 

2. Personal data related to our Customer:

  • the Customer’s name and/or email (if the Customer is an individual);

  • Technical contact data (email address, full name);

  • Billing contact data (email address, full name).

 

3. End User data: 

  • Anonymized user ID

  • device and browser information (IP address, browser, locale, operating system)

 

4. Non-personal company data, including: company name, license information, Atlassian host ID, Jira version, App version.

 

5. App environment data: Atlassian host ID, Jira version, App version.

 

6. Other information you provide to us in connection with the support matter (screenshots, screen casts, HAR files etc.).

We encourage you not to share sensitive personal data with us, as well as excessive data which we do not need to resolve your issue.

Not applicable

(data is provided to perform obligations before the Customer under the EULA, as described in the DPA)

 

Data retention period:

We will store the data from when the support request was initiated, until we resolve the matter. We intend to store your personal data for up to 12 months afterwards, to make sure the future requests regarding product usage are properly satisfied, taking into account the history of the requests. However, we aim to delete sensitive attachments such as HAR files within 3 months of the closure of your request. 

Sub-processors engaged:

  1. Atlassian Corporation Plc (Jira Service Desk/Management) (Atlassian Pty Ltd) allows us to manage customer support requests.

  2. Segment (Twilio Inc.) captures App usage events.

  3. Intercom, Inc. also allows us to manage customer support requests.

  4. Calendly Inc. is designed to easily book the meeting with us. 

  5. Google Meet, Google Calendar (Google, Inc.) help to book and conduct online meetings with you.

  6. Atlas CRM (Avisi Apps B.V.) is aimed to aggregate support requests under one company account, so that to enrich our support context and provide better support.

To enter into an agreement with the Customer and administer our relationship

Role of Broken Build: 

controller

Which App it relates to:

Cloud and Software Apps

Processing we perform

Data we process

Legal basis for the processing

Enter into an agreement with the Customer under the EULA, including any negotiations between us in order to conclude the agreement, as covered by the Atlassian Marketplace Partner Agreement.

Administer our relationship with the Customer, i.e. send information about our terms and other information that the Customer needs, as allowed by the Atlassian Marketplace Partner Agreement.

 

The data is both processed and stored:

 

  1. Non-personal company data, including: company name, license information, Atlassian host ID.

 

  1. Personal data related to our Customer:

  • the Customer’s name (if the Customer is an individual);

  • Technical contact data (email address, full name);

  • Billing contact data  (email address, full name).

 

Entering into and performance of a contract

(Article 6.1(b) GDPR).

Data retention period:

We will store the data during the term of EULA and for up to 12 months afterwards.

Sub-processors engaged:

  1. Atlassian Marketplace partner admin portal (Atlassian Pty Ltd) helps us to administer relationships with the Customer and provides us with licensing information.

  2. Chart Mogul (Chart Mogul GmbH & Co) is a financial analytics service we use to ensure financial efficiency of our agreements.

  3. Active Campaign, Inc. allows us to send updates, information about our products and other marketing we deem interesting to the Customer (see our Marketing Privacy Policy).

To improve our Apps

Role of Broken Build: controller

Which Service it relates to: Cloud and Software Apps 

Processing we perform

Data we process

Legal basis for the processing

Analyze the Apps to optimize user experience.

 

Test and develop new features and functions.

The data is both processed and stored:

  1. End User’s personal data (if and as provided by data subject):

  • Email address;

  • Full name.

 

2. End user data: 

  • Anonymized user ID

  • device and browser information (IP address, browser, locale, operating system)

 

3. Non-personal company data, including: company name, license information.

 

4. App environment data:

  • Atlassian host ID

  • Jira version

  • App version

 

5. Personal data related to our Customer:

  • the Customer’s name (if the Customer is an individual)

  • Technical contact data (email address, full name);

  • Billing contact data (email address,  full name).

 

6. End User requests and feedback on improving the Apps.

We encourage you not to share sensitive personal data with us, as well as excessive data which we do not need to resolve your issue.

Consent 

(Article 6.1(a) GDPR)

 

Legitimate interest 

(Article 6.1(f) GDPR).

Data retention period:

We will retain your data related to our Customer during the term of EULA and for up to 12 months afterwards. End User data will be deleted 12 months after the last request/communication of the End User. 

Sub-processors engaged:

  1. Atlassian Corporation Plc (Jira Service Desk/Management) (Atlassian Pty Ltd) allows us to manage customer support requests.

  2. Roadmap portal for Jira Service Desk by Amoeboids (Amoeboids Technologies Private Limited) is aimed to let us know about your interest when you submit, vote and comment for features. 

  3. Segment (Twilio Inc.) captures App usage events.

  4. Amplitude, Inc. helps us to improve your usage experience and functionality of the App.

  5. Journy.io BV ensures we could monitor the health of customers (both at company and user levels).

  6. Intercom, Inc. allows us to communicate with End Users regarding the feedback, product updates, and onboarding materials.

  7. Calendly Inc. is designed to easily book the meeting with us.

  8. Google Meet, Google Calendar (Google, Inc.) help to book and conduct online meetings with you.

  9. Atlas CRM (Avisi Apps B.V.) helps us to communicate with End Users regarding the feedback, product updates, customer support cases.

We may also process data to perform legal duties, responsibilities, and obligations and to comply with laws and regulations that apply to us. For example, we could store data about emails and names of subscribers to our newsletters, as well as their choices and consent - to make sure we comply with laws on e-communication. 

Your rights when we process your personal data

GDPR and other countries’ privacy laws provide certain rights for data subjects. A good explanation of them (in English) is available on the website of the United Kingdom’s Information Commissioner’s Office (“ICO”).

You have the following rights with respect to your personal data when we are the controller of such data:

  1. Right of access. You may ask to access and obtain a copy, if required, of the data about you that we collected.

  2. Right to rectification. You may ask to update the data or to correct any inaccuracies.

  3. Right to erasure. You may ask to delete the data we retain in certain circumstances, such as when you withdraw consent we have earlier received from you.

  4. Right to restriction of the processing. You may request to restrict the use of your data in certain circumstances, such as when you have objected to our use. But we will first verify whether we have overriding legitimate grounds to use it.

  5. Right to data portability. You may ask to transfer your data to a third party in a structured, commonly used, and machine-readable format, in circumstances where the data is processed with your consent or by automated means.

  6. Right to object. You may object to our processing of your data in some cases, for example, when we process your data on the basis of our legitimate interest. 

How we share data

We share your data with third parties. We are not in the business of selling any of your data, including personal data, to other third parties or advertisers. 

We may pass on your data to our employees or verified independent contractors (including contracted private entrepreneurs who are based in Ukraine). We always enter into non-disclosure and confidentiality agreements with those who have access to your data to ensure the data protection.

We may also share your data with service providers that help us operate, provide, support and enhance our Services. If a service provider needs to access your data, they do so under appropriate security and confidentiality measures designed to protect your data. You should always check the privacy settings and notices in these third-party services to understand how those third parties may use your data. You may find a complete list of service providers (sub-processors) we involve following this link.

In exceptional circumstances, we may disclose data with law enforcement agencies, courts, fraud prevention agencies, or other third parties, where we think it is necessary to comply with applicable laws or regulations or to defend our legal rights (where possible, we will notify you of this type of disclosure).

International data transfers

When we use and share your data, it may be transferred to and processed in countries other than your country or residence. We process and store data in the countries you may check in the list of service providers we involve following this link.

Where we transfer your data, we put safeguards in place to ensure your data remains protected. For individuals in the UK or EEA, this means that your personal data may be transferred outside of the UK or EEA. When this is the case, it will be transferred to countries where we have compliant transfer mechanisms in place, in particular, the implemented European Commission’s Standard Contractual Clauses to agreements with entities and independent contractors the data is transferred to or other appropriate legal mechanisms to safeguard the transfer.

How we secure and store data 

We are committed to keeping our customers’ personal data safe. We use industry-standard security measures appropriate for all user data and our processing activities, adequate to preserve data confidentiality and security. 

You may read a more detailed description on how we protect your data in DPA Annex 1(C) available via the link.