
Privacy Policy

Last updated: 18 April 2026  ·  Controller: Fabian Eichfeldt, Bayreuth, Germany

1. Controller

Fabian Eichfeldt
Margaretenweg 10, 95447 Bayreuth, Germany
info@clean-backlog.com

2. What data we process

We process only the minimum data required to provide the service:

  • Email address — collected when you create an account, used solely for authentication. Legal basis: Art. 6(1)(b) GDPR — contract
  • Jira API token — stored encrypted at rest using AES-256-GCM. Used to read your Jira backlog and apply transitions on your behalf. Never logged or transmitted to any third party. Legal basis: Art. 6(1)(b) GDPR — contract
  • Jira base URL & email — stored to identify your Jira workspace. No Jira content is read beyond the active refinement session. Legal basis: Art. 6(1)(b) GDPR — contract
  • Ticket IDs and vote results — we store Jira issue keys (e.g. PROJ-42) and the anonymised votes cast in each session. No ticket titles, descriptions, comments, assignees, reporters, or any other Jira content is stored. Legal basis: Art. 6(1)(b) GDPR — contract
  • Anonymous voter session cookie — when you join a refinement session without logging in, a randomly generated identifier (voter_id) is stored as an HttpOnly browser cookie. This ensures your votes are correctly attributed to you within the session and prevents duplicate votes. The cookie contains no personal data — only a random UUID. It expires after 30 days. Legal basis: Art. 6(1)(f) GDPR — legitimate interest
  • Browser local storage — your browser stores the IDs of refinement sessions you have participated in. This is used solely to restore your session state. Legal basis: Art. 6(1)(f) GDPR — legitimate interest

3. What we do not collect

We explicitly do not collect or store any of the following:

  • Not stored: Ticket titles, descriptions, or comments from your Jira
  • Not stored: Assignees, reporters, or any other people data from Jira tickets
  • Not stored: Analytics, usage tracking, or behavioural data
  • Not stored: IP addresses beyond what standard server logs capture transiently

4. Storage location & security

All data is stored on servers located in Germany, within the European Union. Processing is subject to the General Data Protection Regulation (GDPR).

Sensitive credentials (Jira API tokens) are encrypted using AES-256-GCM before being written to the database. Encryption keys are stored separately from the data.

5. Third-party services

Supabase is used for user authentication (sign-up, sign-in, and session management). Your email address is processed by Supabase to send authentication emails. Supabase processes data within the EU. See supabase.com/privacy.

No other third-party services, analytics tools, or advertising networks are used.

6. Intellectual property

All intellectual property contained in your Jira backlog — ticket content, project structure, product strategy, and any related information — belongs entirely to you and your organisation. Clean Backlog claims no rights whatsoever over your data and will never use it for any purpose beyond operating the service for you.

7. Data retention

Account data (email, Jira credentials) is retained for as long as your account is active. You may request deletion at any time by writing to info@clean-backlog.com.

Refinement session data (ticket IDs and vote results) is retained until you delete the session or request account deletion.

8. Your rights under GDPR

Access (Art. 15)

Request a copy of all personal data we hold about you.

Rectification (Art. 16)

Ask us to correct inaccurate data.

Erasure (Art. 17)

Request deletion of your account and all associated data.

Restriction (Art. 18)

Request that we restrict processing of your data.

Portability (Art. 20)

Receive your data in a structured, machine-readable format.

Objection (Art. 21)

Object to processing based on legitimate interest.

To exercise any of these rights, contact info@clean-backlog.com. We will respond within 30 days.

9. Supervisory authority

You have the right to lodge a complaint with the competent data protection supervisory authority. The authority responsible for Bavaria is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27, 91522 Ansbach
www.lda.bayern.de