Privacy Policy
How we collect, process, and protect your data.
Last updated: March 20, 2026
The short version
- Forge-native — app and data run on Atlassian infrastructure; AI prompts sent to selected providers (Cerebras, Vertex AI)
- Smart anonymization — known Jira user identifiers are replaced with anonymous codes; system identifiers (account IDs, emails, project keys) are stripped; user-entered prompt text is sent as-is — avoid including sensitive data
- No training on your data — Cerebras: zero retention; Vertex AI: no training, up to 90-day abuse monitoring (opt-out with BYOK)
- EU data residency — available via Google Vertex AI (6 US + 6 EU regions)
- Admin controls — disable AI models, monitor usage, toggle analytics
1. Overview
SuperTemplates (“we”, “our”, or “us”) is an Atlassian Forge app for AI-powered and manual bulk task creation in Jira, providing both Manual Features and AI-Powered Features as defined in Section 2 of our Terms of Service. If AI-Powered Features are unused or disabled, no Jira issue content or user-entered content is sent to third-party AI providers. This Privacy Policy explains how we collect, use, and safeguard your information when you use our App or visit our website (supertemplates.ai).
Our app is built on Atlassian Forge — it runs entirely on Atlassian's infrastructure with no external servers or databases. All persistent data (templates, preferences, sessions) is stored in Forge Key-Value Storage, which follows your Atlassian Cloud data residency region per Atlassian's Forge data residency policies.
SuperTemplates is a product of Konkret.dev, a registered business in Poland. Data Controller contact: privacy@supertemplates.ai. For full company details including registered address and tax identification, see our Contact page.
2. Data Controller and Processor
For App Users: Your Atlassian organization is the data controller. We act as a data processor, processing data only as necessary to provide the App's functionality per your instructions. Our processing obligations are defined in our Data Processing Agreement (DPA).
For Website Visitors: We are the data controller for personal data collected through our website (supertemplates.ai).
3. Data We Collect
Data you provide (App Users)
- Task descriptions and prompts you input for AI generation
- Template configurations and saved variables
- Account preferences and app settings
- BYOK (Bring Your Own Key) API keys (stored encrypted in Forge Secrets)
Data we process from Jira (with your permission)
- Project context: issue type names, priority names, field definitions
- User display names (anonymized before AI processing)
- Sprint names and board structure
Data we never access
- Existing Jira issue content (titles, descriptions, comments, attachments)
- Authentication credentials or API tokens
- Project keys or board names (stripped before AI calls)
- Atlassian account IDs or email addresses
Website visitor data
- Page views, referral sources, and visitor behavior (Google Analytics)
- Company-level identification from IP addresses — not individual visitors (Snitcher)
- No personal data is sold or shared with third parties for advertising
See our Analytics & Cookies page for full details and opt-out options.
Legal basis: Consent (GDPR Art. 6(1)(a) and ePrivacy Directive Art. 5(3)). Analytics scripts are only loaded after you grant explicit consent via our cookie banner. You may withdraw consent at any time by clearing your browser cookies.
Correspondence
- Name and email address when you contact us at privacy@supertemplates.ai
- Content of your message and any attachments
- Purpose: responding to inquiries, fulfilling data subject requests, and providing support
- Legal basis: Contractual necessity (Art. 6(1)(b)) or Legitimate interest (Art. 6(1)(f)) in responding to inquiries
- Retention: kept for the duration of the inquiry plus 12 months, then deleted
4. Legal Basis for Processing (GDPR)
For App Users (we are a data processor):
Your Atlassian organization (the data controller) determines the legal basis for processing. We process data solely on your organization's instructions under our Data Processing Agreement.
For Website Visitors (we are the data controller):
- Contractual necessity (Art. 6(1)(b) GDPR) — to provide the website and respond to inquiries
- Legitimate interest (Art. 6(1)(f) GDPR) — to improve and secure the website, diagnose issues
- Consent (Art. 6(1)(a) GDPR) — for analytics cookies (Google Analytics, Snitcher) and marketing communications
- Legal obligation (Art. 6(1)(c) GDPR) — to comply with applicable laws
5. How We Protect Your Data
Smart Anonymization
Before data is sent to AI providers, we automatically replace known Jira user identifiers — display names from your project's member list are substituted with anonymous codes (e.g., “User_1”), and system identifiers such as Atlassian account IDs, email addresses, project keys, and board names are stripped. AI providers never see these identifiers. In GDPR terms, this process constitutes pseudonymization (Art. 4(5)), not full anonymization — the mapping between codes and original identifiers exists within your Jira instance.
Important: Free-text content you enter in prompts (task descriptions, meeting notes, requirements) is sent to AI providers as written. If you include personal names not in your Jira project's user list, confidential information, or sensitive data directly in your prompt text, we cannot automatically detect or remove it. You are responsible for not including sensitive personal data in AI generation prompts.
Encryption
All data in transit is encrypted using TLS 1.2+. Data at rest is encrypted using AES-256 via Atlassian Forge infrastructure. BYOK API keys are stored using Forge Secrets storage with additional encryption.
EU Data Residency
Google Vertex AI regional endpoints (currently available in EU regions including Netherlands, Belgium, Paris, Madrid, Warsaw, and Finland) provide EU data residency with contractual guarantees. ML processing happens locally in the same region. Cerebras processes data transiently in memory with zero retention. Vertex AI processes data within your selected region with no training on your data.
Model and region availability: AI models are periodically updated, retired, or replaced by their providers. When we adopt a newer model (e.g., moving from one Gemini version to the next), the set of available regions is determined by Google/Vertex AI and may differ from the previous model. We will always select an EU endpoint when one is available, but we cannot guarantee that every specific region will be supported for every model version. If a model change materially affects data residency options, we will notify site administrators before the change takes effect.
No-Training Guarantee
All AI providers used by SuperTemplates have no-training policies for API data. Your prompts are not used to train AI models. Cerebras processes data transiently with zero retention. Vertex AI may retain flagged prompts for up to 90 days for abuse monitoring (opt-out available when using your own API key via BYOK).
These provider policies are current as of March 2026. We review our AI providers' terms periodically and when renewing or changing providers. If any provider materially changes their data handling practices, we will promptly notify site administrators, update this policy, and if necessary disable providers that no longer meet our data protection standards.
6. AI Transparency (EU AI Act)
Under the EU AI Act, SuperTemplates is classified as a limited-risk AI system (content generation tool). We comply with transparency obligations as follows:
- AI interaction disclosure — the App clearly indicates when content is generated by AI. All AI-generated tasks are presented in a review interface before creation.
- Human oversight — no AI-generated content is created in Jira without explicit human review and approval (human-in-the-loop).
- No autonomous decisions — the App does not make automated decisions that produce legal or similarly significant effects on individuals (GDPR Article 22). It is a productivity tool that assists human decision-making rather than replacing it.
7. Data Retention
We retain data only as long as necessary for the purposes described in this policy.
| Data Type | Retention Period |
|---|---|
| Templates & preferences | Until you delete them or uninstall the App |
| AI generation sessions | Transient — cleared after task creation or session end |
| AI provider data | Cerebras: zero retention; Vertex AI: no training, up to 90-day abuse monitoring (opt-out with BYOK); see provider terms |
| BYOK API keys | Until admin revokes or App is uninstalled |
| Usage analytics | Aggregated, no personal data retained |
| App data after uninstall | Deleted per Atlassian Forge data retention policies |
8. Sub-processors
We use the following third-party AI providers. All hold SOC 2 Type II attestation.
| Provider | Type | Data Retention |
|---|---|---|
| Atlassian (Forge) | App hosting, data storage, authentication | Per your Atlassian data residency region |
| Cerebras | AI Included | Zero retention |
| Google Vertex AI | AI Included | No training; 90-day abuse monitoring (opt-out with BYOK); EU residency (regions depend on model version) |
| PostHog | In-app analytics (admin can disable) | SOC 2 Type II; no personal data stored |
| Vercel | Website hosting (cookieless) | Aggregated, anonymized |
| Google Analytics | Website analytics (consent required) | Per GA4 retention settings |
| Snitcher | Website B2B identification (consent required) | EU-based; GDPR compliant |
BYOK Providers (Controller-directed)
The following AI providers are available when a site administrator configures their own API key (BYOK). SuperTemplates acts solely as a technical conduit — the provider processes data under your direct instructions using your own account and API credentials. The Controller configures their own API credentials, selects the provider, and maintains a direct contractual relationship with the provider. SuperTemplates executes the Controller's documented instructions to route pseudonymized prompts via the Controller's own account — it does not independently determine the purposes or essential means of processing for BYOK providers. Their own privacy policy and terms of service apply to your data.
| Provider | Data Retention |
|---|---|
| OpenAI | No training on API data |
| Anthropic | No training on API data |
| Google Gemini | No training on API data |
BYOK providers are inactive by default and require the site admin to supply their own API key. The App does not hold keys for these providers.
9. Admin Controls
Site administrators can:
- Disable specific AI models from the admin panel
- View per-user AI usage statistics
- Manage BYOK API keys (add, revoke, rotate)
- Disable analytics egress at the site level (app functions normally without analytics)
- Export or delete all app data for their organization
10. Your Rights (GDPR)
App users (Jira)
Your Atlassian organization is the data controller for all data processed through the App. SuperTemplates is a Forge-native app — all data is stored on Atlassian's infrastructure, not on our servers. We do not have independent access to your organization's data.
To exercise GDPR rights regarding your Jira data (access, erasure, portability, etc.), contact your Atlassian site administrator. They can export or delete all app data directly, or uninstall the App to remove all stored data per Atlassian's Forge data retention policies.
In-app analytics (PostHog) track only anonymous product usage events (e.g., feature clicks, page views) with no personal identifiers. Your site administrator can disable analytics entirely from the admin panel.
Website visitors (supertemplates.ai)
We are the data controller for analytics data collected through our website. This data is limited to what Google Analytics and Snitcher collect after you grant cookie consent (see Analytics & Cookies).
Under GDPR, you have the right to:
- Access — request a copy of personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your data from our analytics providers (clearing cookies alone only stops future tracking)
- Restrict processing — limit how we process your data
- Object — object to processing based on legitimate interests
- Withdraw consent — revoke cookie consent at any time via the cookie banner or by clearing your browser cookies; withdrawal stops future data collection but does not affect data already processed
- Lodge a complaint — with the Polish Data Protection Authority (Prezes Urzędu Ochrony Danych Osobowych, uodo.gov.pl) or another supervisory authority in your jurisdiction
To request backend data deletion or exercise any other right, contact us at privacy@supertemplates.ai. We will respond within one calendar month per GDPR Article 12(3).
11. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
- Right to know — what personal information we collect, use, or share
- Right to delete — request deletion of your personal information
- Right to opt-out — of the sale of personal information (we do not sell personal data)
- Right to non-discrimination — for exercising your CCPA rights
We do not sell personal information. We do not share personal information for cross-contextual behavioral advertising.
12. International Data Transfers
App data is stored on Atlassian Forge infrastructure and follows your Atlassian Cloud data residency region. AI prompts may be sent to providers outside the EEA.
Transfer safeguards by provider:
- Google Vertex AI — EU regional endpoints available (Netherlands, Belgium, Paris, Madrid, Warsaw, Finland); when an EU endpoint is selected, data does not leave the EEA. For US endpoints, transfers are covered by Google's EU-US Data Privacy Framework certification and Standard Contractual Clauses in the Cloud Data Processing Addendum
- Cerebras — US-based; transfers are governed by the EU Standard Contractual Clauses (SCCs, Module 3: Processor to Sub-processor) with UK Addendum, as incorporated in the Cerebras DPA. A Transfer Impact Assessment (TIA) has been conducted. Supplementary measures include zero data retention (prompts are processed transiently in memory and never stored) and a contractual prohibition on using API data for model training
For BYOK providers, your organization directs the transfer under your own API credentials. The applicable transfer mechanism depends on your provider agreement.
13. Children's Privacy
The App is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us at privacy@supertemplates.ai and we will promptly delete it.
14. Data Protection Contact
After assessing our processing activities against GDPR Article 37, we have determined that a Data Protection Officer (DPO) is not required. Our core activities do not involve large-scale systematic monitoring of individuals or large-scale processing of special category data.
For all privacy inquiries, data subject requests, or concerns about our data processing, please contact our Data Protection Lead: privacy@supertemplates.ai
15. Changes to This Policy
We may update this policy when we add new AI providers or features. Material changes will be communicated through the App or via email to site administrators with at least 14 days' advance notice.
16. Contact
For privacy-related questions or data requests, contact us at privacy@supertemplates.ai