Privacy Policy

Effective date: 2026-04-27 · Contact: contact@threadmaker.dev

Threadmaker ("we", "our", "us") provides a two-way comment-sync integration between Slack workspaces and Jira Cloud projects. This policy explains what we collect, why we need it, and how you can request deletion.

Plain-English summary

What we collect: Slack workspace IDs, bot tokens (stored in Cloudflare D1 with platform-level AES-256 encryption at rest), channel-to-project mappings, comment-sync metadata, and a 90-day audit log of sync attempts.

What we don't: message bodies (we only forward them), Jira API tokens (Atlassian's Forge platform handles auth on our behalf), or any data for AI / ML training.

Your control: uninstall anytime — we delete your workspace data within 30 days. Full GDPR / CCPA rights below; DPA available on request.

Where data lives: on Cloudflare's global network (primary region in the United States, region code wnam). EU customer data is transferred to the USA under the EU-US Data Privacy Framework (DPF) and EU Standard Contractual Clauses Module 2 — see §9 below.

1. Data we store

We store the minimum data required to deliver the integration:

Slack workspace data: team ID, bot user ID, bot access token, channel IDs you explicitly map to Jira projects, the thread timestamp of anchor messages, and an installation-specific connection token (UUID).
Forge proxy metadata: a per-installation proxy URL and shared HMAC secret used to route Jira operations through the Atlassian Forge plugin. We do not store Jira API tokens.
Comment mapping: pairs of (jira_comment_id, slack_message_ts) so edits and deletes on one side can be reflected on the other.
Operational metadata: short-lived dedup markers (consumed within seconds), a 90-day audit log of sync attempts (direction, issue key, success/failure, error message), and a retry queue of pending deliveries.

We do not intentionally retain message bodies or comment text beyond the period reasonably necessary to relay them to the destination system (including delivery, retries, incident handling, and short-term operational recovery). Audit log entries record metadata only.

Whose data we process (categories of data subjects). Depending on how the Service is used, we process Personal Data relating to: workspace and Jira-site administrators who install, configure, or manage the Service; end users whose messages or comments are synced through the Service; individuals who contact us for support, operational, or business purposes; and visitors to threadmaker.dev and related websites.

2. Legal basis for processing (GDPR Art. 6)

For Customer Personal Data subject to GDPR, we rely on the following legal bases. The "purpose" column maps each processing activity to the relevant Art. 6 legal basis.

Processing activity	Purpose	Legal basis
Storing Slack workspace identifiers, bot token, channel-to-project mappings, anchor message timestamps	Performing the sync service the customer subscribed to	Art. 6(1)(b) — contract performance
Routing comment / message content between Slack and Jira	Performing the sync service the customer subscribed to	Art. 6(1)(b) — contract performance (acting as processor on the controller's instructions; see §8)
Maintaining audit logs (sync attempts, errors), retry queue, metric counters	Service operation, debugging, abuse detection, accountability	Art. 6(1)(f) — legitimate interests (operating a reliable B2B service); Art. 6(1)(c) — legal obligation (record-keeping under GDPR Art. 30 / Art. 32)
Caching Slack ↔ Jira user identity (email → account ID) for 24h to render `@mentions` across systems	Cross-system mention rendering	Art. 6(1)(f) — legitimate interests (productivity feature essential to the integration; minimised by aggressive 24h TTL)
Internal administrative access via `tm-admin` for support, security investigations, capacity monitoring (§5)	Service operation and abuse response	Art. 6(1)(f) — legitimate interests; Art. 6(1)(c) — legal obligation (incident response)
Replying to direct GDPR / CCPA data subject requests (access / erasure / portability / etc.)	Honouring statutory rights of the data subject	Art. 6(1)(c) — legal obligation

We do not rely on Art. 6(1)(a) consent as a primary legal basis: the Service is a B2B integration installed by a workspace administrator, not by end users individually, and the lawful processing flows from the contract between the controller-customer and us as processor.

3. Data we do not collect

We do not sell or share data with advertisers.
We do not, and do not permit any subprocessor to, use Customer Data to train, fine-tune, or evaluate AI or machine-learning models, including foundation models, retrieval indexes, or recommender systems.
We do not access channels, private groups, or Jira projects you have not explicitly mapped via /jira-map or the project settings page.

4. Sub-processors and host platforms

The list distinguishes parties engaged by Threadmaker as Sub-processors (we contract them, instruct them, and pay them) from host platforms that the customer is independently contracted with — these are listed for transparency and to disclose the data flow, but Threadmaker does not engage them as Sub-processors within the meaning of GDPR Art. 28; the customer's primary contract with each platform governs.

Engaged by Threadmaker as Sub-processors:

Cloudflare, Inc. (USA, region wnam) — Workers runtime · D1 tenant database · KV (TENANT_SHARDS) routing cache · R2 (daily AES-256-GCM-encrypted full-database snapshots; 90-day rolling retention production / 30-day staging) · Cloudflare Access (operator-only admin portal SSO).
Functional Software, Inc. (Sentry, USA) — error reporting (scrubbed payloads only; no message bodies, no comment text; PII-substring scrubber strips emails, tokens, and secrets before egress).
Atlassian, Inc. — Atlassian Marketplace billing only (Atlassian collects subscription fees and remits to Threadmaker net of Atlassian's revenue share).

Host platforms (customer's primary contract governs; not engaged by Threadmaker as Sub-processors):

Atlassian, Inc. — Forge plugin runtime. Hosts the Threadmaker Jira plugin inside the customer's licensed Atlassian tenant; Jira data does not leave Atlassian's infrastructure.
Slack Technologies LLC (Salesforce) — source and sink for synced message data via the OAuth grant the customer's workspace administrator provided.

For granular roles, data categories, and transfer mechanisms, see the canonical Sub-processor list.

5. Subprocessor changes

We will provide at least 30 days' advance notice before adding or replacing a subprocessor that materially affects how Customer Personal Data is processed. Notice is given by (i) updating the Sub-processor list with the proposed change and effective date, AND (ii) at least one of the following, in order: the procurement-contact email subscribed by sending dpo@threadmaker.dev with subject "Sub-processor notice subscription", OR the email address associated with the Atlassian Marketplace billing account. We may additionally display the change in the Slack App Home tab or the Forge plugin admin page in Jira; such in-product notices are operational fallbacks only and do not substitute for written notice. During the notice window, you may object in writing to dpo@threadmaker.dev; an unresolved objection is grounds for terminating the Service with a pro-rata refund of any pre-paid Atlassian Marketplace fees.

6. Internal access by CT Core personnel

Threadmaker operates today as a sole-proprietor entity with no employees and no third-party personnel access to production systems. Authorized Threadmaker personnel — currently the sole operator, plus any contractor that may be engaged in the future under written confidentiality and standard due-diligence obligations — may access Customer Data through an internal administrative tool ("tm-admin") solely to: (i) provide customer support in response to your request; (ii) investigate security incidents; (iii) monitor service health and capacity; or (iv) comply with legal obligations. All such access is authenticated, logged for two years in our admin_audit_log table, and limited to the minimum data needed for the task. We do not access message bodies (we do not store them in any case). We do not access Customer Data for marketing, product analytics, or AI / ML model training.

6.1 Operator-side data minimization

The tm-admin portal applies pseudonymization at the display layer for personal data shown to Threadmaker internal staff:

Pseudonymous identifiers (Slack user IDs U…, Jira account IDs 557058:…) are masked by default in the per-tenant /triage audit timeline. The operator must explicitly click 👁 to reveal a specific row; the reveal action is recorded as a distinct debug.reveal_actor entry in admin_audit_log so a subsequent customer access request under GDPR Art. 15 can answer precisely which identifiers a staff member viewed and when.
Debug-logging toggles are per-tenant, namespace-scoped (the operator picks specific code paths, e.g. mentions.resolve, rather than fleet-wide), and TTL-capped at 60 minutes (hard limit enforced server-side). When the TTL expires, debug emission stops automatically — no operator action required, no possibility of "left on overnight" exposure.
All operator portal accesses (page views, toggle flips, reveal clicks) write rows to admin_audit_log, retained for 2 years per §7. Customers exercising their Art. 15 access right can request the subset of these rows that referenced their workspace by emailing dpo@threadmaker.dev.

These controls are defense-in-depth measures, not anonymization in the GDPR sense (see Recital 26 vs Art. 4(5)) — the underlying data remains in scope of this Policy and the customer's DPA. They reduce the blast radius of an operator-account compromise and the temptation of casual staff browsing without legitimate need.

7. Retention and deletion

Data	Retention
`audit_log` (sync events)	90 days
`metric_events` (counters; no PII in tags)	30 days
`retry_queue` — completed entries	7 days
`retry_queue` — failed entries	30 days
`retry_queue` — abandoned pending entries	7 days
`message_origins` (echo-prevention)	10 minutes
`slack_users_cache` (email→accountId mapping for @mention rendering)	Cache value refreshed on demand every 24 hours; row deleted 30 days after last refresh, OR immediately on workspace uninstall, OR within 30 days of an operator-handled data-subject erasure request
`rate_limits` (per-tenant + per-IP counters)	Rolling 1-hour window (auto-reset)
`admin_audit_log` (internal CT Core staff access via tm-admin)	2 years (calibrated to GDPR Art. 28(3)(h) Sub-Processor accountability and the typical 12–18 month claim-emergence window for commercial disputes)
Workspace, channel mappings, comment mappings (`workspaces`, `channel_project_map`, `issue_threads`, `comment_map`, `comment_attachment_map`, `reaction_sync_map`, `project_settings`)	Deleted on uninstall (typically within minutes of `app_uninstalled` event); SLA upper bound 30 days for DSR erasure
`workspace_deletions` (compliance tombstone — workspace ID + deletion timestamp + DSR ticket reference, no content)	Retained for as long as reasonably necessary to demonstrate compliance with deletion obligations and defend against legal claims

To request immediate deletion of all your workspace data, email dpo@threadmaker.dev with subject "Data deletion request" — we will purge within 30 days per GDPR Art. 17.

8. Security

All traffic is transported over TLS 1.3.
Slack request signatures are verified with HMAC-SHA256 (Web Crypto, constant-time).
Inter-component traffic (Cloudflare ↔ Forge) is HMAC-signed.
Database access is restricted to the Worker's D1 binding; no public endpoint.
No Jira API tokens are ever stored; all Jira REST calls flow through the Atlassian-hosted Forge plugin via api.asApp().
Encryption at rest: Cloudflare D1 platform-level AES-256.

Cookies. The public website and the Service use only a single strictly-necessary cookie — a short-lived (10-minute), HttpOnly CSRF-protection token set during the Slack OAuth installation flow and scoped to that callback path. We set no analytics, advertising, profiling, or cross-site tracking cookies, and we use no third-party tracking technologies. Because the only cookie is strictly necessary for a security function you request (secure installation), no consent banner is required under the ePrivacy Directive as implemented in Polish law (Prawo telekomunikacyjne).

Personal-data breach notification. If a Personal Data breach as defined in GDPR Art. 4(12) occurs and is likely to result in a risk to the rights and freedoms of data subjects, we will notify affected workspace administrators (in their capacity as controllers) without undue delay and in any event within 72 hours of becoming aware, via the procurement-contact email registered under §5 (or, in its absence, the Atlassian Marketplace billing-account email), with dpo@threadmaker.dev copied. The notice will provide information sufficient to enable the controller to meet its obligations under GDPR Arts. 33 and 34. The 72-hour clock runs from our awareness, not the time of the underlying incident, consistent with EDPB Guideline 09/2022.

9. International data transfers

Customer Personal Data is hosted on Cloudflare's global edge network with the primary D1 region in the United States (region code wnam). Subprocessors (§4) are also US-headquartered. Transfers from the EEA, UK, or Switzerland to the United States rely, in this priority order:

EU-US Data Privacy Framework (DPF) — Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 (C(2023) 4745). All four of our US-based subprocessors — Cloudflare, Atlassian, Slack (Salesforce), and Sentry (Functional Software) — are self-certified DPF participants (current participation status verifiable at dataprivacyframework.gov). We rely on DPF as the primary transfer mechanism for transfers to those subprocessors.
EU Standard Contractual Clauses (SCCs) Module 2 (controller-to- processor) — Commission Implementing Decision (EU) 2021/914 of 4 June 2021. SCCs Module 2 forms part of our DPA (§5 of the DPA) and applies automatically as a fallback if DPF coverage lapses.
UK Addendum to the SCCs (UK ICO Addendum, version B1.0, 17 Mar 2022) and the Swiss FDPIC supplementary measures apply to UK and Swiss-origin transfers respectively.

For granular roles and per-vendor regions, see the Sub-processor list and the DPA at /dpa.

10. Data-processing roles and DPA (GDPR Art. 28)

For Personal Data routed through the Service (message and comment content), Threadmaker acts as a data processor on your behalf; you are the controller. For the limited installation metadata described in §1 (workspace identifiers, mapped channels, comment-mapping records), Threadmaker acts as a data controller. A Data Processing Addendum (DPA) incorporating the European Commission's Standard Contractual Clauses (SCCs) Module 2 applies to all EU/UK/EEA customers and is published at /dpa; a counter-signed paper or PDF counterpart is available on request to dpo@threadmaker.dev. The DPA is deemed incorporated by reference for any Customer who is a controller under GDPR Art. 4(7) and uses the Service in production.

11. Your rights (GDPR / CCPA)

If you are in the EEA, UK, or California, you have these statutory rights in relation to your Personal Data:

Access — receive a copy of the data we hold about you (GDPR Art. 15).
Rectification — correct inaccurate or incomplete data (GDPR Art. 16).
Erasure — request deletion ("right to be forgotten", GDPR Art. 17), subject to legal-hold exceptions.
Restriction of processing — limit how we process your data (GDPR Art. 18).
Data portability — receive your data in a structured, machine-readable format (GDPR Art. 20).
Object to processing — withdraw consent or opt out of processing based on legitimate interest (GDPR Art. 21).
Not be subject to automated decision-making — including profiling (GDPR Art. 22). We may use automated systems to support the operation, security, and functionality of the Service, but we do not make decisions based solely on automated processing that produce legal or similarly significant effects on you within the meaning of Art. 22.

Requests can be sent to dpo@threadmaker.dev and will be answered within 30 days. Customers outside the EU/EEA/UK should consult their local data-protection regulator; we apply the same operational measures globally.

Right to lodge a complaint with a supervisory authority (GDPR Art. 13(2)(d) and Art. 77). If you believe our processing of your Personal Data infringes the GDPR, you may lodge a complaint with the Polish lead supervisory authority — Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland; https://uodo.gov.pl; tel. +48 22 531 03 00 — or with the supervisory authority of your EU/EEA member state of habitual residence, place of work, or place of the alleged infringement. UK residents may complain to the UK Information Commissioner's Office (ICO); Swiss residents to the Federal Data Protection and Information Commissioner (FDPIC).

12. Eligibility

Threadmaker is a B2B service. Access is granted exclusively through a Slack workspace or Jira site administered by an employer or organisational entity that has agreed to the upstream Slack Customer Terms of Service or Atlassian Cloud Terms of Service. Those upstream agreements require the workspace administrator to be of majority age in their jurisdiction and to ensure that authorised end users are of working age. Threadmaker does not provide self-serve consumer signup, does not contract directly with end users, and does not perform separate age verification.

Where statutory age limits apply to data subjects' consent capacity (e.g. GDPR Art. 8 as implemented in Poland by the Polish Data Protection Act of 10 May 2018, Art. 4 — age 16), Threadmaker relies on the upstream platforms' admin onboarding and acceptable-use controls to enforce them.

13. Changes

We will update the "Effective date" at the top of this page when we make material changes. Installed workspaces will receive an in-product notice in the App Home tab for any change that expands the categories of data we collect.

14. Contact

Privacy contact / DSR / privacy questions / breach notification: dpo@threadmaker.dev
Security disclosure: security@threadmaker.dev
Operational support: support@threadmaker.dev
Legal notices: legal@threadmaker.dev
General inquiries: contact@threadmaker.dev