Privacy Policy

Effective date: 2026-04-27 · Contact: contact@cinderlab.io

Threadmaker ("we", "our", "us") provides a two-way comment-sync integration between Slack workspaces and Jira Cloud projects. This policy explains what we collect, why we need it, and how you can request deletion.

Plain-English summary

What we collect: Slack workspace IDs, bot tokens (stored in Cloudflare D1 with platform-level AES-256 encryption at rest), channel-to-project mappings, comment-sync metadata, and a 90-day audit log of sync attempts.

What we don't: message bodies (we only forward them), Jira API tokens (Atlassian's Forge platform handles auth on our behalf), or any data for AI / ML training.

Your control: uninstall anytime — we delete your workspace data within 30 days. Full GDPR / CCPA rights below; DPA available on request.

Where data lives: on Cloudflare's global network (primary region in the United States, region code wnam). EU customer data is transferred to the USA under the EU-US Data Privacy Framework (DPF) and EU Standard Contractual Clauses Module 2 — see §9 below.

1. Data we store

We store the minimum data required to deliver the integration:

Slack workspace data: team ID, bot user ID, bot access token, channel IDs you explicitly map to Jira projects, the thread timestamp of anchor messages, and an installation-specific connection token (UUID).
Forge proxy metadata: a per-installation proxy URL and shared HMAC secret used to route Jira operations through the Atlassian Forge plugin. We do not store Jira API tokens.
Comment mapping: pairs of (jira_comment_id, slack_message_ts) so edits and deletes on one side can be reflected on the other.
Operational metadata: short-lived dedup markers (consumed within seconds), a 90-day audit log of sync attempts (direction, issue key, success/failure, error message), and a retry queue of pending deliveries.

We do not store message bodies or comment text beyond the time required to relay them to the destination system. Audit log entries record metadata only.

2. Legal basis for processing (GDPR Art. 6)

For Customer Personal Data subject to GDPR, we rely on the following legal bases. The "purpose" column maps each processing activity to the relevant Art. 6 legal basis.

Processing activity	Purpose	Legal basis
Storing Slack workspace identifiers, bot token, channel-to-project mappings, anchor message timestamps	Performing the sync service the customer subscribed to	Art. 6(1)(b) — contract performance
Routing comment / message content between Slack and Jira	Performing the sync service the customer subscribed to	Art. 6(1)(b) — contract performance (acting as processor on the controller's instructions; see §8)
Maintaining audit logs (sync attempts, errors), retry queue, metric counters	Service operation, debugging, abuse detection, accountability	Art. 6(1)(f) — legitimate interests (operating a reliable B2B service); Art. 6(1)(c) — legal obligation (record-keeping under GDPR Art. 30 / Art. 32)
Caching Slack ↔ Jira user identity (email → account ID) for 24h to render `@mentions` across systems	Cross-system mention rendering	Art. 6(1)(f) — legitimate interests (productivity feature essential to the integration; minimised by aggressive 24h TTL)
Internal administrative access via `tm-admin` for support, security investigations, capacity monitoring (§5)	Service operation and abuse response	Art. 6(1)(f) — legitimate interests; Art. 6(1)(c) — legal obligation (incident response)
Replying to direct GDPR / CCPA data subject requests (access / erasure / portability / etc.)	Honouring statutory rights of the data subject	Art. 6(1)(c) — legal obligation

We do not rely on Art. 6(1)(a) consent as a primary legal basis: the Service is a B2B integration installed by a workspace administrator, not by end users individually, and the lawful processing flows from the contract between the controller-customer and us as processor.

3. Data we do not collect

We do not sell or share data with advertisers.
We do not, and do not permit any subprocessor to, use Customer Data to train, fine-tune, or evaluate AI or machine-learning models, including foundation models, retrieval indexes, or recommender systems.
We do not access channels, private groups, or Jira projects you have not explicitly mapped via /jira-map or the project settings page.

4. Sub-processors and host platforms

The list distinguishes parties engaged by Threadmaker as Sub-processors (we contract them, instruct them, and pay them) from host platforms that the customer is independently contracted with — these are listed for transparency and to disclose the data flow, but Threadmaker does not engage them as Sub-processors within the meaning of GDPR Art. 28; the customer's primary contract with each platform governs.

Engaged by Threadmaker as Sub-processors:

Cloudflare, Inc. (USA, region wnam) — Workers runtime · D1 tenant database · KV (TENANT_SHARDS) routing cache · R2 (daily AES-256-GCM-encrypted full-database snapshots; 90-day rolling retention production / 30-day staging) · Cloudflare Access (operator-only admin portal SSO).
Functional Software, Inc. (Sentry, USA) — error reporting (scrubbed payloads only; no message bodies, no comment text; PII-substring scrubber strips emails, tokens, and secrets before egress).
Atlassian, Inc. — Atlassian Marketplace billing only (Atlassian collects subscription fees and remits to Threadmaker net of Atlassian's revenue share).

Host platforms (customer's primary contract governs; not engaged by Threadmaker as Sub-processors):

Atlassian, Inc. — Forge plugin runtime. Hosts the Threadmaker Jira plugin inside the customer's licensed Atlassian tenant; Jira data does not leave Atlassian's infrastructure.
Slack Technologies LLC (Salesforce) — source and sink for synced message data via the OAuth grant the customer's workspace administrator provided.

For granular roles, data categories, and transfer mechanisms, see the canonical Sub-processor list.

5. Subprocessor changes

We will provide at least 30 days' advance notice before adding or replacing a subprocessor that materially affects how Customer Personal Data is processed. Notice is given by (i) updating the Sub-processor list with the proposed change and effective date, AND (ii) at least one of the following, in order: the procurement-contact email registered at /dpa-contact, OR the email address associated with the Atlassian Marketplace billing account. We may additionally display the change in the Slack App Home tab or the Forge plugin admin page in Jira; such in-product notices are operational fallbacks only and do not substitute for written notice. During the notice window, you may object in writing to dpo@cinderlab.io; an unresolved objection is grounds for terminating the Service with a pro-rata refund of any pre-paid Atlassian Marketplace fees.

6. Internal access by CT Core personnel

Threadmaker operates today as a sole-proprietor entity with no employees and no third-party personnel access to production systems. Authorized Threadmaker personnel — currently the sole operator, plus any contractor that may be engaged in the future under written confidentiality and standard due-diligence obligations — may access Customer Data through an internal administrative tool ("tm-admin") solely to: (i) provide customer support in response to your request; (ii) investigate security incidents; (iii) monitor service health and capacity; or (iv) comply with legal obligations. All such access is authenticated, logged for two years in our admin_audit_log table, and limited to the minimum data needed for the task. We do not access message bodies (we do not store them in any case). We do not access Customer Data for marketing, product analytics, or AI / ML model training.

7. Retention and deletion

Data	Retention
`audit_log` (sync events)	90 days
`metric_events` (counters; no PII in tags)	30 days
`retry_queue` — completed entries	7 days
`retry_queue` — failed entries	30 days
`retry_queue` — abandoned pending entries	7 days
`message_origins` (echo-prevention)	10 minutes
`slack_users_cache` (email→accountId mapping for @mention rendering)	Cache value refreshed on demand every 24 hours; row deleted 30 days after last refresh, OR immediately on workspace uninstall
`rate_limits` (per-tenant + per-IP counters)	Rolling 1-hour window (auto-reset)
`admin_audit_log` (internal CT Core staff access via tm-admin)	2 years (calibrated to GDPR Art. 28(3)(h) Sub-Processor accountability and the typical 12–18 month claim-emergence window for commercial disputes)
Workspace, channel mappings, comment mappings (`workspaces`, `channel_project_map`, `issue_threads`, `comment_map`, `comment_attachment_map`, `reaction_sync_map`, `project_settings`)	Deleted on uninstall (typically within minutes of `app_uninstalled` event); SLA upper bound 30 days for DSR erasure
`workspace_deletions` (compliance tombstone — workspace ID + deletion timestamp + DSR ticket reference, no content)	Indefinite (audit trail that the Article 17 erasure was performed)

To request immediate deletion of all your workspace data, email dpo@cinderlab.io with subject "Data deletion request" — we will purge within 30 days per GDPR Art. 17.

8. Security

All traffic is transported over TLS 1.3.
Slack request signatures are verified with HMAC-SHA256 (Web Crypto, constant-time).
Inter-component traffic (Cloudflare ↔ Forge) is HMAC-signed.
Database access is restricted to the Worker's D1 binding; no public endpoint.
No Jira API tokens are ever stored; all Jira REST calls flow through the Atlassian-hosted Forge plugin via api.asApp().
Encryption at rest: Cloudflare D1 platform-level AES-256.

Personal-data breach notification. If a Personal Data breach as defined in GDPR Art. 4(12) occurs and is likely to result in a risk to the rights and freedoms of data subjects, we will notify affected workspace administrators (in their capacity as controllers) without undue delay and in any event within 72 hours of becoming aware, via the procurement-contact email registered under §5 (or, in its absence, the Atlassian Marketplace billing-account email), with dpo@cinderlab.io copied. The notice will provide information sufficient to enable the controller to meet its obligations under GDPR Arts. 33 and 34. The 72-hour clock runs from our awareness, not the time of the underlying incident, consistent with EDPB Guideline 09/2022.

9. International data transfers

Customer Personal Data is hosted on Cloudflare's global edge network with the primary D1 region in the United States (region code wnam). Subprocessors (§4) are also US-headquartered. Transfers from the EEA, UK, or Switzerland to the United States rely, in this priority order:

EU-US Data Privacy Framework (DPF) — Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 (C(2023) 4745). All four of our US-based subprocessors — Cloudflare, Atlassian, Slack (Salesforce), and Sentry (Functional Software) — are self-certified DPF participants (current participation status verifiable at dataprivacyframework.gov). We rely on DPF as the primary transfer mechanism for transfers to those subprocessors.
EU Standard Contractual Clauses (SCCs) Module 2 (controller-to- processor) — Commission Implementing Decision (EU) 2021/914 of 4 June 2021. SCCs Module 2 forms part of our DPA (§5 of the DPA) and applies automatically as a fallback if DPF coverage lapses.
UK Addendum to the SCCs (UK ICO Addendum, version B1.0, 17 Mar 2022) and the Swiss FDPIC supplementary measures apply to UK and Swiss-origin transfers respectively.

For granular roles and per-vendor regions, see the Sub-processor list and the DPA at /dpa.

10. Data-processing roles and DPA (GDPR Art. 28)

For Personal Data routed through the Service (message and comment content), Threadmaker acts as a data processor on your behalf; you are the controller. For the limited installation metadata described in §1 (workspace identifiers, mapped channels, comment-mapping records), Threadmaker acts as a data controller. A Data Processing Addendum (DPA) incorporating the European Commission's Standard Contractual Clauses (SCCs) Module 2 applies to all EU/UK/EEA customers and is published at /dpa; a counter-signed paper or PDF counterpart is available on request to dpo@cinderlab.io. The DPA is deemed incorporated by reference for any Customer who is a controller under GDPR Art. 4(7) and uses the Service in production.

11. Your rights (GDPR / CCPA)

If you are in the EEA, UK, or California, you have these statutory rights in relation to your Personal Data:

Access — receive a copy of the data we hold about you (GDPR Art. 15).
Rectification — correct inaccurate or incomplete data (GDPR Art. 16).
Erasure — request deletion ("right to be forgotten", GDPR Art. 17), subject to legal-hold exceptions.
Restriction of processing — limit how we process your data (GDPR Art. 18).
Data portability — receive your data in a structured, machine-readable format (GDPR Art. 20).
Object to processing — withdraw consent or opt out of processing based on legitimate interest (GDPR Art. 21).
Not be subject to automated decision-making — including profiling (GDPR Art. 22). Threadmaker does not perform automated decisions affecting you.

Requests can be sent to dpo@cinderlab.io and will be answered within 30 days. Customers outside the EU/EEA/UK should consult their local data-protection regulator; we apply the same operational measures globally.

Right to lodge a complaint with a supervisory authority (GDPR Art. 13(2)(d) and Art. 77). If you believe our processing of your Personal Data infringes the GDPR, you may lodge a complaint with the Polish lead supervisory authority — Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland; https://uodo.gov.pl; tel. +48 22 531 03 00 — or with the supervisory authority of your EU/EEA member state of habitual residence, place of work, or place of the alleged infringement. UK residents may complain to the UK Information Commissioner's Office (ICO); Swiss residents to the Federal Data Protection and Information Commissioner (FDPIC).

12. Eligibility

Threadmaker is a B2B service. Access is granted exclusively through a Slack workspace or Jira site administered by an employer or organisational entity that has agreed to the upstream Slack Customer Terms of Service or Atlassian Cloud Terms of Service. Those upstream agreements require the workspace administrator to be of majority age in their jurisdiction and to ensure that authorised end users are of working age. Threadmaker does not provide self-serve consumer signup, does not contract directly with end users, and does not perform separate age verification.

Where statutory age limits apply to data subjects' consent capacity (e.g. GDPR Art. 8 as implemented in Poland by the Polish Data Protection Act of 10 May 2018, Art. 4 — age 16), Threadmaker relies on the upstream platforms' admin onboarding and acceptable-use controls to enforce them.

13. Changes

We will update the "Effective date" at the top of this page when we make material changes. Installed workspaces will receive an in-product notice in the App Home tab for any change that expands the categories of data we collect.

14. Contact

Data-protection officer / DSR / privacy questions / breach notification: dpo@cinderlab.io
Security disclosure: security@cinderlab.io
Operational support: support@cinderlab.io
Legal notices: legal@cinderlab.io
General inquiries: contact@cinderlab.io