Effective date: 13 Apr 2026
Last updated: 13 Apr 2026

This Privacy Policy explains how AOBRAIN (“we”, “us”, “our”) processes data when you use EpicStory for Jira Cloud (the “App”), submit a request through our marketing website, and interact with our consent-based website analytics and advertising tools.

1. Who we are

AOBRAIN SYSTEMS SL
NIF: B24833048
Avenida de Rius i Taulet, 13
Sant Cugat del Vallés, 08172
Barcelona, Spain

Email: privacy@aobrain.com

2. Scope

This policy covers:

• EpicStory app processing inside Jira Cloud and Forge runtime
• AI generation flows used by the app
• Operational telemetry and support communications
• Marketing website contact requests
• Website analytics and advertising measurement that only activates after consent

Atlassian may act as an independent controller for Atlassian platform operations and as infrastructure sub-processor for Forge-hosted app runtime services.

Trust resources

For EpicStory trust, privacy, support, and data-handling information, use these documents as the current reference set:

• Data Processing Addendum
• Support Policy and Service Availability
• Responsible Disclosure Policy
• Terms of Service
• AI Model & Data Policy
• Documentation

3. Data we process

3.1 Jira content used to provide EpicStory

To generate and publish stories/subtasks, EpicStory processes Jira issue content and metadata provided by your Jira site (for example epic descriptions, prompts, generated stories, issue keys, and related project context).

Epic/issue content, including LLM input prompts and output content, is processed transiently within active application runtime flows in the EpicStory frontend and Forge backend. This content is not intentionally printed to EpicStory application logs and is not intentionally sent as telemetry payload.

3.2 Atlassian identifiers

• cloudId: used for per-tenant token limits and tenant-level metering. It is stored in Jira Forge KVS storage and sent as part of telemetry with token usage statistics.
• accountId: used only in Jira Forge KVS storage for per-user token limits and internal access control.

accountId is not intentionally exported outside the app, is not intentionally printed to app logs, and is not intentionally included in external telemetry.

3.3 Telemetry

For operational monitoring and token usage tracking, we send limited telemetry to New Relic. The intended payload is:

• cloudId
• token usage/cost metrics
• operation-level technical metadata (for example duration, status, model/provider identifiers)

We do not intentionally send to New Relic:

• accountId
• usernames or email addresses
• Jira issue text, prompts, descriptions, comments, or generated content

3.4 Support data

If you contact support, we process the information you provide (for example email address and ticket content) to respond to your request.

3.5 Marketing website analytics and advertising measurement

If you accept analytics cookies on aobrain.com, we process aggregated website usage data through Google Analytics 4. If you accept marketing cookies, we may also process advertising measurement data through Google Ads conversion tracking.

Cloudflare Web Analytics may also process privacy-first, aggregated website measurement without setting tracking cookies.

We do not intentionally send contact-form message contents, email addresses, or other direct form inputs to Google Analytics or Google Ads for website measurement.

4. Purposes and legal bases

We process data for the following purposes:

1. Provide app functionality (story generation and publish flows).
   Legal basis: contract performance and/or legitimate interests.
2. Meter usage and enforce app credit policy.
   Legal basis: legitimate interests and contract performance.
3. Maintain service reliability and monitor abuse/errors using minimal telemetry.
   Legal basis: legitimate interests.
4. Provide customer support.
   Legal basis: legitimate interests and contract performance.
5. Measure website usage and marketing effectiveness where consent is required.
   Legal basis: consent for non-essential cookies/measurement, and legitimate interests for strictly necessary website security and privacy-preserving aggregate measurement.

5. Where data is processed and stored

1. Atlassian Cloud / Forge
   Primary app state and storage are handled in Atlassian infrastructure (Jira + Forge runtime/storage).

2. AI inference providers
   Jira content required for generation may be processed by configured AI providers (for example AWS Bedrock) solely to deliver requested output.

Processing location depends on configured provider endpoints and runtime routing behavior. Current public disclosures should not be interpreted as a guarantee that processing always remains in the same region as the customer Jira site.

3. Telemetry provider (New Relic)
   Operational telemetry is sent with tenant-level identifier (cloudId) and token usage/technical metrics as described above.

4. Website analytics and advertising providers
   For the marketing website, this can include Cloudflare Web Analytics, Google Analytics 4, Google Ads, and Cloudflare Turnstile for bot protection on forms.

6. Data sharing and recipients

We may share/process data with:

• Atlassian (platform/runtime)
• AI infrastructure providers used by the app
• New Relic (telemetry)
• Cloudflare (hosting, web analytics, and Turnstile)
• Google (Google Analytics 4 and Google Ads, when consented)
• competent authorities where required by law

We do not sell personal data.

7. International transfers

Where data processing or access involves countries outside the EEA, we rely on appropriate safeguards required by applicable law, such as contractual safeguards where relevant.

This can become relevant through configured AI provider endpoints, telemetry infrastructure, or support/access workflows, depending on the operating configuration and incident context.

8. Retention

We keep data only as long as needed to provide the service, operate billing/metering, meet legal obligations, and resolve incidents.

• Epic/issue content and LLM prompt/output content is handled as transient runtime processing data and is not intentionally retained for telemetry or analytics purposes.
• In-app usage/accounting data (including internal accountId usage counters) is retained according to service operational needs and then deleted or anonymized.
• Telemetry retention follows configured retention in our observability stack and is kept separate from customer Jira content.
• Support communications are retained as needed to resolve requests and maintain support history.

9. Security

We apply technical and organizational controls appropriate to the risk, including access controls, encryption in transit, and least-privilege operational practices.

10. GDPR/CCPA role context

For customer Jira data processed through EpicStory, your organization is typically the controller/business, and AOBRAIN acts as processor/service provider under customer instructions.

For direct interactions with us (for example support communications), AOBRAIN may act as controller for that interaction data.

11. Your rights

Depending on applicable law, you may have rights of access, correction, deletion, objection, restriction, and portability.

To exercise rights: privacy@aobrain.com

If a request concerns data controlled by your Jira organization, we may direct you to your Jira administrator/controller.

12. Changes to this policy

We may update this policy when product, legal, or processing changes require it. We will update the “Last updated” date.

13. Contact

privacy@aobrain.com