Draca BV
Effective Date: February 11, 2026
Last Updated: February 11, 2026
1. Introduction
Draca BV (“Draca”, “we”, “us”, or “our”) develops applications (“Apps”) for the Atlassian Marketplace that run on the Atlassian Forge platform. This Privacy Policy describes how we collect, use, store, and protect personal data when you use our Apps.
We are committed to protecting your privacy and processing personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws.
2. Data Controller
Draca BV acts as a data processor on behalf of your organization (the data controller) when our Apps process data within your Atlassian Cloud instance. For data we collect independently (e.g., support requests), Draca BV acts as the data controller.
Contact: Email: privacy@draca.be
3. Hosting and Infrastructure
All our Apps are built on the Atlassian Forge platform. This means:
- Our Apps run entirely within Atlassian’s cloud infrastructure.
- Customer data remains within your Atlassian Cloud instance at all times.
- We do not operate our own servers or external infrastructure for app functionality.
- Data residency is determined by your Atlassian Cloud instance configuration.
For more information about Atlassian’s infrastructure and security practices, please refer to Atlassian’s Trust Center.
4. Data We Collect and Process
4.1 Data Processed Within Your Atlassian Instance
Our Apps may access and process the following data within your Atlassian Cloud instance, depending on the App’s functionality:
- Atlassian Product Data: Content and metadata from Jira, Confluence, or other Atlassian products as required by the App’s functionality. All access is governed by Atlassian’s permission model, meaning users can only access data they are authorized to see.
- Macro and App Configuration: Settings and preferences configured by users or administrators, stored via Atlassian Forge’s built-in storage mechanisms (Forge KVS and macro configuration).
This data never leaves your Atlassian Cloud instance and is not accessible to Draca.
4.2 Data We Collect Independently
We may collect limited personal data outside of the Atlassian platform in the following scenarios:
- Support Requests: When you contact us for support, we may collect your name, email address, organization name, and any information you provide in your request.
- License and Installation Data: Atlassian provides us with basic license and installation information (such as organization name and license status) through the Atlassian Marketplace. This is governed by the Atlassian Marketplace Terms.
4.3 Data We Do NOT Collect
- We do not use analytics or telemetry services (e.g., Google Analytics, Mixpanel, Amplitude).
- We do not use external error tracking services (e.g., Sentry, Bugsnag).
- We do not track user behavior or usage patterns.
- We do not use cookies in our Apps.
- We do not transmit any data to external third-party services.
- We do not store personally identifiable information (PII) in our App storage.
5. Legal Basis for Processing
We process personal data under the following legal bases as defined by the GDPR:
| Legal Basis | Application |
|---|---|
| Contract Performance (Art. 6(1)(b)) | Processing necessary to deliver App functionality as described in the Atlassian Marketplace listing. |
| Legitimate Interest (Art. 6(1)(f)) | Processing support requests and maintaining App security and reliability. |
| Legal Obligation (Art. 6(1)(c)) | Compliance with applicable laws and regulations. |
6. Data Storage and Retention
6.1 In-App Data
All App configuration and operational data is stored within Atlassian’s infrastructure using Forge KVS (Key-Value Storage) and Forge macro configuration. This data:
- Is stored in the same region as your Atlassian Cloud instance.
- Is subject to Atlassian’s data retention and deletion policies.
6.2 Support Data
Support-related data is retained inside our Atlassian instance and can be deleted on request.
6.3 License Data
License information provided by Atlassian is governed by the Atlassian Marketplace Terms.
7. Sub-Processors
Since our Apps run entirely on the Atlassian Forge platform, the primary sub-processor is:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Atlassian Pty Ltd | Cloud infrastructure, App hosting, data storage | Per your instance’s data residency settings |
We do not engage additional sub-processors for the processing of customer data within our Apps.
8. Data Security
We implement and maintain appropriate technical and organizational measures to protect personal data, including:
- All App code runs in Atlassian Forge’s sandboxed environment with restricted permissions.
- API calls to Atlassian services are executed with the minimum required scopes.
- All data in transit is encrypted via TLS (enforced by the Atlassian platform).
- Access to App administration is governed by your Atlassian instance’s permission model.
- Optional diagnostic logging, when available, is disabled by default and auto-disables after a configurable time period to prevent accidental data exposure.
9. Your Rights Under the GDPR
If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
- Right to Restrict Processing (Art. 18): Request limitation of how we process your data.
- Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time.
- Right to Lodge a Complaint: File a complaint with your local data protection authority.
To exercise any of these rights, contact us at privacy@draca.be. We will respond to your request within 30 days.
For data processed within your Atlassian instance, please contact your organization’s Atlassian administrator, as your organization is the data controller for that data.
10. International Data Transfers
Our Apps process data exclusively within the Atlassian Forge platform. Data residency is determined by your Atlassian Cloud instance configuration. We do not independently transfer data across borders.
For information about Atlassian’s data transfer practices, refer to Atlassian’s Privacy Policy.
11. Children’s Privacy
Our Apps are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@draca.be and we will promptly delete it.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes:
- We will update the “Last Updated” date at the top of this document.
- For significant changes, we will provide notice through the Atlassian Marketplace listing or other appropriate channels.
We encourage you to review this Privacy Policy periodically.
13. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:
Draca BV
Email: privacy@draca.be
For data protection inquiries, you may also contact your local data protection authority.