Privacy Policy
Last Updated: May 11, 2026
Table of Contents
1. Important Information and Who We Are
Sync-o ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you visit our website or use our Atlassian Marketplace application ("App") and tell you about your privacy rights and how the law protects you.
Controller
Philip Amato, trading as Sync-o, is the controller and responsible for your personal data.
Contact Details
If you have any questions about this privacy policy or our privacy practices, please contact us in the following ways:
- Data Controller: Philip Amato (Libero Professionista, P. IVA IT18526001005)
- Email address: [email protected]
- Postal address: Piazza di Villa Fiorelli 5, 00182 Rome, Italy
Jurisdiction
This policy is governed by the laws of Italy and applicable EU regulations (GDPR).
2. The Data We Collect About You
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:
- Identity Data: includes first name, last name, username or similar identifier.
- Contact Data: includes email address and telephone number.
- Technical Data: includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this App.
- Usage Data: includes information about how you use our App (e.g., number of documents processed, API usage metrics).
2.1 Detailed Data Breakdown
To be fully transparent, here is exactly what we process:
Information You Provide
- Configuration Settings: AI provider selection and notification preferences.
- Credentials: API keys for "Bring Your Own Model" (BYOM) providers (stored encrypted).
- Account Information: Atlassian site URL (tenant identifier) and User account IDs.
Information We Process Automatically
- Jira Ticket Data: Key, title, description, status, comments, and reporter/assignee metadata.
- Confluence Page Data: Page IDs, titles, differences (diffs), and content required for context retrieval.
- License Information: We access your Atlassian subscription status (edition type, user count) to determine feature availability. This data is not stored beyond the session.
- Processing Metadata: Relevance scores, timestamps, and error logs.
2.2 Information We Do NOT Collect
- No Model Training Data: We do not use your data to train our own AI models.
- No Tracking Cookies: We do not use advertising cookies or third-party tracking pixels in the App.
- Exclusions: We do not collect payment information (handled by Atlassian) or precise location data.
3. How We Use Your Personal Data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- To provide the Service (updating your Confluence pages based on Jira tickets).
- To manage our relationship with you (support, billing).
- To improve our App and services.
3.1 AI Processing & Sub-processors
Sync-o acts as an intermediary (Data Processor) between your Atlassian data and the AI models:
- Default AI processing: Unless you configure BYOM, all inference runs through Google Vertex AI (Gemini) in Belgium (europe-west1). Vertex AI's enterprise contract explicitly prohibits the use of customer prompts and responses for training Google models.
- Data Transmission: Ticket and page content is sent securely (TLS 1.2+) to the AI provider in use (default Vertex AI, or your selected BYOM provider: OpenAI, Anthropic, or Azure OpenAI).
- BYOM (Bring Your Own Model): If you provide your own API key, you have a direct relationship with that AI provider; Sync-o merely facilitates the transmission. Each major commercial provider's default API contract excludes API data from model training.
- Retention: Sync-o is designed to minimize persistent storage of content. Full bodies of your Jira tickets and Confluence pages are processed in memory only and are never persisted in our databases. To power the Smart Picker semantic-search feature, Sync-o persists short section-level content excerpts (≤1,800 characters per chunk) and their vector embeddings in AWS DynamoDB (eu-west-1) with a 90-day time-to-live, plus immediate deletion on app uninstall. See our Data Processing Addendum §3 and §6 for the contractual detail.
3.2 Infrastructure & Sub-processors
The list below is authoritative for this Privacy Policy and matches our DPA Annex 2 and Atlassian Marketplace privacy declaration.
| Provider | Purpose | Region | Engagement |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting, data storage, serverless compute (Lambda, DynamoDB, SQS, CloudWatch) | Ireland (eu-west-1) | Always |
| Google LLC (Vertex AI) | AI content generation + embedding generation (Gemini, text-embedding-004). Generated vectors are stored in AWS DynamoDB above. | Belgium (europe-west1) | Default AI provider |
| OpenAI, OpCo, LLC | AI content generation | United States | Optional — when you select OpenAI in BYOM |
| Anthropic PBC | AI content generation | United States | Optional — when you select Anthropic Claude in BYOM |
| Microsoft Corporation (Azure OpenAI) | AI content generation | United States (legal entity); your selected Azure region for processing | Optional — when you select Azure OpenAI in BYOM |
4. International Transfers
We process data within the European Economic Area (EEA). However, when you use third-party AI providers (like OpenAI, Anthropic, or Azure OpenAI) via BYOM, data may be processed outside the EEA (e.g., in the US or your selected Azure region) under their respective Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs).
5. Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. Access to your personal data is limited to those employees, agents, contractors and other third parties who have a business need to know.
Security Controls
- Encryption: AWS KMS AES-256 for data at rest (configuration, content excerpts, embeddings, encrypted API keys). TLS 1.2+ (TLS 1.3 where supported by client) for all data in transit.
- Access Control: Production-system access is limited to two authorized individuals (the owner and one authorized technical contributor), each protected by multi-factor authentication. Access is governed by strict least-privilege IAM policies and any access to customer content (e.g., for support or debugging) is logged via AWS CloudTrail.
6. Data Retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
- Configuration: Retained while the App is installed.
- Logs: System logs are retained for up to 90 days.
- Deletion: We automatically delete end user data immediately upon uninstallation. All configuration data and encrypted keys are deleted immediately upon uninstallation.
7. Your Legal Rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data, including the right to receive a copy of the personal data we hold about you and the right to make a complaint at any time to the relevant supervisory authority.
To exercise these rights, please contact us at [email protected].