AltaClario

Privacy Policy

Effective 2026-06-03

This Privacy Policy explains what information AltaClario collects and how we use, share, and protect it.

What we collect

  • Account data — name, email, your hashed password (managed by our authentication provider), and the timestamp at which you accepted our Terms.
  • Workspace data — the organization name, memberships, roles, and provider configuration you create.
  • Provider data — issues, sprints, and related metadata fetched from Jira or Azure DevOps under your credentials, held in memory to render your dashboards.
  • Product telemetry — page views, performance samples, and error events used to keep the Service reliable.

AltaClario can’t see the contents of your tickets, releases, or workspaces, won’t use them to train models, and never distributes them to third parties. We process only the metadata required to render your dashboards.

How we use it

  • To operate, secure, and improve the Service.
  • To authenticate you and scope data by organization.
  • To communicate with you about your account, updates, and incidents.

Cookies & analytics

We use two categories of cookies and storage:

  • Essential — for signing in, security (two-factor, CSRF protection), and remembering your interface preferences. These are always on; without them the site does not function.
  • Analytics (opt-in) — a single Google Analytics cookie, used to understand which pages are visited and how the site performs in aggregate. We minimise what it collects: Google Analytics 4 does not store full IP addresses, we never attach your user ID, we disable Google Signals and ad-personalization, and we strip share-link and authentication tokens from URLs before they ever leave your browser. Google Analytics does assign a pseudonymous client identifier (a cookie) to distinguish sessions; we never combine it with information that would identify you, and we never share analytics data with third parties for their own purposes.

Analytics cookies are off by default. On your first visit we show a banner asking you to accept or decline; the choice is stored on your device and respected until you change it. You can re-open the choice at any time from the “Cookie preferences” link in the site footer.

We honor the Global Privacy Control (GPC) signal. If your browser or an extension sends GPC, we treat it as an opt-out: analytics stays off and we don't show the banner. You can still deliberately opt in via “Cookie preferences” if you choose to.

How we protect it

Provider credentials are encrypted with AES-GCM at rest. HTTPS is enforced in production. We maintain per-tenant scoping so another organization cannot see your data. See the Security page for details.

Legal basis for processing (EEA / UK)

For visitors in the European Economic Area, the United Kingdom, and other jurisdictions with similar laws, we process personal data on the following legal bases:

  • Contract — account creation, sign-in, billing, and delivering the dashboards and analytics you signed up for.
  • Legitimate interests — operating and securing the Service (rate-limiting, audit logging, abuse prevention, error monitoring), provided your interests do not override ours.
  • Consent — the anonymous-analytics cookie described above, and any optional AI features you choose to enable. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legal obligation — retaining records we are required to keep (tax invoices, abuse-report logs, DMCA notices).

Sharing & subprocessors

We do not sell your data, and we do not share it for the marketing purposes of third parties. We do engage a small number of subprocessors to run the Service — hosting, database, payments, email delivery, error monitoring, and (with your consent) analytics. Each operates under a written data-processing agreement with us. The current list, the categories of data each one handles, and the country each one operates in is published at our subprocessors page.

International data transfers

AltaClario is operated from the United States and our primary hosting, database, and payments providers are US-based. When you access the Service from the EEA, the UK, Switzerland, or another jurisdiction outside the United States, your personal data is transferred to the United States. Where required by law we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum / Swiss equivalents) with our subprocessors as the transfer mechanism, together with the technical measures described in our Security page.

Retention

We hold personal data only as long as necessary for the purpose it was collected, then delete or anonymize it. Indicative periods:

  • Account & workspace data — for the life of the account, plus up to 30 days in a soft-deleted state after you close it (so a wrongful deletion can be undone). After that, purged.
  • Audit log — for the life of the workspace, then deleted when the workspace is deleted.
  • Consent log — for the life of the account; deleted alongside the account.
  • Abuse reports & DMCA notices — retained at least one year so we can produce them if challenged.
  • Billing records — retained for the period required by tax law (typically 7 years in the US).
  • Anonymous-analytics events — Google's default retention (currently 14 months); we do not extend it.

Your rights

Subject to applicable law, you have the right to access, correct, export, delete, restrict, or object to the processing of your personal data, and to withdraw any consent you previously gave. Most of these are self-serve from account settings — close-account runs a hard cascade, and the cookie banner's “Cookie preferences” link in the footer lets you change your analytics consent at any time. For any request that the settings UI doesn't cover, use our contact form and choose “Other safety concern.”

If you are in the EEA or UK and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local supervisory authority (in the UK: the Information Commissioner's Office; in the EU: your member state's data-protection authority, listed at edpb.europa.eu).

Children

The Service is intended for use by people aged 16 and over. We do not knowingly collect personal data from anyone under 16 (or, where a lower age of digital consent applies, under that age). If you believe a child has provided us with personal data, please contact us and we will delete it.

California residents (CCPA / CPRA)

If you are a California resident, you have the right to know the categories of personal information we have collected about you, to request deletion or correction, to opt out of any “sale” or “sharing” of personal information as those terms are defined under the California Privacy Rights Act, and to be free of retaliation for exercising those rights. We do not sell personal information for monetary consideration, and we do not share personal information for cross-context behavioral advertising — but if that changes, this section will be updated and an opt-out affordance will be added. We also honor the Global Privacy Control (GPC) signal as a valid opt-out request, as required by the CPRA and similar laws in Colorado and Connecticut.

Changes

We will notify you of material changes to this Policy by email or an in-product notice. Each material change bumps the Policy version recorded against your stored cookie-consent choice, so the audit trail reflects exactly which version you consented to.

Contact

For any privacy question or request, please contact us and choose the relevant category — your message reaches us without exposing a personal address on this page.