This privacy policy describes how Auditforge (the "app") collects, uses, stores, and shares information. Auditforge is operated by Sathvic Kollu, Bangalore, India. Contact: support@auditforge.sathvickollu.com.
Summary
Auditforge is built so that we never see your data. The app runs entirely inside your Atlassian Cloud tenancy on Atlassian's Forge platform. We operate no external servers. We do not collect, store, or process customer data on infrastructure under our control.
The only third-party data flow is from your Atlassian tenant to your own Anthropic account, which you configure with your own API key.
What data Auditforge accesses
Inside your Atlassian Cloud tenant only, with your explicit OAuth consent:
- Jira issue data (summary, description, status, assignee, updated timestamp) for issues you select via JQL search
- The current user's display name, account ID, and email (used to attribute audit log entries)
- App settings you configure (Anthropic API key, model preference, organization name, auditor email)
- The narratives Auditforge generates, plus the append-only audit log of approvals and rejections
This data is stored in Forge Storage, which is hosted on Atlassian's infrastructure and is encrypted at rest. Each customer workspace has its own isolated storage. We cannot read your storage.
Where data goes
When you click "Generate audit narrative":
- The selected Jira issue summaries and the control text are sent from your Forge function over TLS to api.anthropic.com
- The request is authenticated with the Anthropic API key you configured
- Anthropic returns a narrative draft, which is stored in your Forge Storage
Anthropic's data handling for API calls is governed by Anthropic's Commercial Terms. Anthropic does not train models on API data unless you explicitly opt in via the Anthropic console. We recommend leaving the default (no training) for compliance use cases.
No data is sent to any Auditforge-operated servers because Auditforge operates no servers.
What data we collect about you
Because Auditforge does not operate external infrastructure, we have no direct telemetry. We do not:
- Run analytics inside the app (no Google Analytics, no Mixpanel, no Segment)
- Track users across sessions
- Collect device fingerprints
- Use cookies (the app is rendered by Atlassian Forge, which manages its own session)
The only thing we see is the support email you send us, if you contact us. We retain that email for two years for support history, then delete it.
Data retention
- All app data (settings, narratives, audit log) lives in your Forge Storage and stays as long as the app is installed
- If you uninstall the app, Atlassian retains the data for 30 days then deletes it per their standard data lifecycle. You can also delete it manually before uninstall by clearing each control's narratives from within the app
- Support emails: 2 years from last reply
Your rights
If you are based in the EU, UK, India, or California, you have the right to:
- Access the data we hold about you (which is essentially only your support email correspondence; everything else lives in your Atlassian tenant)
- Request deletion of that data
- Request a copy in a portable format
- Object to processing
Email support@auditforge.sathvickollu.com to exercise any of these rights. We will respond within 30 days.
Subprocessors
Auditforge uses these subprocessors:
| Subprocessor | Purpose | Where data is sent |
|---|---|---|
| Atlassian | Hosting (Forge runtime, Storage, OAuth) | Atlassian region of your site |
| Anthropic | AI narrative generation | api.anthropic.com (typically US-East) |
| Hostinger / Cloudflare | Hosting auditforge.sathvickollu.com marketing site (no customer data) | Global edge network |
We do not use any other subprocessors. We will update this list and notify customers at least 30 days in advance of any change.
International data transfers
The Forge runtime hosts your data in the Atlassian region you selected when you set up your Cloud site. AI calls to Anthropic typically route through Anthropic's US infrastructure. By using Auditforge you consent to this transfer.
EU customers seeking strict data residency should configure Anthropic via the Anthropic console to use EU endpoints when available.
Security
See the security overview for details, including encryption (TLS in transit, encrypted at rest), access controls (Forge-scoped, no admin access from us), vulnerability disclosure, and incident notification commitments.
Changes to this policy
We will post any material changes to this policy here at least 30 days before they take effect. Continued use of the app after the change constitutes acceptance.
Contact
For privacy questions: privacy@auditforge.sathvickollu.com.
For all other questions: support@auditforge.sathvickollu.com.
Operator: Sathvic Kollu, Bangalore, India.