PTIAS operates publicly at https://www.ptias.com. This Privacy Policy describes how we handle personal information for PTIAS Jira Companion.
This policy describes our current practices and may be updated as the Service evolves. For questions, use the contact details at the end of this page.
1. Introduction and scope
We process personal data in compliance with the Israeli Privacy Protection Law, 5741-1981, and, where applicable, the EU General Data Protection Regulation (GDPR) and similar laws.
This Privacy Policy explains how PTIAS ("we," "us," or "our") collects, uses, discloses, and protects personal information when you use PTIAS Jira Companion, including our public websites, authenticated web applications, hosted APIs, optional desktop software, and related services (the "Service"). Our public website and business name for identification is https://www.ptias.com. It applies whether you access the Service as an individual or on behalf of an organization.
By using the Service, you acknowledge this Policy together with our Terms of Service. If you do not agree, do not use the Service.
2. Categories of information we collect
Depending on how you use the Service, we may collect:
- Identifiers and account data: name, email address, internal user or profile identifiers, organization or customer identifiers, and role (for example Super Admin, administrator, Team Leader, or end user). When you connect Jira using the desktop application, we also store limited fields returned by Atlassian during the OAuth authorization step—your Atlassian account ID (for example account_id), email address, and display name—so we can bind your PTIAS profile to your Jira identity and operate account features. We do not store your Jira OAuth access tokens, refresh tokens, or long-lived API secrets on PTIAS servers; those credentials are handled by your installed client and by Atlassian as part of the standard OAuth flow (see Section 3). For web access to our own sites and admin tools, our hosting and identity providers process web session data (for example Supabase-authenticated sessions) as needed for login and security.
- Usage and device data: sign-in timestamps, feature usage needed to operate the product (including reminders and reporting), IP address, approximate location derived from IP, browser or client type, operating system, diagnostic logs, crash reports, and security telemetry.
- Billing and subscription data: plan, subscription status, invoices or receipts, payment-related references, and usage metrics used for billing (such as monthly active users), as processed by our payment provider.
- Communications: messages you send to support, feedback you provide, and records of consent or preferences where we collect them.
We do not intentionally collect special categories of personal data (such as health data) through the Service. Please do not submit such information unless a feature explicitly requires it and you have a lawful basis to do so.
3. What we do not collect (Jira and desktop client)
We want to be clear about categories of information we do not ingest or retain on PTIAS systems in the ordinary operation of the Service:
- Jira work item content: We do not collect or store Jira ticket data—such as issue keys, titles or summaries, descriptions, comments, attachments, epics, stories, tasks, work logs, or time entries—for use as an application database on PTIAS servers. That information flows between your desktop application and your organization's Jira (Atlassian) environment; it is not copied into our databases as part of providing the desktop experience.
- Jira OAuth tokens on our servers: We do not persist your Jira access or refresh tokens (or equivalent long-lived API credentials for Jira) on PTIAS servers. They remain with your device and Atlassian under the OAuth model. That separation is intentional: a compromise of PTIAS-hosted systems would not, by itself, expose those tokens from us to take over your Jira account.
Nothing in this section changes your responsibilities under Atlassian's terms or your organization's policies when you use Jira; it describes what we deliberately do not centralize on our infrastructure.
4. Sources of information
We obtain information directly from you (for example when you register or contact support), automatically when you use the Service (for example logs and device data), from your organization or its administrators (for example provisioning and role assignment), from Atlassian when you complete Jira authorization (limited profile identifiers as described in Section 2), and from payment processors in connection with purchases.
5. How we use information
We use personal information to:
- Provide, operate, secure, and improve the Service, including authentication, authorization, enabling the desktop client to work with Jira according to your settings, and delivery of reminders and administrative features.
- Process payments, manage subscriptions, detect fraud, and communicate about billing.
- Provide support, respond to requests, and send transactional or service-related messages.
- Monitor and analyze reliability, performance, and aggregated usage trends (including de-identified or aggregated statistics).
- Comply with law, enforce our terms, and protect rights, safety, and security.
6. Legal bases (EEA, UK, and similar jurisdictions)
Where GDPR or similar laws apply, we rely on appropriate bases such as: performance of a contract; legitimate interests that are not overridden by your rights (for example fraud prevention, security, and product improvement); consent where required; and legal obligation. You may have rights to access, rectify, erase, restrict, or object to certain processing, to data portability, and to lodge a complaint with a supervisory authority. Contact contact@ptias.com to exercise rights.
8. Subprocessors and international transfers
Core account and operational data for the Service may be processed in and transferred to the State of Israel, where we are established. The European Commission has determined that the State of Israel provides an adequate level of protection for personal data originating in the European Union (Commission Implementing Decision 2011/61/EU, as may be updated or replaced). That adequacy finding can support transfers from the EU to Israel without additional safeguards in many cases; where other jurisdictions or data flows require them, we use mechanisms such as Standard Contractual Clauses as described below.
We use infrastructure and service providers that may process data on our behalf. Non-exhaustive examples include Supabase (hosted database and related authentication services), Paddle (merchant of record and payment processing), Resend (transactional email), and cloud hosting used to run our web application and APIs. Providers may operate in the United States, Israel, and other countries.
Where we transfer personal data from the EEA, UK, or Switzerland to countries not covered by an adequacy decision or other permitted basis, we use appropriate safeguards such as Standard Contractual Clauses or other mechanisms permitted by law.
9. Security and retention
We implement administrative, technical, and organizational measures designed to protect personal information, including encryption in transit where supported and access controls. No system is perfectly secure; you should use strong passwords and protect your devices.
We retain information for as long as necessary to provide the Service, comply with law, resolve disputes, and enforce agreements. Retention periods vary by data category; some logs may be retained for a shorter period than account records.
11. Analytics and product telemetry
We may collect product telemetry and error reports to diagnose crashes, measure feature usage in aggregate, and improve stability. Where feasible, we use aggregated or de-identified data for analytics. If we introduce optional analytics that are not strictly necessary, we will describe them and, where required by law, obtain consent.
12. Your choices and privacy rights
Depending on your location, you may have rights to access, correct, delete, or export personal information, or to restrict or object to certain processing. You may opt out of marketing emails using an unsubscribe link where provided. To submit a request, contact contact@ptias.com. We may need to verify your identity and may deny requests where permitted by law (for example if information is needed for legal claims).
13. U.S. state privacy notices (summary)
Certain U.S. states grant residents specific privacy rights. This summary does not list every requirement for every state. Depending on applicable law, you may have rights to know categories and specific pieces of personal information collected, to delete personal information, to correct inaccuracies, to opt out of sale or certain sharing (we do not sell personal information in the conventional sense), and to appeal our response to a request. Submit requests via contact@ptias.com. We will not discriminate against you for exercising rights permitted by law.
14. Marketing communications
We may send product updates or promotional messages where permitted. You can opt out of marketing emails using the unsubscribe mechanism in those messages. Transactional and security-related messages may continue as needed to operate the Service.
15. Automated decision-making
We do not use personal information for solely automated decisions that produce legal or similarly significant effects about you within the meaning of the GDPR. Certain product rules (for example billing metrics or access control based on subscription status) may automatically affect account features.
16. Children
The Service is not directed to children under 13 (or the age required in your jurisdiction to consent to processing without parental authorization). We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will take appropriate steps to delete it.
17. Changes to this Policy
We may update this Policy from time to time. We will post the revised version and update the Last updated date. Where changes are material, we will provide additional notice as appropriate.
18. Account deletion (self-service)
If you have a PTIAS web login, you may request deletion of your user account from https://www.ptias.com/delete_account. You must be signed in to use that page. Organization owners (administrators) may need to cancel billing or transfer ownership first, as explained on the page. The page also summarizes retention (including a limited period after closure for billing, abuse prevention, and legal obligations) and how third-party integration tokens are handled.
19. Contact
Privacy inquiries and requests to exercise your rights (including access, deletion, portability, and other rights described in this Policy) should be directed to the PTIAS data protection contact at contact@ptias.com.