Recoup — Privacy Policy

Effective date: [TO FILL — date you publish this] Last updated: [TO FILL — same as effective for v1.0]

This privacy policy describes how Recoup ("we", "us", "the app") handles your data. Recoup is an Atlassian Marketplace app distributed via the Atlassian Forge platform. By installing Recoup, you agree to this policy.

Summary in plain English

• All data stays inside Atlassian's infrastructure for the core scan flow. We never see your data unless you opt into AI features with your own Anthropic API key.
• We don't operate any servers. Recoup runs on Atlassian Forge — Atlassian hosts every function call and storage write.
• API keys you supply are encrypted at rest in Forge's Key Value Store. They are never logged, never returned in API responses, and never sent to any third party except Atlassian itself or Anthropic (when AI is enabled).
• AI features are opt-in and use your own Anthropic API key. When enabled, anonymised user signals (accountId, display name, email pattern, login history boolean) are sent directly from Atlassian's Forge runtime to Anthropic Claude for classification. We never see this data.

1. Data we access

When you install Recoup and run a scan, the app accesses the following data via Atlassian's APIs:

From your Atlassian organisation (via your org-admin API key, when configured)

• User account IDs, display names, email addresses
• Account type (managed Atlassian account, app account, customer)
• Last-active timestamps per product (Jira, Confluence, JSM, JPD)
• Product access lists

From your Atlassian site (via Forge asApp() calls)

• User lists from /rest/api/3/users/search
• Issue activity from /rest/api/3/search/jql (assignee, reporter, updated timestamp; we never read issue contents)

From your own input

• Per-seat cost configuration (numeric inputs)
• Inactivity thresholds (numeric inputs)
• Optional Anthropic API key (for AI features)

2. Where data is stored

Recoup stores the following entities in Forge Key Value Store, hosted and encrypted by Atlassian:

• User records (one per Atlassian account discovered)
• Recommendation records (one per detection)
• Scan run history (metadata only — no full user list snapshots)
• Audit log entries (one per admin action, immutable)
• Settings (thresholds, per-seat costs, encrypted API keys, AI toggles)

Forge Key Value Store data is encrypted at rest by Atlassian using AES-256 and tied to your Atlassian Cloud site. Recoup operates as a tenant inside this storage; we cannot access the data without going through Forge's authenticated APIs invoked by an admin user of your org.

Data residency: Forge storage follows Atlassian's data residency commitments. If your Atlassian site is in a specific data region, Recoup's storage stays in that region.

3. Data we share with third parties

Recoup shares data with exactly two external services, both of which are explicitly allow-listed in our Forge manifest:

api.atlassian.com (Atlassian Admin API)

• What: Org user data (list, lifecycle/disable) using your org-admin API key
• When: During scans, and when you take an action like deactivate-user
• Why: Atlassian's own admin API is the source of truth for org user data and the only path to programmatically deactivate users

api.anthropic.com (Anthropic Claude)

• What: Anonymised user signals — accountId, display name, whether the user has ever logged in interactively, products they have access to. No issue contents, no comments, no PII beyond what's necessary for the classifier.
• When: Only when both aiEnabled.classifier (or aiEnabled.summary) is true AND you have provided your own Anthropic API key
• Why: To classify users as human / service / bot / shared / unknown (preventing accidental deactivation of automation accounts) and to generate the dashboard executive summary

You can disable AI features at any time in Settings. When disabled, no data is ever sent to Anthropic.

We do not share data with any other third party. Recoup has no analytics provider, no error reporting service, no marketing tools embedded.

4. Data we do NOT collect

• Issue contents, comments, attachments
• Document contents (Confluence pages, JSM tickets, JPD ideas)
• User passwords or authentication tokens beyond the org-admin API key you explicitly provide
• Behavioral or telemetry data about how admins use Recoup
• IP addresses or geolocation
• Cookies (Recoup runs inside Atlassian's iframe — Atlassian's cookies apply, not ours)

5. Data retention

• User records, recommendations, scan runs: retained until you uninstall Recoup or explicitly clear data via the in-app "Clear all data" developer tool
• Audit log entries: immutable, retained for the life of the install (no built-in deletion path — they exist for accountability)
• API keys and settings: retained until you clear them in Settings or uninstall Recoup

On uninstall: Atlassian automatically purges all Forge storage associated with the app within 30 days per Atlassian's Forge data lifecycle policy.

6. Your rights

You have the right to:

• Access the data Recoup stores — visible in the in-app Users, Audit log, and Settings screens
• Export the audit log as CSV at any time
• Delete all data via the in-app "Clear all data" developer tool, or by uninstalling Recoup
• Stop AI processing at any time by disabling the AI toggles or clearing the Anthropic API key

For requests under GDPR, CCPA, or similar regulations, contact us at support@tryrecoup.app.

7. Children's privacy

Recoup is a business administration tool for Atlassian Cloud organisations. It is not intended for, marketed to, or used by individuals under 18. We do not knowingly collect data about minors.

8. Changes to this policy

We may update this policy when materially new features ship. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated via the Marketplace listing and any in-app notice we deem appropriate.

9. Contact

For privacy questions:

• Email: support@tryrecoup.app
• Website: https://tryrecoup.app
• Address: [TO FILL — your business address, required for some jurisdictions]