Last Updated: March 20, 2026
The responsible person within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:
Thorsten Büring
Bommershöfer Weg 46
40670 Meerbusch
Germany
E-Mail: LinkMap@buering.net
The data protection officer is identical with the responsible person listed above.
As a matter of principle, we process personal data of our users only to the extent that this is necessary to provide a functional add-on based on the Atlassian Connect Framework and Atlassian Forge platform. The processing of personal data of our users is regularly carried out only after the consent of the user. An exception applies in those cases where obtaining prior consent is not possible for factual reasons and the processing of the data is permitted by legal regulations.
In so far as we obtain the consent of the data subject for processing operations of personal data, Art. 6 (1) lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis.
When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
To the extent that processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 (1) lit. c GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) lit. d GDPR serves as the legal basis.
If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not override the former interest, Art. 6 (1) lit. f GDPR serves as the legal basis for the processing.
The personal data of the data subject shall be deleted or blocked as soon as the purpose of the storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. Blocking or deletion of the data will also take place if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.
LinkMap operates as a hybrid application combining Atlassian Forge (frontend) and Atlassian Connect (backend remote):
Hosting Provider: Heroku (Salesforce), European region
Atlassian as Sub-Processor: For Forge components, Atlassian acts as a sub-processor. Atlassian's data processing practices are governed by the Atlassian Forge Data Processing Addendum. See: Forge DPA
No Other Third Parties: We do not share collected data with any other third-party organizations, services, or processors beyond Heroku (hosting) and Atlassian (Forge platform).
Each time our add-on is called up, our system automatically collects data and information from the calling Atlassian Cloud instance and from the computer system of the calling computer.
The following data is collected and processed:
a) Installation and Authentication Data (stored until app uninstallation):
b) Personal Data - User Account Information (stored until app uninstallation or account closure):
c) Application Configuration Data (stored until app uninstallation or user deletion):
d) Log Files (stored for 7 days maximum):
Data Categories Summary:
| Data Type | Personal Data? | Storage Location | Retention |
|---|---|---|---|
| Atlassian Account ID | Yes (online identifier) | Heroku PostgreSQL (EU) | Until uninstall or account closure |
| Instance authentication keys | No | Heroku PostgreSQL (EU) | Until uninstall |
| Saved layouts and settings | No (associated with Account ID) | Heroku PostgreSQL (EU) | Until uninstall or user deletion |
| Application logs | No (anonymized) | Heroku (EU) | 7 days maximum |
The legal basis for the storage and processing of authentication data and log files is Art. 6 para. 1 lit. f GDPR (legitimate interest in providing and securing the service).
The legal basis for storing the Account ID and associated configuration data is Art. 6 para. 1 lit. b GDPR (performance of contract to provide personalized app functionality).
The storage of authentication data is necessary to enable delivery of the add-on functionality and to establish secure communication between your Atlassian instance and our service.
The storage of the Account ID is necessary to provide personalized features including saved layouts and individual settings that persist across sessions.
The storage in log files is done to ensure the functionality, security, and reliability of the add-on. We use the data to optimize the add-on and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place.
In these purposes also lies our legitimate interest in data processing according to Art. 6 para. 1 lit. f GDPR.
Account ID and User Settings: Your Account ID and associated configuration data (saved layouts, settings) are stored until:
Authentication Data: Instance authentication data is deleted when the app is uninstalled from your Atlassian instance.
Log Files: Application logs are automatically deleted after 7 days maximum. Anonymized logs may be retained longer for security analysis.
LinkMap uses the Atlassian Personal Data Reporting API to ensure GDPR compliance:
Current Implementation: All data collected by the Connect Remote backend is stored in the European region via Heroku's European data centers. However, LinkMap does not currently support Atlassian's Data Residency feature for automatic migration when customers move their Atlassian instance to different regions.
Forge Framework: For data processed by Forge components, Atlassian automatically handles data residency according to the customer's Atlassian instance location. See Forge Data Residency documentation for details.
The collection of authentication data for the provision of the add-on is mandatory for the operation of the add-on.
The storage of Account ID is necessary to provide personalized functionality (saved layouts and settings). If you wish to use the app without storing personal data, you may choose not to use the save functionality. Alternatively, you may request deletion of your Account ID and associated data at any time by contacting us at LinkMap@buering.net, though this will result in loss of all saved layouts and settings.
LinkMap requests the following permission scopes from Atlassian. Each scope is necessary for specific functionality and follows the principle of least privilege:
| Scope | Purpose and Justification |
|---|---|
read:jira-work |
Essential: Read issue and link data for visualization (core functionality) |
read:connect-jira |
Required: Validate JQL queries |
read:jql:jira |
Essential: Execute JQL searches to define issue scope for layouts |
delete:issue-link:jira |
Required: Allow users to delete links (user-initiated action only, respects permissions) |
read:sprint:jira-software |
Feature: Apply LinkMap to sprint issues in Jira Software |
read:app-user-token |
Architecture: Enable remote backend to invoke Atlassian APIs with user permissions (Forge remote requirement) |
report:personal-data |
GDPR Compliance: Use Personal Data Reporting API to identify closed accounts for data deletion |
All data access through LinkMap is performed in the context of the authenticated user. The app respects your Atlassian instance's permission configuration, meaning users can only access and visualize data they are already authorized to see in Jira or Confluence.
Our add-on does not set or use cookies for tracking, analytics, or any other purpose.
The Atlassian Connect Framework and Forge platform may set cookies necessary for authentication and secure communication. For information about cookies set by Atlassian, please see:
Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.
LinkMap does not use any tracking or analytics services such as Google Analytics. We do not track, monitor, or analyze user behavior within the application. We do not collect data about which features you use, how often you use them, or any usage patterns.
LinkMap does not employ any automated decision-making processes or profiling as defined in Article 22 of the GDPR. No decisions with legal effects or similarly significant effects are made about users based solely on automated processing of personal data.
If contact is made via the e-mail address provided on our website or documentation, the user's personal data transmitted with the e-mail will be stored.
In this context, the data is not passed on to third parties. The data is used exclusively for the processing of the conversation.
The legal basis for the processing of the data, if the user has given his consent, is Art. 6 para. 1 lit. a GDPR.
The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f GDPR. If the e-mail contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.
In the case of contact by e-mail, the processing of the data serves solely to process the contact.
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. For the personal data sent by e-mail, this is the case when the respective conversation with the user is ended. The conversation is ended when it can be inferred from the circumstances that the matter concerned has been conclusively clarified.
The user has the option at any time to revoke his consent to the processing of personal data via email. If the user contacts us by email, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.
All personal data stored in the course of contacting us will be deleted in this case.
If personal data of yours is processed, you are a data subject within the meaning of the GDPR and you are entitled to the following rights against the controller:
You may request confirmation from the controller as to whether personal data concerning you are being processed by us.
If such processing is taking place, you may request information from the controller about:
You have a right of rectification and/or completion vis-à-vis the controller if the personal data processed concerning you are inaccurate or incomplete. The controller shall carry out the rectification without undue delay.
Note: The Account ID is assigned by Atlassian and cannot be modified. If you believe your Account ID is incorrect, please contact Atlassian support.
Under the following conditions, you may request the restriction of the processing of personal data concerning you:
If the processing of personal data concerning you has been restricted, such data may - apart from being stored - only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.
a) Obligation to Delete
You may request the controller to erase the personal data concerning you without undue delay, and the controller shall be obliged to erase such data without undue delay, if one of the following reasons applies:
How to exercise this right: To delete your personal data (Account ID and associated configurations), please contact us at LinkMap@buering.net. We will process your request within 30 days. Alternatively, data is automatically deleted when the app is uninstalled or when your Atlassian account is closed.
b) Exceptions
The right to erasure does not exist to the extent that the processing is necessary:
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. You have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided:
How to exercise this right: Contact us at LinkMap@buering.net to request a copy of your Account ID and associated configuration data in JSON format.
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions.
The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
Competent Supervisory Authority (Germany):
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2-4
40213 Düsseldorf
Germany
Website: https://www.ldi.nrw.de
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
All personal data is stored and processed within the European Union (Heroku European region). However, as Heroku is operated by Salesforce (a U.S. company), the following safeguards apply to ensure GDPR compliance:
For Forge components, Atlassian's data transfer safeguards apply. See Atlassian DPA for details.
We reserve the right to update this Privacy Policy to reflect changes in our data processing practices or legal requirements. If we make material changes that reduce your rights, we will notify you by:
We encourage you to review this Privacy Policy periodically. Continued use of the app after changes constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact:
Thorsten Büring
LinkMap@buering.net
Bommershöfer Weg 46
40670 Meerbusch
Germany
Atlassian, as provider of the Jira Cloud Service as well as the Connect Framework and Forge platform used, provides the following documentation on data privacy and cloud security: