Privacy Policy

Last updated: March 16, 2026

1. Introduction

Dead Viking Software ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect information when you use OdinFlow and related services.

This policy applies to OdinFlow, a Jira Cloud automation application that integrates with Atlassian Jira via official APIs.

2. Data Controller

Dead Viking Software is the data controller responsible for your personal data collected through OdinFlow.

Contact Information:

  • Email: privacy@deadvikingsoftware.com
  • Website: deadvikingsoftware.com

3. Information We Collect

3.1 Account and Authentication Data:

  • Atlassian account ID and email address (via OAuth 2.0)
  • OAuth access tokens and refresh tokens (securely stored with restricted access)
  • Jira Cloud instance URL and site information

3.2 Jira Data Accessed via API:

  • Jira issue data is accessed transiently during query execution and bulk updates but is not stored long-term. We store Jira field metadata (field names, types, allowed values, project configurations) for up to 7 days to enable query building
  • User information: display names, email addresses, account IDs (for assignment and audit purposes)
  • Workflow and transition data (metadata only)

3.3 OdinFlow Configuration Data:

  • JQL queries you create
  • Update payload configurations
  • Scheduled automation events and schedules
  • Automation execution logs and history
  • Conversation history (your commands and assistant responses) — retained for the duration of your active subscription
  • Natural language inputs and AI-parsed results (intents, entities, field mappings) used for query building
  • Learned keyword preferences and custom field mappings
  • Field visibility settings and exclusions
  • Language translation preferences

3.4 Usage and Technical Data:

  • Usage metrics: number of queries executed, tickets updated, events scheduled
  • Error logs and diagnostic information
  • Activity timestamps and interaction history
  • Compute resource usage (including GPU inference time) per account for billing and capacity management
  • Server access logs (IP addresses, user agent strings) for security monitoring and troubleshooting

3.5 Billing and Subscription Information:

  • Subscription tier and billing cycle
  • Atlassian account ID for subscription management (billing is processed by Atlassian Marketplace)
  • For optional add-ons (such as increased ticket quotas or scheduled event slots), payment information may be processed by Stripe or other payment processors; we do not store credit card numbers

3.6 Contact Form Data:

  • Name, email address, and message content submitted via our website contact form
  • This data is stored to respond to your inquiry and is retained for up to 12 months

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing is necessary to provide OdinFlow services under our Terms of Service, including OAuth authentication to access your Jira instance
  • Legitimate Interests: We have legitimate interests in improving our services, preventing fraud, ensuring security, and analyzing usage patterns
  • Legal Obligations: We may process data to comply with legal requirements, such as tax laws or law enforcement requests
  • Consent: For specific processing activities, such as optional AI-assisted natural language query building, where you actively choose to use these features

5. How We Use Your Information

We use collected data for the following purposes:

  • Service Delivery: To authenticate you, access your Jira instance, build JQL queries, execute bulk updates, and run scheduled automations
  • Account Management: To manage your subscription, billing, and account settings
  • Communication: To send service notifications, respond to support inquiries, and provide updates about OdinFlow
  • Improvement and Analytics: To analyze usage patterns, improve features, diagnose issues, and optimize performance
  • AI-Assisted Processing: To provide natural language query building, intent classification, and entity extraction using machine learning models. Your natural language inputs are processed by AI/NLP models to parse queries, identify Jira fields, and generate JQL — this processing is automated but all results are presented for your review before execution
  • Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues
  • Compliance: To comply with legal obligations and enforce our Terms of Service

Automated Decision-Making (GDPR Article 22): OdinFlow uses AI-powered natural language processing to interpret your commands and build JQL queries. This automated processing assists you but does not make decisions with legal or similarly significant effects. All generated queries and bulk update payloads are presented for your review and explicit confirmation before execution. You may opt out of AI-assisted features and use manual form-based query building instead.

We do not:

  • Sell your personal data or Jira data to third parties
  • Use your Jira data for marketing or advertising purposes
  • Share your data with third parties except as described in Section 7

6. Data Storage and Retention

6.1 Storage Location:

Your data is stored on Fly.io infrastructure in the United States (Virginia region). Fly.io maintains SOC 2 Type II certification and industry-standard security controls.

We use PostgreSQL as our primary relational database for persistent storage of account data, configurations, and execution logs. We use Redis as an in-memory data store for temporary caching (such as Jira metadata) and session management. Both are hosted within our Fly.io infrastructure.

6.2 Retention Periods:

  • Jira Data: Jira field metadata (schemas, configurations) is cached for up to 7 days, then automatically deleted. Actual issue content is only accessed transiently and not stored
  • Configuration Data: JQL queries, update payloads, scheduled events, conversation history, and learned preferences are retained while your subscription is active, plus 30 days after cancellation
  • Execution Logs: Automation execution logs are retained during your active subscription and for 30 days after account closure to support troubleshooting and continuity
  • Account Data: Personal identifiers (email, display name) are removed within 30 days of account deletion; anonymized account records may be retained for billing compliance (unless longer retention is required by law)
  • Billing Records: Managed by Atlassian Marketplace. We retain subscription tier information for 7 years to comply with tax and accounting regulations

7. Data Sharing and Third-Party Services

We share your data with the following third parties only as necessary to provide the Service:

  • Atlassian: OdinFlow accesses your Jira Cloud instance via Atlassian's APIs. Data is transmitted to and from Atlassian servers. Base subscription billing is also processed through the Atlassian Marketplace. See Atlassian's Privacy Policy for how they handle data
  • Cloud Infrastructure Providers: We use Fly.io for hosting and data storage in the United States (Virginia). Fly.io maintains SOC 2 Type II certification and industry-standard security controls
  • Payment Processors: Base subscription billing is processed through the Atlassian Marketplace. We may introduce optional add-on features in the future (such as increased ticket quotas or additional scheduled event slots). If introduced, payment for add-ons may be processed via third-party payment processors such as Stripe, and additional terms will apply. We do not store credit card details

We may also disclose data if required by law, court order, or government request, or to protect our rights, safety, or property.

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such change in ownership.

8. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: Data is encrypted in transit using TLS 1.2 or higher when transmitted between your browser and our servers, and between our services and Atlassian APIs
  • Secure Authentication: We use OAuth 2.0 for secure authentication with Atlassian, eliminating the need to store Jira passwords. Access tokens are short-lived and automatically refreshed
  • Access Controls: Access to production systems is restricted to authorized personnel with token-based authentication and service-to-service authorization
  • Security Monitoring: We actively monitor for security threats, unauthorized access attempts, and anomalous activity through structured logging and health monitoring
  • Additional Protections: Our infrastructure includes SSRF protection, rate limiting, request validation, and security headers to protect against common web vulnerabilities

Encryption at Rest: Sensitive credentials, including OAuth access tokens and refresh tokens, are encrypted at rest using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256). Encryption keys are managed securely and rotated periodically.

Multi-Tenant Data Isolation: All user data is scoped by Atlassian account ID and cloud ID. Strict tenant isolation ensures that users from one Jira Cloud instance cannot access data belonging to another instance. Database queries enforce tenant boundaries at the application layer.

Data Breach Notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Articles 33–34. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

Continuous Improvement: We are continuously improving our security posture. Planned enhancements include role-based access controls and regular third-party security audits.

Despite our efforts, no system is 100% secure. If you become aware of a security vulnerability or incident, please contact us immediately at security@deadvikingsoftware.com.

9. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data ("right to be forgotten")
  • Portability: Request a copy of your data in a structured, machine-readable format
  • Restriction: Request that we limit processing of your data
  • Objection: Object to processing based on legitimate interests or for direct marketing
  • Withdraw Consent: Withdraw consent for processing where consent is the legal basis

To exercise these rights, contact us at privacy@deadvikingsoftware.com. We will respond within 30 days of receiving your request, as required by applicable data protection laws.

Note: Privacy rights requests are handled separately from general support inquiries. For general support, see our Terms of Service for tier-specific response times.

You also have the right to lodge a complaint with a data protection authority in your jurisdiction.

10. California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions
  • Right to Opt-Out of Sale: We do not sell your personal information to third parties
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights

To exercise these rights, contact us at privacy@deadvikingsoftware.com. We will verify your identity before processing your request and respond within 45 days.

11. Atlassian Data Processing

Because OdinFlow integrates with Jira Cloud, Atlassian also processes your Jira data according to their own privacy policies and data processing agreements. We comply with Atlassian's data processing requirements for third-party applications.

Atlassian's Privacy Policy: https://www.atlassian.com/legal/privacy-policy

We do not control Atlassian's data processing practices. For questions about how Atlassian handles your data, please contact Atlassian directly.

Data Processing Agreement (DPA): A Data Processing Agreement is available upon request for customers who require one for GDPR compliance or internal procurement requirements. Contact privacy@deadvikingsoftware.com to request a copy.

12. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including countries that may not have data protection laws equivalent to those in your jurisdiction.

Data is stored on Fly.io infrastructure in the United States (Virginia region). When we transfer data internationally, we rely on appropriate safeguards including:

  • Standard Contractual Clauses (SCCs): EU-approved Standard Contractual Clauses as adopted by the European Commission, which provide contractual guarantees for the protection of personal data transferred outside the EEA
  • Security Certifications: Our hosting provider maintains SOC 2 Type II certification and industry-standard security controls
  • Technical Safeguards: Encryption in transit (TLS 1.2+) and at rest (Fernet/AES-128-CBC), access controls, and audit logging

13. Cookies and Tracking Technologies

Our marketing website (deadvikingsoftware.com) does not set any cookies.

The OdinFlow application uses minimal cookies as follows:

  • OAuth Session Cookie: A temporary server-side session cookie (Flask session) is used during the OAuth 2.0 authentication flow to store the oauth_state parameter. This cookie is short-lived and is cleared once authentication is complete

OdinFlow does not use authentication cookies for ongoing sessions — user identity is obtained via the Atlassian Connect framework. We do not use preference cookies, analytics cookies, or advertising cookies.

14. Data Deletion and Account Closure

You may request account deletion at any time by contacting us at privacy@deadvikingsoftware.com.

Upon account deletion:

  • OAuth tokens are invalidated and will not be refreshed, terminating access to your Jira instance
  • Personal identifiers (email, display name) are removed within 30 days
  • Your OdinFlow configuration data (queries, payloads, schedules, conversation history) is deleted within 30 days
  • Cached Jira metadata is deleted within 7 days
  • Subscription tier information is retained for 7 years to comply with tax and accounting regulations
  • Anonymized usage metrics may be retained for service improvement purposes

15. Children's Privacy

OdinFlow is not intended for use by individuals under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. We will notify you of material changes by posting the updated policy on our website with a new "Last Updated" date.

For significant changes that affect your rights, we will make reasonable efforts to notify you via the contact information associated with your Atlassian account.

Continued use of OdinFlow after changes become effective constitutes acceptance of the updated Privacy Policy.

17. Contact Us

For questions, concerns, or requests related to this Privacy Policy or your personal data, contact us:

  • Email: privacy@deadvikingsoftware.com
  • Website: deadvikingsoftware.com

We will respond to your inquiry within 30 days.