Privacy Policy

4.1 Personal Data You Provide

When you register, use, or interact with our Service, we collect:

• Account Information: Email address, full name, username, password (encrypted), company name, job title
• Profile Information: Profile photo, bio, professional information, time zone preferences
• Contact Information: Phone number, billing address, shipping address (city, state/province, postal/ZIP code, country)
• Payment Information: Billing contact details (payment card details are processed by our PCI-DSS compliant payment processors and are not stored on our servers)
• Communication Data: Content of messages sent through our Service, support inquiries, feedback, and correspondence with our team
• User-Generated Content: Project data, task descriptions, comments, file uploads, documentation, and other information you choose to input into the Service

4.2 Usage Data

We automatically collect information about how you interact with our Service:

• Device Information: IP address, device type, operating system, browser type and version, unique device identifiers
• Log Data: Access times and dates, pages viewed, features used, clickstream data, referring/exit pages, search queries
• Performance Data: Application performance metrics, error reports, diagnostic data, crash logs
• Session Information: Session duration, authentication events, user actions within the platform

4.3 Location Data

With your explicit consent, we may collect and process information about your approximate or precise geographic location. Location data may be derived from:

• GPS coordinates (with device permission)
• IP address geolocation
• Time zone settings
• Information you voluntarily provide

You can enable or disable location services at any time through your device settings or within your GitScrum account preferences.

4.4 Cookies and Tracking Technologies

We use cookies, web beacons, pixel tags, and similar tracking technologies to enhance user experience, analyze usage patterns, and deliver personalized content. Categories include:

• Strictly Necessary Cookies: Essential for Service functionality, authentication, and security
• Functional Cookies: Enable enhanced features and personalization based on your preferences
• Analytics Cookies: Help us understand how users interact with our Service to improve performance and user experience
• Marketing Cookies: Used to deliver relevant advertisements and track campaign effectiveness

For detailed information about cookies we use and how to manage your preferences, please refer to our Cookie Policy.

5.1 Contractual Necessity (GDPR Article 6(1)(b))

Processing is necessary to perform our contract with you, including:

• Creating and managing your account
• Providing access to the Service features
• Processing transactions and payments
• Delivering customer support
• Communicating service updates, security alerts, and administrative messages

5.2 Legitimate Interests (GDPR Article 6(1)(f))

Processing is necessary for our legitimate business interests, provided these interests do not override your fundamental rights:

• Improving and optimizing our Service
• Detecting and preventing fraud, security threats, and technical issues
• Conducting analytics to understand user behavior
• Marketing our services to existing customers
• Enforcing our terms and policies

5.3 Consent (GDPR Article 6(1)(a))

You have provided explicit, informed, and freely given consent for specific processing activities:

• Marketing communications and newsletters
• Non-essential cookies and tracking technologies
• Location data collection
• Processing sensitive data (when applicable)

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

5.4 Legal Obligation (GDPR Article 6(1)(c))

Processing is necessary to comply with legal obligations, including:

• Tax and accounting requirements
• Regulatory compliance and reporting
• Responding to lawful requests from authorities

5.5 Vital Interests (GDPR Article 6(1)(d))

Processing is necessary to protect vital interests in emergency situations.

6.1 Service Provision and Performance

• Creating, maintaining, and securing user accounts
• Enabling core platform functionality (project management, collaboration, task tracking)
• Processing payments and managing subscriptions
• Providing customer support and technical assistance
• Communicating service updates, security alerts, and administrative messages

6.2 Service Improvement and Development

• Analyzing usage patterns to enhance user experience
• Developing new features and functionality
• Conducting research and testing
• Troubleshooting technical issues and bugs
• Optimizing performance and reliability

6.3 Security and Fraud Prevention

• Detecting, preventing, and investigating security incidents
• Protecting against malicious, deceptive, fraudulent, or illegal activity
• Enforcing our Terms and Conditions
• Verifying user identity and authentication

6.4 Marketing and Communications

• Sending promotional materials about new features, products, and services (only with your consent for marketing communications)
• Conducting surveys and gathering feedback
• Analyzing marketing campaign effectiveness
• Personalizing content and recommendations

Opt-Out: You can opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email, adjusting your account preferences, or contacting privacy[at]gitscrum.com.

6.5 Legal Compliance and Protection

• Complying with applicable laws and regulations
• Responding to legal processes and government requests
• Establishing, exercising, or defending legal claims
• Protecting rights, property, and safety of GitScrum, users, and the public

7.1 Service Providers and Data Processors

We engage trusted third-party service providers to perform functions on our behalf. These processors have access to Personal Data only to perform specific tasks and are contractually obligated to:

• Process data only according to our documented instructions
• Implement appropriate technical and organizational security measures
• Maintain confidentiality
• Assist with data subject rights requests
• Delete or return data upon contract termination

Categories of processors include: Cloud infrastructure and hosting providers, Payment processors (PCI-DSS compliant), Customer support platforms, Analytics and monitoring services, Email and communication services, Security and fraud prevention services. A complete list of subprocessors is available upon request and is governed by our Data Processing Agreement.

7.2 Business Transfers

In the event of a merger, acquisition, reorganization, asset sale, or bankruptcy, Personal Data may be transferred as part of the business transaction. We will notify you via email and/or prominent notice on our Service before your Personal Data is transferred and becomes subject to a different privacy policy.

7.3 Legal Requirements and Protection

We may disclose Personal Data when required or permitted by law:

• To comply with legal obligations, court orders, or lawful government requests
• To enforce our Terms and Conditions and other agreements
• To protect the rights, property, or safety of GitScrum, our users, or the public
• To detect, prevent, or address fraud, security, or technical issues
• To respond to claims of illegal content or violation of third-party rights

7.4 With Your Consent

We may share your information with third parties when you have provided explicit consent for specific disclosures.

7.5 Aggregated and De-identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you, for research, marketing, analytics, or other purposes without restriction.

8.1 Transfers from the EEA

When we transfer Personal Data from the European Economic Area (EEA) to Third Countries, we ensure appropriate safeguards are in place in compliance with GDPR Chapter V:

• Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses (2021) with supplementary measures as required by the Schrems II decision
• Adequacy Decisions: We transfer data to countries recognized by the European Commission as providing adequate data protection
• EU-U.S. Data Privacy Framework: For transfers to certified U.S. entities (where applicable and valid)
• Transfer Impact Assessments (TIAs): We conduct assessments of the legal framework in destination countries to ensure effective data protection

You may request additional information about the safeguards we use for international transfers by contacting dpo[at]gitscrum.com.

8.2 Data Storage Locations

Your data is processed and stored in Amazon Web Services (AWS) data centers with global redundancy across multiple geographic regions, including the European Union, United States, and other locations. AWS maintains SOC 2 Type II, ISO 27001, and other industry-leading certifications. We select infrastructure based on security certifications, data protection standards, GDPR compliance, and disaster recovery capabilities.

9.1 Retention Criteria

Retention periods are determined based on:

• The nature and sensitivity of the data
• Purposes for which we collected and process the data
• Legal, regulatory, accounting, or reporting requirements
• Need to defend or establish legal claims
• Legitimate business interests

9.2 Specific Retention Periods

• Account Data: Retained for the duration of your active account plus 30 days after account closure or deletion request
• Transaction Records: Retained for 7 years to comply with tax and financial regulations as required by GDPR and EU financial directives
• Usage Data and Logs: Retained for 24 months for security, analytics, and troubleshooting purposes
• Marketing Communications: Retained until you opt out or withdraw consent
• Support Communications: Retained for 3 years to provide ongoing support and improve service quality

9.3 Data Deletion

Upon expiration of applicable retention periods, or upon your request (where legally permissible), we will securely delete or anonymize your Personal Data using industry-standard data destruction methods.

10.1 Right to Access (GDPR Article 15)

You have the right to request confirmation of whether we process your Personal Data and obtain a copy of that data.

10.2 Right to Rectification (GDPR Article 16)

You have the right to request correction of inaccurate or incomplete Personal Data.

10.3 Right to Erasure / "Right to be Forgotten" (GDPR Article 17)

You have the right to request deletion of your Personal Data under certain circumstances:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Deletion is required to comply with legal obligations

10.4 Right to Restriction of Processing (GDPR Article 18)

You have the right to request restriction of processing under certain circumstances:

• You contest the accuracy of the data
• Processing is unlawful but you oppose erasure
• We no longer need the data but you require it for legal claims
• You have objected to processing pending verification of our legitimate grounds

10.5 Right to Data Portability (GDPR Article 20)

You have the right to receive your Personal Data in a structured, commonly used, machine-readable format and transmit it to another controller.

10.6 Right to Object (GDPR Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

10.7 Rights Related to Automated Decision-Making (GDPR Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

10.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.

10.9 CCPA-Specific Rights (California Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of categories and specific pieces of personal information collected
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information (Note: GitScrum does not sell personal information)
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising your CCPA rights
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit Use of Sensitive Personal Information: Request limitation on use of sensitive personal information
• Do Not Sell or Share My Personal Information: GitScrum does not sell or share your personal information for advertising purposes. No opt-out mechanism is required.

10.10 Exercising Your Rights

To exercise any of these rights, please:

• Submit a request via email to: privacy[at]gitscrum.com or dpo[at]gitscrum.com

We will respond to your request within 30 days (GDPR - may be extended by 2 months for complex requests with notification) or 45 days (CCPA - may be extended by 45 days with notification). We may require verification of your identity before processing requests to protect your privacy and security.

11.1 Technical Safeguards

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Multi-factor authentication (MFA) support
• Regular security assessments and penetration testing
• Intrusion detection and prevention systems
• Automated vulnerability scanning and patch management
• Secure software development lifecycle practices
• Regular data backups with encryption

11.2 Organizational Safeguards

• Access controls based on least privilege principles
• Background checks for personnel with data access
• Comprehensive employee security training
• Confidentiality agreements with all personnel
• Incident response and business continuity plans
• Regular security policy reviews and updates
• Third-party security audits

For more detailed information, please refer to our Security Policy at /legal/security.

Security Limitations: While we employ industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly notifying you and relevant authorities of any data breaches as required by law.

12.1 Third-Party Integrations

GitScrum offers integrations with third-party services (e.g., Slack, Google Workspace, Microsoft Teams). When you authorize these integrations:

• You grant GitScrum permission to share specific data with the third-party service
• The third-party's privacy policy governs their use of your data
• You can revoke integration permissions at any time through your account settings

12.2 Analytics Services

We use third-party analytics services, including Google Analytics, to monitor and analyze Service usage. These services may use cookies and similar technologies to collect information about your use of the Service. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

15.1 Cookie Consent

In compliance with the EU ePrivacy Directive and GDPR, we obtain your explicit consent before placing non-essential cookies on your device.

• When you first visit GitScrum:
• You will see a cookie consent banner
• Non-essential cookies are blocked until you provide consent
• You can accept all, reject non-essential, or customize your preferences
• Your consent choices are recorded and can be updated at any time

15.2 Managing Cookie Preferences

You can manage cookie preferences through:

• Our cookie consent management tool (accessible via banner or account settings)
• Your browser settings (note: blocking necessary cookies may impair functionality)
• Third-party opt-out tools (e.g., Google Analytics Opt-out, Network Advertising Initiative)

For detailed information about cookies we use, their purposes, and retention periods, please refer to our Cookie Policy at /legal/cookie-policy.