Privacy Policy
Effective date: January 1, 2025
This Privacy Policy describes how Gruion ("Company", "we", "us", or "our") collects, uses, and protects your personal information when you use the AIgileCoach platform ("Service"). We are committed to protecting your privacy and handling your data with transparency.
1. Data We Collect
We collect only the data necessary to provide and operate the Service:
| Data Type | Purpose | Storage |
|---|
| Email address | Authentication, account communication | Plaintext (for login) |
| Display name | User identification within your organization | Plaintext |
| Password | Authentication | Hashed with bcrypt (never stored in plaintext) |
| Organization name | Tenant identification | Plaintext |
| Jira server URL | Connecting to your Jira instance | Plaintext |
| Jira API tokens | Authenticating with Jira | Encrypted with AES-256-GCM |
| AI provider API keys | Connecting to AI services (OpenAI, Anthropic, Ollama) | Encrypted with AES-256-GCM |
| Team configurations | Sprint, ceremony, and RACI settings | Plaintext |
| Billing information | Subscription management | Processed by Stripe (not stored by us) |
2. Data We Do NOT Collect
We want to be clear about what we do not store:
- Jira issue data: We do not store your Jira issues, epics, sprints, or any project data on our servers. All Jira data is fetched in real-time from your Jira instance and rendered directly in the browser. It is never persisted in our database.
- Source code or repositories: We have no access to your code repositories.
- Browser history or personal files: We do not track your browsing behavior outside the Service.
- Location data: We do not collect or process geolocation data.
3. How We Use Your Data
We use the data we collect for the following purposes:
- Authentication: To verify your identity and manage access to your account
- Jira connectivity: To connect to your Jira instance and fetch project data in real-time on your behalf
- AI coaching: To send requests to your configured AI provider using your API keys (we do not store AI conversation history on our servers)
- Billing: To manage your subscription through Stripe
- Service operation: To monitor system health, troubleshoot issues, and improve the Service
- Communication: To send you important service updates, security notifications, and billing receipts
4. Data Storage and Encryption
4.1 Encryption at Rest
All sensitive credentials are encrypted before storage:
- Jira API tokens and AI provider keys: Encrypted with AES-256-GCM using per-tenant encryption keys
- Passwords: Hashed with bcrypt (one-way; cannot be reversed)
- Database: PostgreSQL with encrypted storage volumes
4.2 Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. API communications with Jira and AI providers are also encrypted in transit.
4.3 Infrastructure
Our managed SaaS infrastructure runs in secure cloud environments with access controls, monitoring, and regular security updates.
5. Third-Party Services
We share data with the following third parties only as necessary to provide the Service:
- Stripe: Processes subscription payments. Stripe receives your payment method details directly and is PCI DSS compliant. See Stripe's Privacy Policy.
- Your Jira instance: We connect to your Jira using credentials you provide. Data flows directly between our Service and your Jira instance.
- Your AI provider: If you configure an AI provider (OpenAI, Anthropic, Ollama), requests are sent to that provider using your API keys. We do not share your data with AI providers on our own initiative.
We do not sell, rent, or trade your personal data to any third party. We do not use third-party analytics, advertising, or tracking services.
6. Data Retention
- Active accounts: Your data is retained for as long as your account is active.
- After cancellation: Your data is retained for 30 days after account cancellation to allow for reactivation or data export. After 30 days, all data is permanently deleted.
- Audit logs: For Enterprise plans, audit logs are retained for 90 days (or longer if configured).
- Server logs: Operational logs (which may contain IP addresses and request metadata) are retained for 30 days for security and debugging purposes.
7. Your Rights
You have the following rights regarding your data:
- Access: You may request a copy of all personal data we store about you.
- Export: You may export your configuration data, team settings, and RACI matrices from the settings page at any time.
- Correction: You may update your personal information (name, email) through your account settings.
- Deletion: You may request deletion of your account and all associated data by contacting us at contact@aigilecoach.io. Deletion will be completed within 30 days.
- Portability: You may request your data in a machine-readable format (JSON).
- Objection: You may object to any processing of your data. If you object, we will cease processing unless we have compelling legitimate grounds.
To exercise any of these rights, contact us at contact@aigilecoach.io.
8. Cookies and Local Storage
The AIgileCoach application uses:
- JWT tokens in localStorage: Used for authentication. These tokens are issued upon login and stored in your browser's localStorage. They contain your user ID and tenant ID but no sensitive data.
- No tracking cookies: We do not use any third-party tracking cookies, advertising cookies, or analytics cookies.
- No cross-site tracking: We do not participate in any cross-site tracking or advertising networks.
9. On-Premise Deployment
For customers using the on-premise deployment option (Enterprise plan or self-hosted open-source edition):
- No data leaves your network: All data remains on your own infrastructure. We have no access to your instance, your data, or your credentials.
- No telemetry: The self-hosted version does not send any telemetry, usage data, or analytics to our servers.
- Your responsibility: You are responsible for securing and maintaining your own deployment, including database encryption, backups, and access controls.
10. GDPR Compliance
For users in the European Economic Area (EEA), we comply with the General Data Protection Regulation (GDPR):
- Lawful basis: We process your data based on contractual necessity (providing the Service you signed up for) and legitimate interest (service operation and security).
- Data minimization: We collect only the data strictly necessary to operate the Service.
- Purpose limitation: We use your data only for the purposes described in this policy.
- Data protection officer: For GDPR inquiries, contact us at contact@aigilecoach.io.
- Supervisory authority: You have the right to lodge a complaint with your local data protection authority if you believe your data is being processed unlawfully.
- Data transfers: If your data is transferred outside the EEA, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses).
11. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice in the Service at least 30 days before the changes take effect. The "Effective date" at the top of this page indicates when the policy was last updated.
13. Contact
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
Email: contact@aigilecoach.io
Company: Gruion
Website: aigilecoach.io