Privacy Policy
Effective date: 2 April 2026 · Version 1.0
1. Who We Are
SprintHelm (“we”, “us”, or “our”) operates the sprint planning platform at app.sprinthelm.com and the marketing website at sprinthelm.com.
For the purposes of the UK GDPR and EU GDPR, SprintHelm is the data controller for personal data collected through the Service. For questions or to exercise your rights, contact us at privacy@sprinthelm.com.
2. Data We Collect
Account data
- Email address (required for all sign-up methods)
- Full name (collected during onboarding, optional)
- Organisation name (collected during onboarding)
- Sign-in method (email/password, magic link, or Google OAuth)
Sprint planning data
- Ticket titles and identifiers you submit
- Ticket attributes: effort estimates, impact scores, type, and epic grouping
- Team configuration: team name, number of developers, seniority level
- Scoring weight preferences
- Sprint history (plans you save or export)
Note: Please avoid including personal names, email addresses, or other personal information of your team members in ticket titles or descriptions. Sprint planning data should describe work items, not individuals.
Technical data
- IP address and approximate location (country/region)
- Browser type and version
- Session tokens and authentication cookies (managed by Supabase Auth)
- Basic usage logs (page visits, feature usage) for service improvement
Google OAuth data (if used)
If you sign in with Google, we receive your email address, display name, and profile picture from Google. We use the email address for account identification and the display name for personalisation. We do not receive access to your Google Drive, Calendar, or other Google services.
Jira (Atlassian) integration data (if used)
If you connect your Jira workspace to SprintHelm via Account → Connect Jira Workspace, we receive and store the following from Atlassian on your behalf:
- Atlassian account identifier — the opaque account ID Atlassian provides during OAuth authorisation. We do not receive your Atlassian name, email, or profile photo through this flow.
- OAuth access and refresh tokens — stored encrypted at rest using AES-256-GCM envelope encryption. Encryption keys are managed per environment and never leave our server-side infrastructure. The encrypted tokens are never sent to your browser.
- Connection audit log — we record an event log entry for each connection-related action (connect, disconnect, token refresh, sprint import). Each entry contains event type, timestamp, and a reference to your connection. We do not log the contents of any Jira ticket or sprint in this audit table.
- Jira ticket and sprint data you choose to import — when you import a sprint, the ticket data you select is copied into your SprintHelm account so the simulator can analyse it. This data is owned by your SprintHelm account and is governed by the same retention and deletion rules as any other ticket data you enter into SprintHelm.
See section 4a below for the full Jira integration data lifecycle, lawful basis, and erasure pathway.
3. How We Use Your Data
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing and operating the Service | Contract performance (Art. 6(1)(b)) |
| Sending authentication emails (magic links, confirmation) | Contract performance (Art. 6(1)(b)) |
| Generating AI executive summaries from sprint data | Contract performance (Art. 6(1)(b)) |
| Improving the Service (aggregated analytics) | Legitimate interests (Art. 6(1)(f)) |
| Sending product update emails (if opted in) | Consent (Art. 6(1)(a)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Sub-Processors
We share your data with the following third-party services to operate the platform. Each is bound by appropriate data processing agreements.
Supabase
Database, authentication, and file storage. Data is stored in EU (West Europe) region servers.
Data: account data, sprint planning data, session tokens
Anthropic (Claude API)
AI language model used to generate executive summaries of your sprint plan. When you request an AI summary, your sprint data (ticket titles, scores, team configuration, and sprint statistics) is transmitted to Anthropic's API for processing.
Data transmitted: ticket titles, effort scores, priority scores, team name, team size, capacity metrics, Monte Carlo results. Not transmitted: your email, name, or account details.
Anthropic's privacy policy applies to this processing: anthropic.com/privacy
Atlassian (Jira)
If you connect your Jira workspace, SprintHelm uses Atlassian's OAuth 2.0 API to read sprint and ticket data on your behalf. We receive your Atlassian account identifier plus the OAuth tokens needed to make those API calls; tokens are envelope-encrypted at rest.
Data: Atlassian account ID, encrypted OAuth access + refresh tokens, connection audit log, Jira ticket/sprint data you choose to import. Not transmitted to Atlassian: your SprintHelm email, name, or sprint analytics.
Atlassian's privacy policy applies to data processing on Atlassian's side: atlassian.com/legal/privacy-policy
Vercel
Hosting and edge network for the web application. May process request metadata (IP address, headers).
Data: request logs, IP addresses
Google (OAuth only)
If you choose “Continue with Google”, Google authenticates your identity and shares your email and name with us. Google's privacy policy governs that exchange.
Data: email address, display name (sign-in only)
We do not sell your data to any third party. We do not share your data with advertisers or data brokers.
4a. Jira Integration — Data Lifecycle and Erasure
This section applies only if you have connected a Jira workspace to your SprintHelm account. It explains in full detail what we store on Atlassian's behalf, why we are permitted to store it under UK GDPR / EU GDPR, and how you can remove it.
What we store
- Atlassian account identifier. The opaque account ID Atlassian provides during OAuth authorisation. Atlassian considers this identifier personal data even though it is not a name or email, because it identifies you within Atlassian's systems. We store it solely to match incoming Jira events to your SprintHelm account.
- OAuth access and refresh tokens issued by Atlassian. We store these tokens encrypted at rest using AES-256-GCM envelope encryption. Encryption keys are managed per environment (staging and production use different keys) and never leave our server-side infrastructure. Encrypted tokens are never sent to your browser and are not visible to other users.
- Connection audit log entries. For each connection-related action (connect, disconnect, token refresh, sprint import) we store an event-type label, a timestamp, and a reference to your connection. The audit log does not contain the contents of any Jira ticket, sprint, or user-identifying detail beyond your internal SprintHelm user ID.
- Jira ticket and sprint data you actively import.When you choose to import a Jira sprint or backlog, the ticket data you select is copied into your SprintHelm account. This data then lives under the same retention rules as any other ticket data you enter into SprintHelm directly.
Lawful basis
We process the data above on the basis of legitimate interest under UK GDPR / EU GDPR Article 6(1)(f). The Jira integration cannot function without these data items, and you actively choose to enable it by clicking Connect Jira Workspace. You may withdraw the processing at any time by disconnecting (see “How to erase” below).
How to erase your Jira data
You can permanently remove all the data above without contacting us:
- Sign in to SprintHelm and open your Account page.
- Find the “Jira Integration” section.
- Click Disconnect Jira Workspace.
When you disconnect:
- Your encrypted OAuth token rows are hard-deleted immediately.
- Your workspace connection row is marked as “disconnected” and is purged within 30 days.
- Connection audit log entries are retained for 12 months for security and incident-response purposes, then automatically purged. You can request expedited audit-log purge by emailing privacy@sprinthelm.com.
- Jira ticket and sprint data you imported is NOT automatically deleted; it remains in your SprintHelm account under the standard retention rules and is deleted on full account deletion or on request.
Sub-processor relationship
Atlassian Pty Ltd (the operator of Jira) is a sub-processor for this feature under our Data Processing Addendum (DPA). Atlassian's own privacy policy governs any processing that occurs on Atlassian's side of the integration: atlassian.com/legal/privacy-policy.
Personal data reporting
SprintHelm operates an internal endpoint that lets our support team look up which Atlassian account identifiers we hold data about, in order to fulfil right-to-erasure requests promptly. The endpoint requires a per-environment shared secret known only to authorised SprintHelm personnel and is not publicly callable. We use it to honour your requests, not to share data with third parties.
5. International Data Transfers
Your account data and sprint data are stored on Supabase servers in the EU (West Europe region).
When AI executive summaries are generated, sprint data is transmitted to Anthropic's API, which is operated from the United States. This constitutes an international transfer under GDPR. This transfer is covered by Anthropic's Standard Contractual Clauses (SCCs) with their EU customers. By using the AI summary feature, you consent to this transfer.
Vercel's global CDN may process request data at edge locations worldwide. This is limited to technical routing data and does not include your account or sprint planning data.
If you connect a Jira workspace, Atlassian's OAuth servers and Jira API may be operated from the United States or other regions depending on your Atlassian site location. This constitutes an international transfer under GDPR; you actively consent to it by clicking Connect Jira Workspace. Atlassian's own data-transfer disclosures apply at atlassian.com/legal/privacy-policy.
6. Data Retention
- Active accounts: Data retained for as long as your account is active
- Deleted accounts: Personal data permanently deleted within 30 days of account deletion
- Jira integration tokens: Hard-deleted immediately when you click Disconnect Jira Workspace
- Jira connection metadata: Marked disconnected on Disconnect and purged within 30 days
- Jira connection audit log: Retained 12 months after disconnect for security and incident-response purposes, then automatically purged. Expedited purge available on request to privacy@sprinthelm.com.
- Anonymised aggregate data (e.g. usage statistics with no personally identifiable information) may be retained indefinitely for service improvement
- Legal obligations: Some data may be retained longer where required by applicable law (e.g. financial records)
7. Your Rights
Under UK GDPR and EU GDPR, you have the following rights:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your personal data (“right to be forgotten”)
- Portability: Request your data in a machine-readable format
- Object: Object to processing based on legitimate interests
- Restrict processing: Request that we limit how we use your data
- Withdraw consent: Withdraw consent for any consent-based processing (e.g. marketing emails)
To exercise any of these rights, email privacy@sprinthelm.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (in the UK: the ICO at ico.org.uk).
8. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information is collected, used, shared, or sold
- The right to delete personal information
- The right to opt out of the sale of personal information
- The right to non-discrimination for exercising your CCPA rights
We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
9. Cookies
SprintHelm uses the following cookies:
- Authentication cookies (essential): Set by Supabase Auth to maintain your signed-in session. These are HTTP-only, SameSite=Lax cookies and cannot be accessed by JavaScript. Required for the Service to function.
- Vercel analytics (if enabled): Aggregated, anonymised page view data with no cross-site tracking. No cookie is set for analytics unless you consent.
We do not use advertising cookies, third-party tracking pixels, or fingerprinting.
10. Security
We implement appropriate technical and organisational measures to protect your data:
- All data transmitted over HTTPS/TLS
- Authentication session tokens stored in HTTP-only cookies (not accessible to JavaScript)
- Passwords hashed using bcrypt (Supabase Auth)
- Database access restricted to authenticated service roles
- Regular dependency security reviews
No system is completely secure. If you discover a security vulnerability, please disclose it responsibly to security@sprinthelm.com.
11. Children
The Service is not directed at persons under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, contact us at privacy@sprinthelm.com and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice on the Service at least 14 days before changes take effect. The “Effective date” at the top of this page indicates when the policy was last updated.
13. Contact
For privacy-related enquiries: privacy@sprinthelm.com
For general enquiries: hello@sprinthelm.com