PRIVACY POLICY
Last Updated: April 18, 2025
Introduction
This privacy policy ("Privacy Policy") applies to all visitors and users ("User", "you", "your") of the TicketToKB platform and website (collectively, "TicketToKB," "Platform," or "Services") at tickettokb.com, offered by TicketToKB ("we," "us," or "our"). It describes how we collect, use, disclose, and otherwise process your personal data in connection with our Services, including through the use of cookies and related technologies. It also informs you about your data protection rights under applicable law, including the General Data Protection Regulation (GDPR).
By accessing or using any part of the Services, you acknowledge you have read and understood this Privacy Policy.
Data Controller
TicketToKB
Contact Email: support@tickettokb.com
TicketToKB is the data controller responsible for the processing of your personal data collected through the Services.
Applicability of this Privacy Policy
This Privacy Policy applies to personal data we collect from you as a customer or visitor when using our Services.
If you are using the Services as an employee, contractor, or other representative of one of our customers (e.g., your employer subscribes to TicketToKB), that customer is typically the data controller for the Jira Content processed via the service, and we act as a data processor on their behalf for that specific processing. Please direct privacy inquiries or rights requests concerning the underlying Jira Content to the corresponding customer in such cases. This policy primarily covers data where we are the controller (e.g., account information, usage analytics).
Personal Data We Collect
We collect personal data that you provide directly to us and data collected automatically through your use of the Services.
Data You Provide:
- Account Information: When you sign up for an account (e.g., via email/password or OAuth through NextAuth), we collect information such as your name, email address, and hashed password. If provided via OAuth or profile settings, we may also collect your profile picture URL. (Basis: Performance of Contract)
- Payment Information: When you subscribe to a paid service (Basic, Pro, Enterprise plans), we collect billing details necessary to process the payment via our payment processor, Stripe. This may include your name and billing address. Full payment instrument details (like credit card numbers) are processed directly by Stripe and are not stored on our servers. We store associated subscription details like your Stripe Customer ID, Stripe Subscription ID, chosen plan ID, subscription status, current period start/end dates, and cancellation status. (Basis: Performance of Contract)
- Jira Content: To use the core functionality, you provide content originating from your connected Jira instance ("Jira Content"), such as issue keys, potentially issue descriptions, comments, and related metadata, as input to the Service's generation features. (Basis: Performance of Contract - processing this is necessary to provide the service you requested. Your organization is likely the controller for this data.)
- Communications: Information you provide when you contact us for support, provide feedback, or otherwise communicate with us (e.g., your name, email address, content of the message). (Basis: Legitimate Interests in responding and improving service; Performance of Contract if related to service delivery).
- Jira Integration Data: When connecting your Jira account, we may store necessary identifiers like your Jira Cloud ID or access/refresh tokens (handled securely, often via OAuth) to maintain the connection. (Basis: Performance of Contract).
Data Collected Automatically:
Like most online services, we automatically collect certain information when you visit or interact with our Services:
- Technical & Device Information: Your device's internet protocol (IP) address, device type, operating system, browser type, unique device identifiers (if applicable), language settings, and general geographic location information (e.g., city, country inferred from IP address).
- Usage Data: Information about your interaction with our Services, such as pages visited, features used (including generation requests initiated), content viewed, time spent on pages, referral URLs, clicks, generation metadata (including associated user ID, Jira issue key, input/output token counts, timestamps), subscription generation counts, and other activity data. We use PostHog for collecting some of this analytics data.
- Security Data: To protect our services from spam and abuse, we use tools like Google reCAPTCHA. This service collects hardware and software information, such as device and application data, the results of integrity checks (e.g., your interaction with the reCAPTCHA prompt), and potentially unique identifiers. This data is sent to Google for analysis.
- Cookies and Similar Technologies: We use cookies (small text files stored on your device) and similar technologies (like web beacons or pixels) to collect some of the automatically collected data, operate the service (e.g., session management), remember preferences, and potentially for analytics. See the "Cookies and Your Choices" section below.
We process automatically collected data based on our legitimate interests in understanding how our Services are used, improving user experience, ensuring the functionality and security of our Services, and preventing fraud and abuse. For data collected via non-essential cookies or similar technologies (like analytics cookies), we rely on your consent, typically obtained via a cookie banner.
Information We Do Not Intentionally Collect
We do not intentionally collect sensitive or special category personal data (as defined under GDPR, e.g., health data, genetic data, biometric data for unique identification, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership). We request that you do not submit such data to us, including within Jira Content processed by the Service.
Our Services are not directed to children. We do not knowingly collect personal data from individuals under the age of 18. If we learn we have collected personal data from a child under 18 without verification of parental consent, we will take steps to delete that information promptly. If you believe we might have any information from or about a child under 18, please contact us.
How We Use Your Personal Data and Lawful Bases
We use your personal data for the following purposes, relying on the specified lawful bases under GDPR:
- Provide, Maintain, and Improve Services: To operate the Platform, authenticate users (via NextAuth), deliver the services you request (including processing Jira Content through LLMs to generate output), manage subscriptions and enforce generation limits. (Lawful Basis: Performance of Contract; Legitimate Interests in maintaining and improving services).
- Process Transactions: To complete subscription payments via our payment processor, Stripe. (Lawful Basis: Performance of Contract).
- Account Management & Administration: To manage your account, send necessary service-related communications (e.g., security alerts, policy updates, subscription status changes, support messages). (Lawful Basis: Performance of Contract; Legitimate Interests in managing the service).
- Respond to Inquiries & Provide Support: To respond to your comments, questions, and requests for customer support. (Lawful Basis: Legitimate Interests in user support; Performance of Contract if related to service delivery).
- Analyze Usage: To monitor and analyze trends, usage patterns (using PostHog and internal logs), and activities to understand how users interact with our Services, diagnose technical issues, and improve the Platform. (Lawful Basis: Legitimate Interests in service improvement and optimization; Consent for analytics relying on non-essential cookies).
- Security and Fraud Prevention: To detect, investigate, prevent, and address technical issues, fraud, spam, abuse, security incidents, and potential violations of our Terms (e.g., using Google reCAPTCHA and analyzing logs). (Lawful Basis: Legitimate Interests in protecting our Services, users, and business; potentially Legal Obligation).
- Personalization: To personalize your experience modestly (e.g., remembering settings or preferences). (Lawful Basis: Legitimate Interests in enhancing user experience; Consent for certain personalization cookies).
- Legal Compliance: To comply with applicable laws, regulations, legal processes (like court orders or subpoenas), or governmental requests. (Lawful Basis: Legal Obligation).
- Enforce Terms & Protect Rights: To enforce our Terms and Conditions and protect our rights, privacy, safety, or property, and/or those of you or others. (Lawful Basis: Legitimate Interests).
Specific Technologies and Services We Use
We utilize various third-party services to provide and operate TicketToKB:
- Hosting: Vercel - Provides the infrastructure to host our application and store data.
- Database: Vercel Postgres / Neon / Supabase - Stores application data like user accounts, subscriptions, generation metadata.
- Authentication: NextAuth - Facilitates user login via email/password and potentially OAuth providers (e.g., Google, GitHub, where configured).
- Payment Processing: Stripe - Securely handles subscription payments and stores payment method details.
- Analytics: PostHog - Helps us understand user behavior and service usage.
- AI / LLM Provider(s): OpenAI / Anthropic - Processes Jira Content to generate output. Data submitted to these providers is subject to their respective privacy policies and terms.
- Jira / Atlassian: Essential for the core service integration via their APIs.
- Security: Google reCAPTCHA - Helps protect against automated abuse.
- Email Delivery: Resend - Sends transactional and potentially marketing emails.
Sharing Your Personal Data
We do not sell your personal data. We may share your personal data with the following categories of recipients under specific circumstances and based on lawful grounds:
- Service Providers: Third-party vendors, consultants, and other service providers who perform services on our behalf and require access to personal data to do that work. This includes the providers listed in the section above (Hosting, Database, Authentication, Payment Processing, Analytics, LLM Providers, Security, Email Delivery). These providers only have access to personal data needed to perform their functions and are typically bound by contractual obligations to protect it and use it only for the purposes for which it was disclosed. (Basis: Performance of Contract; Legitimate Interests).
- LLM Providers: Critically, when you use the generation feature, the Jira Content you provide as input is sent to our third-party LLM Provider(s) for processing. Metadata about the generation (like token counts) is stored by us, but the input/output content is processed by the LLM provider subject to their terms and privacy policies. You should review the relevant LLM provider's policies. (Basis: Performance of Contract - necessary to provide the core generation service).
- Affiliated Organizations, Employees, Contractors: Our personnel and affiliated entities (if any) who need the information to help us provide the Services or process it on our behalf, provided they are bound by confidentiality obligations. (Basis: Legitimate Interests in efficient operation).
- Professional Advisors: Lawyers, bankers, auditors, and insurers providing consultancy, banking, legal, insurance, and accounting services, where necessary for the operation of our business. (Basis: Legitimate Interests in managing our business; Legal Obligation).
- Legal Requirements & Law Enforcement: Government authorities, courts, regulators, or other third parties if we believe disclosure is necessary or appropriate to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms and Conditions; (c) protect the security or integrity of our Services; or (d) protect our rights, property, or safety, or that of our users or the public. (Basis: Legal Obligation; Legitimate Interests).
- Business Transfers: In connection with, or during negotiations of, any actual or potential merger, sale of company assets, financing, acquisition of all or a portion of our business by another company, or transition of service to another provider. We will take steps to notify you if your personal data becomes subject to a different privacy policy. (Basis: Legitimate Interests in business continuity).
- With Your Consent: We may share your information with other third parties when we have your explicit consent to do so.
Data Storage and International Transfers
Your personal data is primarily stored and processed on servers located within the European Economic Area (EEA) and the United States. For example, we use hosting providers like Vercel (with potential regions in both the US and EU).
However, certain processing activities may involve transferring your data outside the EEA to countries that may not have data protection laws as comprehensive as those in the EEA. This typically occurs when we utilize service providers located outside the EEA, such as:
- Stripe (USA): For payment processing.
- PostHog (USA/EU): Depending on their infrastructure configuration.
- LLM Provider(s) (potentially USA or other locations): Depending on the provider chosen (e.g., OpenAI/Anthropic often use US infrastructure).
- Google (USA): For reCAPTCHA.
- Other US-based or global service providers: Vercel (USA/Global), Resend (USA).
When we transfer your personal data outside the EEA to countries not deemed adequate by the European Commission, we ensure appropriate safeguards are implemented to protect your data in accordance with GDPR requirements. These safeguards primarily include:
- Relying on Standard Contractual Clauses (SCCs) approved by the European Commission, integrated into our data processing agreements with the relevant service providers.
- Where applicable, relying on the EU-U.S. Data Privacy Framework (DPF) and/or the UK Extension or Swiss equivalent, if the provider is certified.
- Implementing supplementary measures (technical, organizational, contractual) as necessary to ensure an essentially equivalent level of protection to that guaranteed within the EEA.
Communications With You
If you are a registered user, we may send you emails that are strictly necessary for the operation of the Service, such as account verification, password resets, security notifications, important updates to the Service or Terms/Privacy Policy, and subscription/billing information. (Basis: Performance of Contract; Legitimate Interests).
We may also occasionally send emails about new features, solicit feedback, or provide general updates about TicketToKB. (Basis: Legitimate Interests, or Consent for purely marketing emails). You can opt out of receiving these non-essential (marketing) communications at any time by clicking the "unsubscribe" link provided in the email or by contacting us at support@tickettokb.com.
If you send us a request (e.g., via a support email), we reserve the right to publish the nature or essence of the request (without your personally identifying information) to help us clarify or respond to your request or to help us support other users.
Cookies and Your Choices
We use cookies and similar technologies for several purposes:
- Essential/Strictly Necessary: Required for the operation of the Service, such as maintaining your login session, security, and core functionalities.
- Preferences: To remember your settings and preferences (if any).
- Analytics: To help us understand how users interact with the Service (e.g., using PostHog). These are non-essential.
Your Consent: For non-essential cookies (like analytics), we obtain your explicit consent, typically through a cookie consent banner presented when you first visit our site. You can manage your preferences through the banner or potentially through site settings (if implemented).
Browser Settings: Most web browsers allow you to control cookies through their settings preferences. You can usually set your browser to refuse cookies, delete existing cookies, or alert you when cookies are being sent. However, if you disable or refuse essential cookies, some parts of the Service may become inaccessible or not function properly.
Analytics Opt-Out: You can typically opt out of analytics tracking (like PostHog) via our cookie consent mechanism.
Your Data Protection Rights under GDPR
If you are located in the European Economic Area (EEA), UK, or Switzerland, you have the following data protection rights regarding your personal data, subject to certain limitations under applicable law:
- Right of Access: You have the right to request access to and obtain a copy of the personal data we hold about you.
- Right to Rectification: You have the right to request that we correct any inaccurate personal data or complete incomplete personal data concerning you.
- Right to Erasure ('Right to be Forgotten'): You have the right to request the deletion of your personal data under certain conditions (e.g., the data is no longer necessary for the purposes collected, you withdraw consent and no other legal ground exists, you object to processing based on legitimate interests and there are no overriding grounds, the data was unlawfully processed).
- Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data under certain circumstances (e.g., while the accuracy of the data is contested, the processing is unlawful but you oppose erasure, we no longer need the data but you require it for legal claims, you have objected pending verification of legitimate grounds).
- Right to Object to Processing: You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on our legitimate interests. We must stop processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. You also have an absolute right to object to processing for direct marketing purposes.
- Right to Data Portability: Where processing is based on your consent or the performance of a contract, and the processing is carried out by automated means, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from us.
- Right to Withdraw Consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority (data protection authority) in your EU Member State of habitual residence, place of work, or place of the alleged infringement if you believe that our processing of your personal data infringes the GDPR.
Exercising Your Rights: To exercise any of these rights, please contact us at support@tickettokb.com with the subject line "Privacy Rights Request". We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We will respond to your request within the timeframe required by applicable law (typically within one month).
Data Retention and Deletion
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected and processed, as outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
The criteria used to determine our retention periods include:
- The duration of your active account and use of our Services.
- The necessity of the data to provide the Services and fulfill our contractual obligations.
- Compliance with our legal obligations (e.g., retaining invoice data for tax/accounting purposes, maintaining logs for security investigations).
- The need to resolve disputes or enforce our agreements.
- Our legitimate business interests (e.g., for analytics improvement, fraud prevention, backup purposes).
Specifically:
- Account Information: Retained for as long as your account is active, and for a reasonable period thereafter as necessary for administrative purposes, legal compliance, or dispute resolution.
- Usage/Generation Metadata: Retained for a period necessary for analytics, billing accuracy, service improvement, and security monitoring (e.g., potentially 12-24 months), after which it may be aggregated, anonymized, or deleted.
- Jira Content Processed: We do not permanently store the raw Jira Content submitted for generation unless necessary for troubleshooting or explicitly configured (which would be communicated). Metadata linking generations to Jira issues is retained as per Usage Data policy.
- Payment/Subscription Data: Retained as necessary for billing, accounting, tax compliance, and managing subscription status (potentially for several years as required by financial regulations).
- Backup Data: Data may remain in our secure backup archives for a limited period according to our backup schedules, isolated from further processing until deletion is possible.
When personal data is no longer necessary for the purposes for which it was collected, we will securely delete or anonymize it in accordance with applicable laws.
Contacting TicketToKB About Your Privacy
If you have any questions, comments, or concerns about this Privacy Policy, our data practices, or if you wish to exercise your data protection rights, please contact us:
Email: support@tickettokb.com
(Please use a clear subject line like "Privacy Question" or "Privacy Rights Request")
Privacy Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by updating the "Last Updated" date at the top of this policy and may provide additional notice, such as by sending an email to your registered address or posting a prominent notice on our Services, prior to the change becoming effective. We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your information. Your continued use of our Services after any changes or revisions to this Privacy Policy shall indicate your agreement with the terms of such revised Privacy Policy.