Eulo Labs - Privacy Policy
Effective starting: January 22, 2026
1. Scope & applicability
This policy covers the processing of personal data that occurs when a user installs or runs a Eulo Labs app (the “App”) from the Atlassian Marketplace, as well as visits to our public website (eulo.dev).
Current Apps:
- File Renderers for Bitbucket – A Forge app that provides enhanced file preview capabilities within Bitbucket Cloud repositories for file types including CSV, TSV, PDF, STL (3D models), and AsciiDoc documents.
- OpenStreetMap for Confluence – A Forge app that allows embedding interactive maps into Confluence pages.
- OpenStreetMap for Jira – A Forge app that allows embedding interactive maps into Jira issues, dashboards, and projects.
This policy applies globally – our Apps are offered to customers in every jurisdiction, so this policy is written to satisfy major global privacy frameworks, including the European Union's GDPR, the United Kingdom's UK-GDPR, California's CCPA/CPRA, Brazil's LGPD, China's PIPL, Japan's APPI, India's DPDP Act, Indonesia's PDP Law, Russia's Federal Law No. 152-FZ, Canada's PIPEDA, Australia's Privacy Act, and other comparable regimes.
2. Information we do not collect or store
- We never retrieve, store, or transmit any end-user or company-level personal data (e.g., names, emails, employee IDs).
- File Renderers for Bitbucket reads file content directly from the Bitbucket repository at runtime solely to render the file preview. The content is processed in the browser and is not transmitted to, stored by, or accessible to Eulo Labs.
- We do not fetch or store any filenames, file history or committer information.
- We do not store your repository content, file names, or any other repository data outside of Atlassian's infrastructure.
- OpenStreetMap for Confluence: We do not access or store the content of your Confluence pages. We only store the configuration parameters for the map macro (location, zoom level, layer choice) within the page content itself.
- OpenStreetMap for Jira: We do not access or store the content of your Jira issues or projects. We only store the configuration parameters for the map gadget or issue panel (location, zoom level) as issue properties or app storage.
3. Information we do collect and where it lives
| Data element | Source | Purpose | Storage location | Retention |
|---|---|---|---|---|
| Operational logs (request IDs, error traces) | Forge runtime & PostHog API calls | Debugging, performance monitoring, security auditing | PostHog (third-party SaaS) | Retained for 1 year (Free tier) or 7 years (Paid tier) per PostHog standard policy |
| Analytics events (usage counts, feature activation) | Forge analytics (built-in) | Product improvement, roadmap planning | Atlassian Infrastructure (aggregated, no personal identifiers) | Aggregated forever; raw event logs are deleted after 90 days |
| Website analytics (page views, referrer, country) | Cloudflare Web Analytics (website only) | Understanding website traffic and improving user experience | Cloudflare (third-party SaaS) | Aggregated; no personal identifiers stored |
No personal identifiers (email, account identifiers, IP address) are stored permanently. Any temporary identifiers used for logging are hashed and discarded after the retention period noted above.
4. Legal basis (GDPR)
| Processing activity | Legal basis |
|---|---|
| Rendering file previews within Bitbucket (reading file content to display) | Performance of a contract – the user has explicitly installed the App and expects it to read and display file content. |
| Temporary logging for security and debugging | Legitimate interests – necessary to maintain the security, stability and reliability of the service. |
| Aggregated usage analytics | Legitimate interests – to improve the App and inform future development. |
| Website analytics via Cloudflare | Legitimate interests – privacy-friendly analytics (no cookies, no personal data collected) to understand website traffic. |
5. International data transfers
- All data that remains under our control stays within the Atlassian Cloud Infrastructure region selected by the customer (EU, US, APAC, etc.).
- OpenStreetMap for Confluence and Jira: Map tiles are loaded directly from public tile servers (OpenStreetMap, CyclOSM, Thunderforest, MapTiler) to your browser. Your IP address may be visible to these tile providers as part of the standard HTTP request to fetch the image. This is standard for any web-based map.
- Logs sent to PostHog are transferred to PostHog's infrastructure under the Standard Contractual Clauses (SCCs) that PostHog provides to its customers. No personal data is included in those logs.
- Cloudflare Web Analytics (website only) processes data globally under Cloudflare's data processing agreements and does not collect personal identifiers.
6. Data security
- All communications between the App and Bitbucket Cloud use TLS 1.3.
- Access tokens are stored only in memory and never persisted.
- least-privilege scopes – our Apps request only:
read:repository:bitbucket– Read-only access to repository content (File Renderers)read:confluence-content.all– Read access to display macro content (OpenStreetMap for Confluence)write:confluence-content– ability to insert/update the map macro on the page (OpenStreetMap for Confluence)read:jira-work– Read access to issue details (OpenStreetMap for Jira)write:jira-work– Write access to save map configuration to issues (OpenStreetMap for Jira)
- The App cannot modify, delete, or write to your repositories (Bitbucket), read unauthorized pages (Confluence), or access unauthorized issues (Jira).
- Regular security reviews are performed in line with industry-standard Marketplace Security Programs and the ISO 27001, ISO 27017 and SOC 2 certifications held by our third-party partners (PostHog, Cloudflare).
7. Your rights (GDPR & comparable laws)
| Right | How to exercise it |
|---|---|
| Access / Portability – obtain a copy of any data we retain about you | Send a request to [email protected]; we will export the data in JSON within 30 days. Note: we do not store personal data, so responses will confirm this. |
| Rectification – correct inaccurate records | Not applicable – we do not store editable personal data. |
| Erasure – delete all retained data and logs | Send a request to [email protected]; we will purge any identifiable logs and confirm completion. |
| Restriction – limit processing of your data | Uninstall the App from the Atlassian Marketplace; this stops further processing. |
| Objection – object to analytics | Contact us at [email protected] to discuss your concerns. |
| Complaint – lodge a complaint with a supervisory authority | You may contact the data-protection authority in your jurisdiction. |
8. Data retention
- App data: Our Apps do not store persistent user data. File content is processed in-browser at runtime only.
- Logs: Operational logs are automatically deleted after their retention period (1 year on Free tier; up to 7 years on Paid tiers).
- App uninstallation: Uninstalling the App stops all data processing immediately. Atlassian retains app installation records per their own policies.
9. Third-party processors
| Processor | Service | Why we use it | Link to their privacy notice |
|---|---|---|---|
| PostHog | Log aggregation & monitoring (App) | Error tracking, performance metrics | https://posthog.com/privacy |
| Cloudflare | Web Analytics (Website only) | Privacy-friendly website traffic analysis (no cookies, no personal identifiers) | https://cloudflare.com/privacypolicy/ |
| Atlassian | Forge hosting & Bitbucket Cloud | Runs the App in a secure, isolated Forge environment | https://atlassian.com/legal/privacy-policy |
| OpenStreetMap Foundation & Contributors | Map Tile Provider | Delivers the map images to your browser. | OpenStreetMap Foundation Privacy Policy |
| Thunderforest | Map Tile Provider | Delivers specialized map images to your browser. | Thunderforest Privacy Policy |
| MapTiler | Map Tile Provider | Delivers custom map images to your browser. | MapTiler Privacy Policy |
We have Data Processing Agreements (DPAs) with each processor that incorporate the EU-standard contractual clauses where applicable.
10. Cookies & tracking
Our Apps (within Atlassian/Bitbucket)
Our Apps do not set any cookies or use any tracking mechanisms. The Apps run entirely within the Atlassian Forge environment and do not deploy cookies, local storage, or fingerprinting techniques. We explicitly disable PostHog Session Replay features.
Note: Atlassian may set its own cookies as part of the Bitbucket Cloud experience. These are governed by Atlassian's Privacy Policy and are not controlled by Eulo Labs.
Our Website (eulo.dev)
We use Cloudflare Web Analytics on our public website. Cloudflare Web Analytics is designed to be privacy-friendly:
- No cookies – Cloudflare Web Analytics does not use cookies or client-side storage (such as localStorage).
- No fingerprinting – It does not fingerprint individuals via IP addresses, User Agent strings, or other persistent attributes.
- Aggregated data only – We receive aggregated statistics (page views, referrer sources, country-level location) with no personal identifiers.
Because Cloudflare Web Analytics does not use cookies, you will not see a cookie consent banner on our website for analytics purposes.
11. Data minimization commitment
In accordance with Atlassian's Marketplace data privacy guidelines and GDPR principles, we are committed to:
- Collecting only what we need – We request only the minimum permissions required for the App to function (read-only repository access for file preview).
- No unnecessary data collection – We do not collect data “just in case” it might be useful later.
- Prompt deletion – Logs are automatically purged after their retention period. We honor deletion requests promptly.
- Transparency – This policy clearly explains what data we collect, how we use it, and who has access.
12. Changes to this policy
Process for updating the policy
- Internal review – At least once per quarter the product team reviews the policy for regulatory or architectural changes.
- Versioning – Each amendment increments the “Effective Date” and adds a short change log at the top of the document.
- Marketplace notification – When the policy changes, the new version is uploaded to the App's Atlassian Marketplace listing.
13. Contact us
If you have any questions, wish to exercise your data-subject rights, or need clarification, please reach out to:
[email protected]