filter Filter Blog

ThinkTilt News

An Update on Protecting Your Privacy

by Simon Herd on December 13, 2018

ThinkTilt has recently updated it’s privacy policy and Terms of Use and we thought this would be a good time to pass on some reassuring information on how we handle data privacy.


ProForma Forms & Custom Fields for Jira


Principles of Data Privacy

In guiding our practices related to data privacy, we follow a these guiding principles:

  • Minimize
    Where possible we always avoid collecting personal information. Where we do need to collect information, we always ensure we know where the information is stored and minimize the number of systems it is stored in. For example, our analytics data contains no personal information. 

  • Transparency
    We believe in being transparent about how we use data. When possible, we capture analytics data through the browser so you can see for themselves what we are capturing (and opt out if you prefer). We list all of the systems we use for data capture/management, as well as how and why they are used, in our Privacy Policy. 

  • Respect
    We respect your preferences by honoring the Do Not Track setting in individual browsers and by allowing Server customers to turn off all anonymous analytics. Cloud customers can contact us to opt out of our analytics.

  • Support 
    We allow everyone who interacts with us or our products to have their information deleted, updated or to access their data. By maintaining good data hygiene and auditing which systems hold which data, we can respond to these queries relatively quickly. 

  • Compliance
    We believe we are compliant with GDPR. We have updated our Privacy Policies and incorporated a Data Processing Agreement and the Model Contract Clauses for data transfer into our standard terms for EU customers.

Types of Data

We use five broad categories to think about data:

  • Customer Data
    Our app, ProForma, allows teams to create forms for Jira. Thus, there are two types of customer data; the design of the forms and the data users enter into the forms. With the exception of form names, we avoid holding Customer Data. We never see customer data for Server customer. For cloud customers, Customer Data momentarily passes through our servers in order to be rendered in the browser, however this data is only held momentarily in our servers' memory.


  • Organization Data
    Organizational data includes our business records, customer support requests, the emails we receive, and other material we maintain to manage our business. We are under legal obligations to keep appropriate business records, typically for seven years. We keep this data in secure systems and whenever possible we delete any extraneous attachments.

  • Usage Data
    Capturing information on specific actions customers take within our app allows us to improve our product. Seeing which features are most utilized and at which points customers find the app confusing drives future development decisions.  Our usage data is collected through and does not include personal information. It does include the name of the ProForma forms and the license number for the organization. We have modified the Segment library to ensure that all events tracked through Segment are anonymous. For example, we ensure that IP addresses are not recorded and individual users are tracked using an anonymized account-id.

  • Communications Data
    This is the data that’s most likely to contain personal information. We collect names, email addresses, and occasionally phone numbers and/or job titles from customers we meet at Atlassian Summit, from our update requests submitted via our webpage and also through the contact details Atlassian provides us as part of each license issued in the Marketplace. 

    We use this information to send out updates about our app and to inform customers of changes to our policies or terms of service. Note that we only hold data that people have consented to give us, or where we have legitimate purpose to hold them (e.g. the admin contact for our app who we need inform about changes to our product or policies). We only communicate in relation to our apps. We do not use this data for general marketing. 

  • Analytics and Advertising Data
    We use data from Google Analytics and other tools to measure how much traffic we are getting to our public facing websites. This information informs our decisions about future blog topics. We also use various advertising systems, such as Facebook, LinkedIn, and Google Ads to raise awareness about our app and the solutions we provide.  Most of our public facing websites (but not our Atlassian Marketplace Apps) include ad tracking code, so that we can track the effectiveness of our advertising campaigns.


Auditing, Cleaning & Deleting Data

Periodically, we comb through are systems to ensure that we only have the data we need. This generally entails three steps:

  • Auditing the Data
    We maintain a record of all the systems where data is stored, including the types of data held in each system. Each system is categorized based on the type of data and the impact that a data breach would have. We conduct periodic reviews of these systems and monitor who has access. 

  • Cleaning the Data
    There are times when our processes require extra scrutiny and clean up. We may make a local copy of data in order to better analyze it, but we make sure every computer has an encrypted file system before downloading this data.  We then ensure we clean up afterwards. We also closely monitor any integration tools, configuring them not cache/log any processes that include personal data.

  • Delete the Data
    We are committed to deleting data that we don’t need. As part of our auditing process, we set an age limit on our records, dependent on their data type, and delete personal information once it is no longer required.


Best Practices for Data Security

ThinkTilt staff engage in day to day practices to ensure that all data is kept secure. These include:

  • Two factor authentication;
  • 1Password for storage of common passwords;
  • Tightly controlling who has access to specific projects, production servers and other sensitive systems;
  • Ensuring that all devices used by our team are encrypted and that team members practice good password management;
  • Ensuring that all team members and contractors understand their confidentiality/NDA obligations;
  • Carefully vetting all third party services we integrate with.

Finally, recognizing that an ounce of prevention is worth a pound of cure, we do our best to prepare for things going wrong. This includes having written procedures for responding to incidents and data breaches.  We also make sure to carry more than adequate insurance coverage, so that should a breach happen, we will have the resources we need to handle the notification process.

We are committed to protecting your data and earning your trust. Please contact us if you have any questions or concerns about how we handle your data.