Privacy Policy of OneNote to Confluence
We are very delighted that you have shown interest in our product “OneNote to Confluence” and our enterprise. Data protection is of a particularly high priority for the management of the Winter und Gellweiler – Software Engineering GbR aka. CraftCoders (hereinafter referred to as “we” or “CraftCoders”).
This document only applies to the Cloud version of the “OneNote to Confluence” app.
The processing of personal data, such as the name, address, email-address, or telephone number of a data subject shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable to CraftCoders. By means of this privacy policy, our enterprise would like to inform the Data Subjects of the nature, scope, and purpose of the personal data we collect, use and process. Furthermore, Data Subjects are informed, by means of this privacy policy, of the rights to which they are entitled.
Our data privacy policy is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Terms used in this privacy policy shall have the meaning as defined in the GDPR.
As the controller, CraftCoders has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed. However, internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed.
All our infrastructure needed to run “OneNote to Confluence” is hosted on the Atlassian Forge Platform. Our product integrates with Confluence Cloud, a product by Atlassian. Pty Ltd (hereinafter referred to as “Atlassian”) and uses services provided by Atlassian.
1. Name and address of the controller and the data protection officer
Controller for the purposes of the GDPR, other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:
Winter und Gellweiler – Software Engineering GbR
Alter Schlachthof 39 D2
76131 Karlsruhe
Germany
phone: +49 721 95944575
email: mail@craftcoders.app
Our data protection officer is available at:
Jan Hendrik Winter
Alter Schlachthof 39 D2
76131 Karlsruhe
Germany
phone: +49 721 95944575
email: dpo@craftcoders.app
2. Collection of general data and information
If you acquire a License of our product “OneNote to Confluence”, Atlassian will provide us with transaction details. These transaction details will be stored and processes by us. If Atlassian processes data on its own behalf, Atlassian acts as controller. Further information about the privacy policy of Atlassian can be accessed here: https://www.atlassian.com/legal/privacy-policy#what-this-policy-covers.
The servers of Atlassian collect a series of general data and information when you use our services. This general data and information is stored in the server log files. This information is needed to (1) deliver the content of our plugin correctly, (2) optimize the content of our plugin, (3) ensure the long-term viability of our information technology systems and plugin technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack.
When using these general data and information, we do not draw any conclusions about you. This information is needed to (1) deliver the content of our plugin correctly, (2) ensure the long-term viability of our information technology systems and plugin technology, and (3) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, we analyse anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process.
We process this data on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR. Our legitimate interests correspond to the stated processing purposes.
3. OAuth Connection with Microsoft
When you authorize our app using the OAuth protocol, we obtain a token from Microsoft that grants access to specific resources within your Microsoft account. This token allows us to securely access and retrieve your OneNote data without requiring your password. The information collected during this process includes your Microsoft user ID, the authorization token, and the permissions granted to our app.
This information is used to provide the core functionality of our app, enabling it to access and synchronize your OneNote data with Atlassian Confluence. All data is processed and stored within the Atlassian Forge environment. This data processing is necessary to fulfill our contractual obligations to you (Art. 6 para. 1 lit. b) GDPR) and is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR. Our legitimate interests correspond to the stated processing purposes.
If you revoke the authorization or uninstall the app, the token and related information will no longer be used or accessed.
4. Retrieving OneNote Data
Our app retrieves data from your OneNote notebooks through the Microsoft Graph API. The data accessed includes notebook titles, section titles, page titles, page content, and associated metadata such as creation and modification dates.
This information is necessary to synchronize your OneNote content with Atlassian Confluence, ensuring that your notes are accurately reflected in your Confluence instance. We process this data to fulfill a contract with you (Art. 6 para. 1 lit. b) GDPR) and based on our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR. Our legitimate interests correspond to the stated processing purposes.
Within the Forge platform, we store a metadata object for each sync rule. This object includes the title, ID, timestamp of last sync of the notebook, its sections, and pages.
We do not permanently store your OneNote data; it is retrieved and processed within the Atlassian Forge environment and then discarded after synchronization.
5. Retrieving Confluence Information
Our app accesses information from your Atlassian Confluence instance to identify the target spaces and pages where your OneNote content will be synchronized. The data accessed includes space IDs, page IDs, and summaries of existing content to ensure accurate synchronization.
This information is used to manage and apply the synchronization rules you configure, ensuring that your OneNote content is correctly mapped to the appropriate locations within Confluence. We process this data to fulfill a contract with you (Art. 6 para. 1 lit. b) GDPR) and based on our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR. Our legitimate interests correspond to the stated processing purposes.
All data processing occurs within the Atlassian Forge environment, and we do not store any Confluence information on our own servers.
6. Legal basis for the processing
Art. 6 para. 1 lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose.
If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6 para. 1 lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services.
If we are subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6 para. 1 lit. c GDPR.
In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6 para. 1 lit. d GDPR.
Finally, processing operations could be based on Article 6 para. 1 lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of you which require protection of personal data.
7. Period for which the personal data will be stored
We store your personal data only as long as this is necessary for the fulfilment of the processing purposes or – in the case of consent – as long as you have not withdrawn your consent. In the event of an objection, we will erase your personal data unless its further processing is permitted under the relevant legal provisions or your personal data is not identifiable any-more as we have already anonymized it. We also erase your personal data if we are obliged to do so for legal reasons. If and as long as there are legal storage obligations, we will only erase the personal data after the relevant periods have expired.
8. Automated decision-making
We do not use automatic decision-making or profiling.
9. Your rights as a data subject
As a data subject, you have numerous rights under the GDPR. In detail, these are:
- Right of access: You have the right to obtain information about the personal data we have stored about you.
- Right to rectification and erasure: You can request that we correct incorrect personal data and erase your personal data.
- Restriction of processing: You can request that we restrict the processing of your personal data.
- Data portability: If you have provided us with per-sonal data on the basis of a contract or consent, you may request that we send you the personal data you have provided in a structured, common and machine-readable format or that we transfer it to another controller.
- Right to object to data processing on the legal basis of „legitimate interest“:
You have the right to object to our processing of your personal data at any time with future effect on grounds relating to your particular situation, insofar as this is based on the legal basis of “legitimate interest”. If you exercise your right to object, we will cease processing your personal data, unless we can demonstrate compelling legitimate grounds for further processing that override your rights. However, if you object to such processing of personal data, you will not be able to use our services anymore (which may also have an effect on your contractual relationship with your employer or corporate partner).
- Withdrawal of consent: If you have given us consent to process your personal data, you can with-draw this consent at any time with effect for the future. The lawfulness of the processing of your personal data until the withdrawal remains unaffected.
- Right to lodge a complaint with a supervisory authority: You can also lodge a complaint with a competent supervisory authority if you are of the opinion that the processing of your personal data violates applicable law. To do this, you can, e.g., contact the data protection authority competent for your place of residence or the data protection authority competent for us in Baden-Württemberg:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit, Königstraße 10a, 70173 Stuttgart;
phone: +49 (0) 711 / 615541-0
fax: +49 (0) 711 / 615541-15
mail: poststelle@lfdi.bwl.de.
Exercising any of your rights mentioned above is subject to legal prerequisites and, in certain circumstances, your rights may be limited due to legal exceptions set out, in particular, in Art. 17 para. 3 and 22 para. 2 GDPR.
If you have any questions on the processing of your personal data, your data subject rights and any consent you may have given, you can contact us free of charge. Should you have any questions relating to your rights or their limitations, please feel free to contact any of our employees.
10. Changes to this privacy policy
From time to time it may be necessary to amend the content of this privacy notice. We therefore reserve the right to change it at any time. We will also publish the amended version of the privacy notice. The current version of our privacy notice applies at the time of your use of our services.
Version: 1; Date: 01.07.2024