Privacy Policy
Last updated: May 27, 2026 (Forge-storage migration)
This Privacy Policy describes how Project Commander ("we", "our", or "the App") collects, uses, and protects information when you use our Jira Cloud app.
1. Information We Access
Project Commander is a planning and analysis app for Jira Cloud that provides capacity planning, delivery forecasting, sprint management, and AI-powered insights. To provide this functionality, the App accesses the following Jira data:
Jira Project Data
- Sprint information: Sprint names, dates, states, and goals
- Issue data: Issue keys, summaries, story points, time estimates (original, remaining, and time spent), status, assignees, issue types, priority, due dates, start dates, resolution dates, epic links, and dependency links (blocks / blocked-by)
- Board configuration: Board names and associated projects
- User information: Display names of Jira users (primarily issue assignees) for workload tracking
Configuration and App-Managed Data
Project Commander also stores content that you create or configure inside the App:
- Gadget and board settings (board selection, capacity limits, display preferences)
- Velocity tracking data from completed sprints
- Sprint snapshots used for scope-creep detection
- Team capacity configuration (per-member hours/week, utilization, time-off entries, holidays)
- Risks (strategies, owners, mitigation actions, rationales) and action items (assignees, due dates, notes)
- Retrospective notes and carry-over items
- Governance policies, portfolio project lists, and alert dismissals
- Per-user UI preferences and AI prompt-enrichment cache
- Your AI provider API key, if you configure one
2. How We Use Information
All data accessed by Project Commander is used solely to provide the App's functionality:
- Display sprint, issue, and team information in the App and dashboard gadget
- Calculate capacity utilization, workload distribution, and feasibility scores
- Track velocity metrics and scope changes from completed sprints
- Surface risks, alerts, and dependency conflicts across sprints and projects
- Run what-if scenarios, auto-leveling, and critical-chain analysis
- Generate retrospectives and action items from closed sprints
- Enable drag-and-drop issue management between sprints and inline editing of issue fields
- Power optional AI features (see Section 4) when you provide an API key
3. Data Storage
All App data is stored using Atlassian Forge's built-in storage, isolated to your Jira instance and scoped to your Atlassian account. No App content is held in browser local storage as a system of record.
- Jira Data: Project Commander does not copy or store your raw Jira data outside of Atlassian's infrastructure. All Jira data is accessed in real time through Atlassian's secure APIs.
- Configuration and analytics: Gadget settings, team capacity configuration, velocity history, sprint snapshots (used for scope-creep detection), and per-user UI preferences are stored in Forge storage.
- App-managed content: Risks (strategies, owners, mitigation actions, rationales), action items, retrospective notes and sprint carry-over items, governance policies, portfolio project lists, alert dismissals, and the AI prompt-enrichment cache are stored in Forge storage and follow your Atlassian account across devices.
- AI API key: If you configure an AI provider key, it is stored using Forge's encrypted secret storage (separate from regular Forge storage) and only retrieved server-side at the moment an AI request is dispatched.
Data Retention
App data persists until you uninstall the App or clear it through the App interface. Velocity history retains the last 10 completed sprints. Uninstalling the App removes all data stored in Forge storage, including App-managed content, configuration, snapshots, the AI API key, and the AI enrichment cache.
4. AI Features and Third-Party Providers
Project Commander includes optional AI-powered features. These features are disabled by default and only activate when you explicitly trigger them after providing your own API key. Current AI features include:
- Dashboard Insights — narrative analysis of the current project's state
- AI Chat — a project-aware planning assistant you can ask questions of
- AI Risk Suggestions — proposed risks generated from the project's data on the Risks tab
- What-If Analysis — AI-driven scenarios that translate a natural-language change ("what if we lose a developer for two weeks") into simulator adjustments
- Retrospective Summaries — auto-generated summaries for closed sprints
What is sent
When you trigger an AI feature, the App builds a project-context prompt and sends it to the AI provider you have configured. The prompt may include:
- Issue fields: keys, summaries, statuses, story points, time estimates, time spent, priority, issue types, assignee display names, due/start/resolution dates, dependency links (blocks / blocked-by), and epic links
- Sprint fields: names, states, start/end dates, and sprint goals (free text)
- Team and capacity context: member display names, hours per week, utilization, average velocity, time-off entries (member, dates, reason), and holiday entries
- Velocity history and computed metrics for the project
- For AI Chat: the message you typed plus the project context above
The prompt does not include full issue descriptions, attachments, issue comments, or your AI API key beyond the per-request header used to authenticate the call.
Some of the fields sent are free-text (notably sprint goals, time-off reasons, and your AI Chat messages) and may contain PII or confidential information depending on what your team writes in them. If that's a concern, review the provider's data-use terms before enabling AI features, or leave them off.
Which providers
- Anthropic (api.anthropic.com) — Claude AI models
- OpenAI (api.openai.com) — GPT models
- Google Gemini (generativelanguage.googleapis.com) — Gemini models
You choose which provider to use by supplying your own API key in Settings. Project Commander does not supply API keys on your behalf and does not have access to your key beyond passing it per-request to the selected provider.
Data handling by providers
Data sent to AI providers is subject to each provider's own privacy policy and terms. Project Commander does not log, store, or retain prompts or responses on its own servers. Responses are displayed in the App and discarded.
Opting out
AI features can be disabled entirely by removing your API key from Settings. If no API key is configured, no data is ever sent to any AI provider.
5. Data Sharing
Project Commander does not share, sell, or transfer your data to third parties, except as described in Section 4 (AI providers you explicitly configure).
6. Data Security
We implement security measures to protect your information:
- The Jira Cloud app runs entirely within Atlassian's secure Forge platform
- All API communications use HTTPS encryption
- API keys are stored using Forge's encrypted secret storage
- No Jira data is transmitted to our servers
- Access is controlled by your Jira permissions
7. Your Rights
You have the following rights regarding your data:
- Access: View all configuration, velocity, and App-managed content (risks, action items, retros, etc.) through the App interface
- Correction: Update your settings and App-managed content at any time through the App interface
- Deletion: Clear velocity data and App-managed content through the App where applicable. Uninstalling the Forge app removes all App data stored in Forge storage — configuration, velocity, snapshots, team capacity, risks, action items, retros, governance, portfolio data, alert dismissals, AI enrichment cache, and the AI API key.
- Portability: Your Jira data remains in Jira and is accessible through standard Jira exports. For App-managed content (risks, action items, retros), contact support@projectcommander.app if you need help exporting it.
8. Atlassian Marketplace
Project Commander is distributed through the Atlassian Marketplace. Atlassian may collect information about your use of the Marketplace and Apps. Please refer to Atlassian's Privacy Policy for details.
9. Children's Privacy
Project Commander is a business productivity tool and is not intended for use by children under 16. We do not knowingly collect information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of significant changes through the Atlassian Marketplace listing or the App interface. Continued use of the App after changes constitutes acceptance of the updated policy.
11. Contact Us