Feed the Troll - Jira Cloud App
Privacy & Security Policy
This policy describes how Feed the Troll handles data within your Jira Cloud instance. Effective date: March 2026 - Version 1.0.0.
Introduction & Scope
This Privacy and Security Policy governs data processed by Feed the Troll: Gamified Agile Companion (the “App”), a Jira Cloud application developed by drinkits DEV and distributed via the Atlassian Marketplace.
This policy applies to all end-users, project members, and Jira System Administrators who interact with the App within their organisation’s Atlassian Jira Cloud instance.
What the App Does
Feed the Troll gamifies your team’s existing Jira workflow. When team members log time, transition issue statuses, leave comments, complete sprints, or send peer kudos, the App awards XP to a personal “troll” character. Trolls level up, evolve through five stages, and collectively shape a shared team village. No new workflow is imposed - the App observes activity that already occurs inside Jira.
Data Storage (Forge Infrastructure)
All App data is stored exclusively in Atlassian Forge SQL - a TiDB-compatible managed database that runs entirely within Atlassian’s infrastructure. There are no external servers, no cloud buckets, and no off-platform databases of any kind.
What Is Stored and Why
| Table | Contains | Retention |
|---|---|---|
| `trolls` | Troll profile per user per project: level, XP, lineage, cosmetics, privacy toggles, streak, last active date | Until app uninstall |
| `xp_events` | Log of XP-awarding actions: event type, XP awarded, quality multiplier, source issue key, timestamp | Until app uninstall |
| `daily_activity` | Daily XP and action count per user per project - used for the 30-day activity heatmap | Until app uninstall |
| `kudos` | Sender ID, recipient ID, project ID, optional message (max 280 chars), XP awarded, source issue key | Until app uninstall |
| `quest_progress` | Personal quest progress: quest ID, current count, target, completion status, timestamps | Until app uninstall |
| `inventory` | Cosmetic items earned via quests: item type, item ID, acquisition source | Until app uninstall |
| `team_quests` | Team quest progress per project per sprint - no personal data | Until app uninstall |
| `villages` | Shared village state per project: building levels, defense score, prosperity score - no personal data | Until app uninstall |
| `raid_history` | Sprint raid outcomes per project: outcome, defense score, XP bonus, building affected - no personal data | Until app uninstall |
| `project_settings` | Feature toggle configuration per project; stores the account ID of the last administrator who changed settings | Until app uninstall |
| `global_settings` | Instance-wide settings (rollout strategy, Global Harmony Mode); stores admin account ID of last modifier | Until app uninstall |
On Uninstall
When the App is uninstalled from a Jira instance, the Forge platform automatically deletes all associated Forge SQL data. No data remains on any infrastructure we control.
What Data We Process
The App processes the minimum data necessary to deliver the gamification experience. The following describes precisely what is read from Jira and what is derived and stored.
Data Read from Jira (Not Stored)
To detect XP-awarding events, the App receives event notifications from Jira containing:
- Jira Account ID - the Atlassian-assigned opaque identifier for the user who performed the action (e.g. `5f7a3b...`). This is not a name or email address.
- Project ID - to associate the event with the correct village.
- Event type and timestamp - what happened (e.g. a worklog was created) and when.
- Issue key - the Jira issue identifier (e.g. `PROJ-42`) stored alongside the XP event for the activity log.
- Sprint completion data - percentage of sprint goal achieved, used to calculate quality multipliers for the sprint-complete XP event.
Jira API Scopes Requested
The App declares the following Forge permission scopes in its manifest. No other scopes are requested.
The App does not request write access to Jira issues, attachments, users, or any other Jira content. All write operations are limited to the App’s own Forge SQL storage.
User-Controlled Visibility
Each user controls what teammates can see via five privacy toggles in Troll Settings → Privacy. These settings do not affect data storage - they only govern what is displayed to other users within the App.
| Setting | Default | Governs visibility of |
|---|---|---|
| Show my troll in village | ON | Your troll appearing in the shared team village scene |
| Show my level to team | ON | Your level on the village leaderboard |
| Show my streak to team | OFF | Your consecutive active-day streak count |
| Show my XP details to team | OFF | Your total accumulated XP |
| Allow kudos from teammates | ON | Whether others can send you kudos |
GDPR & Data Rights
For organisations with users in the European Union or European Economic Area, this section describes the GDPR framework governing the App.
Controller and Processor Roles
Your organisation (the Jira Cloud customer) is the Data Controller: you determine the purpose and means of processing personal data by choosing to install and configure the App within your Jira instance.
drinkits DEV acts as a Data Processor operating through Atlassian’s Forge platform. We process only the data necessary to deliver the App’s stated functionality, in accordance with your instructions as expressed through the App’s configuration.
Individual Data Rights
The following rights are available to data subjects. Because the App stores only Atlassian Account IDs (not names or email addresses), identity verification is handled via Atlassian’s existing authentication.
■ Right to Access
View your troll profile, XP history, quest progress, and activity heatmap directly in the App (Troll Settings). Contact us for a complete data export.
■ Right to Erasure
Atlassian’s standard User Deletion APIs propagate to Forge SQL, removing your records when your Atlassian account is deleted. You may also contact us directly to request erasure of your troll data only.
■ Right to Portability
Contact us via the support portal to request a structured export of your personal troll data in a machine-readable format.
■ Right to Restrict
Use the five privacy toggles in Troll Settings to restrict the visibility of your data to teammates. For full processing restriction, contact us or ask your Jira System Administrator to remove your troll profile.
Data Retention
Data is retained for as long as the App is installed and active in your Jira instance. There is no automatic expiry of individual records during an active installation. Upon uninstall, all Forge SQL data is deleted automatically by the Atlassian platform with no further action required from you.
International Transfers
The App does not transfer data across borders independently. Any geographic placement of data is determined by Atlassian’s infrastructure and your organisation’s Jira Cloud region selection, and is governed by Atlassian’s Data Processing Addendum and Standard Contractual Clauses where applicable.
CCPA (California)
We do not sell personal information as defined under the California Consumer Privacy Act. California residents have the right to know what data is collected (this policy), to request deletion (contact us or uninstall the App), and to opt out of sale (not applicable - no sale occurs).
Contact Us
For any privacy or security question, request, or concern related to Feed the Troll, contact us through one of the following channels:
| Channel | Details |
|---|---|
| Email | [email protected] |
| Support Portal | drinkits.atlassian.net/servicedesk - preferred for formal data subject requests |
| Response time | Within 5 business days for general enquiries; within 30 days for formal data subject requests under GDPR |
| Security disclosures | Mark your support ticket or email as Security Issue for priority handling |
Policy Updates
We will update this policy when the App’s data practices change. Material changes will be announced via the Atlassian Marketplace changelog. The effective date at the top of this page will reflect the most recent revision.