Privacy Policy
Last updated: June 2026. This policy explains how GumStory handles your data, including the rights you have under the EU/UK General Data Protection Regulation (GDPR).
1. Who we are (data controller)
GumStory is operated by Plainmoss, 55 Bestdesk Cove, 2nd Floor, Jaipur, Rajasthan, 302015, India. For any privacy question or to exercise your rights, contact us at support@gumstory.com.
Plainmoss is the data controller for account and marketing data. When you use GumStory to manage your own team's work items, tests, and projects, Plainmoss acts as a data processor on your behalf for that content (see section 9).
2. Data we collect
- Account data: email address, and name, username, job title, or company if you provide them; hashed password (for password sign-in); sign-in provider identifiers if you use Google or Microsoft.
- Content you create: projects, work items, test cases, test runs, comments, attachments, and related activity.
- Jira (Atlassian) data: OAuth tokens and a row-level mirror of issues you fetch (see section 3).
- Billing data: if you subscribe, our payment processors handle your card/UPI details; we store subscription status, invoices, and tax identifiers, not full card numbers.
- Technical data: data needed to operate the service securely, such as session cookies, IP address (for rate limiting and abuse prevention), and basic logs.
- Guest demo sessions: if you explore without signing up, we create a temporary anonymous account so your demo edits persist in your browser. It holds no personal details unless you choose to register.
3. Jira (Atlassian) data
If you connect Jira, you sign in with Atlassian and authorize GumStory through OAuth. GumStory calls Atlassian's APIs only to provide features you use (for example: listing projects, reading issues for dashboards, and creating or updating work items when you request it).
To run those features reliably and to limit how often GumStory calls Jira, GumStory stores a row-level mirror of issues you have fetched (for example issue key, summary, status, type, priority, assignee, and timestamps) in the GumStory database, tied to your project. The Overview dashboard reads from that mirror; refreshing, or opening certain views, updates it from Jira. That data is used only to operate GumStory for you. GumStory does not sell Jira content or use it for unrelated advertising profiles.
Atlassian remains the source of truth for your Jira data. You can disconnect access by revoking the app in your Atlassian account and/or removing the connection in GumStory; use the contact page if you need help deleting associated data stored by GumStory.
Your use of Jira is also governed by Atlassian's terms and privacy policy.
4. Why we use it and our legal basis
Under the GDPR we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): to create your account, run the app, sync Jira, and process subscriptions you buy.
- Legitimate interests (Art. 6(1)(f)): to keep the service secure, prevent abuse and spam, apply rate limits, and improve GumStory. We balance these against your rights.
- Consent (Art. 6(1)(a)): for any optional communications you opt into. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): to keep tax and invoicing records where the law requires it.
We do not sell your personal data, and we do not use it for third-party advertising.
5. AI features
Some features (for example the work assistant, quick create, and project insights) send the text you submit, and the relevant work items, to a third-party AI provider (currently OpenRouter, which routes to model providers) to generate drafts and summaries. This content is processed only to return your result. We do not permit this content to be used to train third-party models, and we do not send it for advertising. Avoid pasting sensitive personal data into AI inputs.
6. Service providers (sub-processors)
We share data only with providers that help us run GumStory, under contracts that require them to protect it:
- Vercel — application hosting and content delivery.
- Supabase — managed PostgreSQL database.
- Upstash — rate limiting and caching.
- Email delivery provider — transactional email (sign-in links, invoices, notifications).
- OpenRouter — AI features described above.
- PayPal and Razorpay — payment processing for subscriptions.
- Google and Microsoft — optional single sign-on, if you use it.
- Atlassian — Jira sync, if you connect it.
We may update this list as our infrastructure changes. Email support@gumstory.com for the current list at any time.
7. International data transfers
We are based in India and our providers may process data in the United States, the EU/EEA, and other countries. Where data is transferred outside the EEA or UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum) with those providers.
8. Data retention
- Account & content: kept while your account is active. When you close your account, your profile and sign-in details are removed; work you contributed to shared projects may remain (de-identified) so teammates can keep using those projects.
- Anonymous guest demos: automatically deleted after a short period of inactivity (about 7 days) unless you register.
- Jira mirror & OAuth tokens: removed when you disconnect Jira or delete personal data.
- Billing & tax records: retained as long as required by applicable law.
- Logs: kept only as long as needed for security and troubleshooting.
9. Data processing for business customers
If you use GumStory to manage your organization's work, you are the controller of that content and Plainmoss is your processor. We offer a Data Processing Addendum (DPA) for business and team customers, available on request at support@gumstory.com.
10. Security
We apply industry-standard measures to protect your data. Passwords are hashed, OAuth tokens are stored securely, and access is restricted. No method of transmission or storage is 100% secure, but we work to protect your information and to notify you and the relevant authority of a data breach where the law requires.
11. Your rights
Subject to applicable law, you have the right to access, correct, delete, export (portability), restrict, and object to the processing of your personal data, and to withdraw consent at any time.
- Access & export: download a copy of your data from Settings → Account → Download my data.
- Correction: edit your profile in Settings → Profile.
- Deletion: use Settings → Account or the account & data deletion guide.
For any other request, email support@gumstory.com and we will respond within 30 days. If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection supervisory authority.
12. Cookies
GumStory uses only essential cookies needed to sign you in and run the app (for example your session and workspace cookies). We do not use advertising or third-party analytics cookies, so no cookie consent banner is required.
13. Children
GumStory is a workplace tool and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact support@gumstory.com and we will delete it.
14. EU/EEA representative
Plainmoss is established outside the EU/EEA. Where Article 27 of the GDPR requires it, we will designate a representative in the EU/EEA; until then, EEA and UK users can reach us directly at support@gumstory.com for any data protection matter.
15. Changes
This policy may be updated from time to time. For material changes, GumStory will make reasonable efforts to notify users. Continued use after an update constitutes acceptance.