Skip to content
Wayflare

Privacy Notice — Leaver Cleanup & Owner Reassignment for Jira

Effective date · 8 June, 2026Last updated · 8 June, 2026

This notice explains what the Leaver Cleanup & Owner Reassignment for Jira app (the "App"), published by Wayflare OÜ on the Atlassian Marketplace, does with personal data. It is specific to this App and is the privacy policy referenced from the App's Marketplace listing. The Wayflare OÜ general privacy policy does not cover this App; this notice and the App's data processing agreement govern it.

The App Runs on Atlassian: it operates only on Atlassian-hosted compute and storage and sends nothing to Wayflare OÜ or any third party. Wayflare OÜnot Atlassian — is responsible for the privacy, security, and integrity of the data this App processes.

See also the App's data processing agreement and security & data handling page.

  • App: Leaver Cleanup & Owner Reassignment for Jira
  • Provider: Wayflare OÜ (Estonia)
  • Registered office: Pärnu mnt 141, 11314 Tallinn, Estonia
  • Estonian registry code (registrikood): 17495514
  • Contact: info@wayflare.eu

1. Who controls the data, and our role

The Jira site administrator (your organisation) decides which departed user to act on and which active user to reassign their content to. In data-protection terms, your organisation is the controller and Wayflare OÜ is a processor acting on your administrator's documented instruction — the configuration and use of the App. We do not decide why, on whom, or when the App is used.

2. What the App processes, and where it comes from

To do its job, the App processes:

  • Atlassian account identifiers (accountId) of the departed user, the reassignment target, and the administrator who runs the App;
  • references to the items being reassigned (issue, filter, component, and project identifiers, names, and types);
  • the outcome of each reassignment (succeeded / already at target / failed, with a reason); and
  • timestamps.

The App obtains this data from your organisation's Jira instance, not from the individual users. Display names are fetched live only when needed — to show the candidate list and to label the evidence export — and are not stored by the App. The App does not process issue content, attachments, comments, or worklogs; it does not profile users; and it does not use the data for advertising or any purpose other than the reassignment you requested.

3. Lawful basis

Because your organisation is the controller, the lawful basis for the processing is your organisation's to determine — typically a legitimate interest in offboarding and administering your own Jira site. Your organisation is responsible for ensuring it has a lawful basis to reassign the departed user's content.

4. Where the data lives, and who can access it

  • The App stores data only in Atlassian-hosted Forge storage and matches your site's data residency: for a Jira site pinned to the EU, the App's stored data is held in Atlassian's Europe (Frankfurt and Dublin) regions. Residency follows your Atlassian instance's setting, which your organisation controls; we cannot independently guarantee a particular region.
  • The App has no external egress — it declares no outbound network access, so it does not send data to Wayflare OÜ's servers or to any third party.
  • The only sub-processor Wayflare OÜ engages for this App is Atlassian (which hosts the compute and storage); Atlassian in turn relies on its own infrastructure sub-processors under the Forge Data Processing Addendum. None of the sub-processors listed in our general privacy policy for our other products apply to this App.
  • Wayflare OÜ staff do not have access to your instance's data through the App.

5. Retention and deletion

  • Per-change records carry a 90-day retention and age out automatically. (This is a processor-proposed default; a controller that needs a different period can raise it with us.)
  • An administrator can erase a run's records on demand after exporting the evidence.
  • When the App is uninstalled, it makes a best-effort erase of its records, and Atlassian purges the App's hosted storage.
  • On Atlassian's personal-data reporting cycle, if a user's Atlassian account is closed, the App erases that user's stored identifiers when Atlassian notifies it. Because records are organised per reassignment run, this removes the records of any run in which the closed account appeared in any role, which may include records concerning other users in the same run. (Account closure is the permanent deletion of an Atlassian account — distinct from merely deactivating a user, which is the everyday leaver case the App is built for and which does not by itself trigger erasure.)

6. Your rights

Under the GDPR and similar laws, individuals have rights over their personal data — access, rectification, erasure, restriction of processing, objection, and portability — and the right to lodge a complaint with a supervisory authority. Because Wayflare OÜ acts only as a processor on your administrator's instruction, these rights are exercised against your organisation (the controller) — usually your Jira administrator — and Wayflare OÜ assists the controller in responding, as GDPR Article 28 requires. In practice: an administrator can erase a run's records on demand; the per-change records also age out after 90 days; uninstalling the App purges its stored data; and a closed Atlassian account's identifiers are erased on the reporting cycle. The underlying content lives in Jira itself, where your administrator and Atlassian's own data-subject processes apply.

Wayflare OÜ's lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, Estonia, www.aki.ee. You may also complain to the supervisory authority in your own country.

7. The evidence export

The App can produce a closure-evidence export (a CSV) describing the changes it made; display names are re-fetched at export time and are not stored. Once your administrator downloads that file, it leaves the App's control: storing and disposing of the downloaded file appropriately is your organisation's responsibility as the controller.

8. Data Processing Agreement

Because the App processes your users' identifiers on your instruction, Wayflare OÜ acts as your processor. Our Data Processing Agreement sets out the GDPR Article 28 terms and is entered into when your organisation accepts the App's end-user terms on installation.

9. Changes

If this notice changes materially, the updated version will be published here and on the App's Marketplace listing with a new date.

Contact

Wayflare OÜ
Pärnu mnt 141, 11314 Tallinn, Estonia
Registry code (registrikood): 17495514
Email: info@wayflare.eu