Privacy Policy — Invisible Work Risk Index (IWRI)
Last updated: 20 April 2026
Effective date: 20 April 2026
This Privacy Policy describes how the Invisible Work Risk Index Atlassian Forge app ("IWRI", "the app", "we", "our") handles information when installed in your Atlassian Cloud environment.
1. Who we are
IWRI is developed and maintained by Ayman Idris (sole developer, ABN 59 540 661 752), operating in Australia.
- Developer contact: idrisayman88@gmail.com
- ABN: 59 540 661 752
- App name: Invisible Work Risk Index
- Platform: Atlassian Forge (Jira Cloud)
2. How IWRI is hosted
IWRI is built on the Atlassian Forge platform. This means:
- All code runs on Atlassian-hosted infrastructure (AWS, managed by Atlassian).
- All data the app processes or stores remains within your Atlassian Cloud tenancy.
- We, the developer, never receive, see, or store any of your Jira data on our own servers. We do not operate any external database, analytics pipeline, or backend outside of Atlassian's infrastructure.
- The app makes no external network calls to any third party.
Atlassian's own privacy, security, and data residency practices apply to all data processed by the app. See the Atlassian Trust Center and Atlassian Privacy Policy for details.
3. What data the app accesses
IWRI requests the following read-only permissions (scopes) to compute workflow risk scores:
| Scope | What it permits |
|---|---|
read:project:jira | Read Jira project metadata (name, key, lead) |
read:jira-work | Read issues, changelog, workflows |
read:jira-user | Read user profiles referenced by issues (display name, avatar) |
read:board-scope:jira-software | Read Scrum/Kanban board configurations |
read:sprint:jira-software | Read sprint metadata (start date, end date, state) |
storage:app | Store computed risk scores within the app's own storage |
The app is read-only for all Jira data. It does not create, modify, or delete issues, sprints, projects, users, or any other Jira entity.
4. What data the app stores
IWRI stores only derived, aggregate metrics in Atlassian Forge Key-Value Storage (@forge/kvs). Specifically:
- Per-project computed risk scores and category flags (numerical values and short enum labels)
- Configuration settings chosen by an administrator (e.g. computation frequency)
- Small internal metadata (last computation timestamp, job status)
The app does not store:
- Issue summaries, descriptions, comments, or attachments
- User personal information (emails, names, avatars)
- Sprint names, issue keys, or any identifiable Jira content beyond numerical aggregate scores per project
All stored data resides within Atlassian's Forge storage for your Atlassian Cloud instance and is subject to Atlassian's data residency guarantees.
5. How data is used
Data accessed by the app is used solely to:
- Compute the Invisible Work Risk Index score and category flags for Jira projects in your organisation.
- Display those scores within the app's interface in your Jira instance.
- Recompute scores on the schedule chosen by your administrator.
Data is never:
- Sold to third parties
- Used for advertising or marketing
- Shared with any party other than Atlassian (as the platform host)
- Used to train machine learning or AI models
6. Data retention and deletion
- While the app is installed: computed scores remain in Forge storage until overwritten by the next computation or deleted by an administrator.
- When the app is uninstalled: Atlassian's Forge platform automatically purges all app-managed storage in accordance with the Atlassian Forge data deletion policy. No action from the developer is required.
- Right to deletion: to request deletion of stored data at any time, uninstall the app from your Jira instance, or contact the developer at the email address below.
7. Subprocessors
IWRI has exactly one subprocessor: Atlassian Pty Ltd, which hosts the Forge platform on which the app runs. No other subprocessors are used.
8. Security
- All code runs inside the Atlassian Forge sandbox, which enforces strict runtime isolation.
- The app makes no egress calls; no external fetch domains are declared in the manifest.
- Credentials and tokens are managed by the Atlassian Forge runtime; the developer never handles or stores OAuth tokens directly.
- The developer follows secure coding practices and runs
forge lintbefore every deployment.
9. Your rights (GDPR, CCPA, Australian Privacy Act)
Because the developer does not hold any personal data outside of the Atlassian platform, data subject rights (access, rectification, erasure, portability) are most directly exercised through Atlassian's own data subject request process, or by uninstalling the app.
You may also contact the developer directly at idrisayman88@gmail.com for any privacy-related question.
10. Children's privacy
The app is designed for workplace use and is not directed at children under 16. The app does not knowingly collect any information from children.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the app's Atlassian Marketplace listing and will be reflected by an updated "Last updated" date at the top of this document.
12. Contact
Questions, concerns, or data requests:
Ayman Idris (ABN 59 540 661 752)
Email: idrisayman88@gmail.com