Privacy Policy

Privacy policy for Confluence Health Check.

This document describes the current product behavior reflected in this repository. It should be reviewed before Marketplace publication so the published listing, support contact, and any legal terms stay aligned with the live service.

1. Scope

Confluence Health Check is a read-only Forge app for Confluence Cloud. It scans Confluence spaces and pages, computes documentation-health scores, and presents the results in a dashboard. The app does not modify Confluence content.

2. Data We Process

To provide the scan, dashboard, and export features, the app may process:

• workspace identifiers such as tenant, space, and page identifiers,
• page metadata such as titles, URLs, timestamps, labels, and derived issue counts,
• link data extracted from page bodies for broken-link and orphan detection,
• configuration values saved by administrators in the settings screen,
• limited user-related identifiers such as Confluence account IDs when needed for diagnostics during a scan lifecycle.

The app is intentionally designed to avoid storing unnecessary personal data. As documented in the architecture and data-model docs, user-related identifiers are treated as personal data and are cleared after the relevant completed scan lifecycle when they are no longer needed.

3. How We Use Data

We use processed data only to:

• fetch and analyze Confluence content health signals,
• store scan results and configuration needed to render the dashboard,
• generate CSV exports requested by the customer,
• diagnose and remediate operational issues affecting the app.

We do not use app data for advertising, profiling, or sale to third parties.

4. Storage and Retention

The app uses Forge-hosted storage:

• Forge SQL stores scan results and related derived records.
• Forge KVS stores configuration and transient scan state.

Retention and cleanup controls are implemented in the product:

• scan-lifecycle cleanup prunes stale rows and deleted-page data,
• transient scan state is reconciled during scanner lifecycle handling,
• tenant uninstall/offboarding follows the documented purge process in docs/TENANT_OFFBOARDING_PLAYBOOK.md.

5. Sharing and Subprocessors

The app runs on Atlassian Forge and relies on Atlassian-hosted platform services for execution and storage. Data is not intentionally shared with unrelated third parties as part of normal product operation. The current Marketplace release does not declare Forge outbound external-fetch permissions, so the shipped runtime does not perform arbitrary outbound URL probing. Any future egress-enabled release must go through a separate security and privacy review before that behavior is advertised or enabled.

6. Security and Access

The app is designed around least privilege:

• the manifest is limited to read-only Confluence scopes plus app storage,
• scanner and export paths are covered by threat-model and test-enforced controls,
• operational incident handling and escalation procedures are documented in the runbook set.

See docs/SECURITY_STATEMENT.md for the product security summary.

7. Customer Requests

Customers can use the support channel published in the Marketplace listing to request support, ask privacy questions, or coordinate tenant offboarding and data-deletion workflows.

8. Policy Updates

This policy should be updated whenever the app’s data flows, storage behavior, or Marketplace-facing commitments change.