Privacy Policy
OneNote Reports for Jira is operated by Crosstown Tech. This page describes what data the app processes when you install it on a Jira site, connect a Microsoft account, and run scheduled exports to OneNote.
What we collect
- Atlassian identifiers. Installation ID, app ID, Jira cloud ID, and the account ID of the user creating each report. We don't store your email, display name, or any Jira-side profile fields.
- Report configuration. Report name, JQL query, OneNote notebook and section IDs, column selections, schedule. Stored per-user.
- Jira issue data. When a scheduled refresh runs, we fetch the issue list from Jira (key, summary, status, assignee, due date, sprint, priority, reporter, created/updated dates, labels) and render it as an HTML table that we push to your OneNote page. We do not persist the fetched issues — they are rendered and forwarded to OneNote, then discarded.
- Microsoft account identity. When you connect Microsoft, we store your Microsoft user ID, display name, mail (if present), and userPrincipalName. We display these in the app so you know which account is connected.
- Tokens. A Microsoft OAuth refresh token (so we can refresh access tokens for scheduled runs) and a short-lived Forge app system token (so we can mint user-scoped Atlassian tokens for cron). Both are encrypted at rest with AES-GCM under per-deployment keys.
- Run history. One row per export attempt: start time, completion time, status, counts of issues added/updated/resolved/notes-preserved, and any error message returned by Jira or Microsoft. Shown on the dashboard for the report's owner.
What we don't collect
- Your Jira account email, display name, profile picture, or any other PII beyond the account ID.
- Issue contents beyond the columns you configured for the report.
- OneNote page contents you author yourself (text outside our marked table, the Notes column you fill in). We read the page only to merge new issue rows with your existing Notes column entries; we never persist what we read.
- Anything from other apps installed on your Jira site, or any Confluence / Bitbucket data — the app's scopes are Jira-only.
Where data lives
| Data | Where it lives |
|---|---|
| Configuration + tokens | Convex Cloud (operator: Convex, Inc.). US-region database. |
| OneNote pages | In your own Microsoft 365 tenant. We push HTML to pages you select; we never copy notebook content out. |
| Jira issues | Fetched from your Jira site on demand. Not persisted by us. |
Sharing
We don't share any of the above with third parties. The app's only outbound API calls are to Atlassian (your Jira site, Atlassian's GraphQL gateway) and Microsoft (the Graph endpoint for OneNote and the OAuth token endpoint). The app itself has no third-party analytics, ad networks, or error-tracking services that send your data off-site.
Retention
- Configs, tokens, and run history are kept as long as the app is installed and the user has not disconnected Microsoft.
- Clicking Disconnect in the dashboard deletes the stored Microsoft tokens immediately.
- Deleting a report from the dashboard cascades to its run history.
- Uninstalling the app does not automatically wipe the operator-side state — contact us at support@crosstowntech.com to request deletion. (A scheduled cleanup of inactive installs is planned.)
Your rights
You can disconnect Microsoft, delete individual reports, or request full deletion of your installation's data at any time via support@crosstowntech.com. We respond within 30 days.
Changes
If we change this policy in a way that affects existing users, we'll update the date above and notify Marketplace admins through the Atlassian developer console where applicable.