Privacy Policy

23 Sep 2025

This Privacy Policy (the “Policy”) explains how Scope 360 AB (“Service Provider”, “we”, “us”) collects, uses, discloses, and safeguards personal data when individuals or organizations (“Customer”, “you”) use the Scope360° Service. It also describes what personal data we process, for what purposes, on what legal bases, and how we ensure compliance with applicable data protection laws, including GDPR.

When incorporated as Appendix 1 to the Enterprise Customer Agreement, this Policy forms an integral part of that Agreement.

1. Definitions

Service Provider / We / Us: Scope 360 AB.

Service: The Scope360° Chrome extension and related services.

Customer / You: Any individual or entity using the Service.

Personal Data: Any information that can identify an individual, directly or indirectly, including names, email addresses, and technical identifiers.

2. Responsibility for Data Collection

Scope 360 AB, Swedish Company Registration Number SE559362049401 is responsible for the personal data you provide to us through purchases and other contacts with us and is responsible for processing these.

For any privacy-related questions or to exercise your rights, you may contact us at email: hello@scope360.se

3. Information We Collect

We collect different types of personal data for the following purposes:

User Data: A SHA-256 hash of your Jira instance origin (URL) and Jira username is used to determine which configuration to fetch from our central server. These hash values serve as anonymous identifiers and are not reversible, which means we cannot determine the original Jira URL or username. This ensures we cannot identify or track individual users or Jira instances. No other Jira-related data is sent to our servers.
Login Data: Your Jira username and password, if needed for authentication, are stored only in your browser’s local storage in encrypted form and are never transmitted externally (Contractual Necessity).
Usage Data: Information such as page titles, URLs, and view identifiers may be collected and sent to Google Analytics to help us improve the Service (Legitimate Interest).
Subscription Data: Name, email, payment information, and subscription details are collected to manage billing and access to the Service (Contractual Necessity).
Marketing Data: We may use your contact details to send you relevant marketing communications about our products and services. You can opt out at any time (Legitimate Interest or Consent).
Retention: Data is stored only as long as necessary for its intended purpose or required by law.

4. Use of Cookies

We use cookies to personalize content, ads and to analyze our traffic. We also share information about your use of our site with our advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.

We also use cookies to collect data for the purpose of personalizing and measuring the effectiveness of our advertising. For more details, visit the Google Privacy Policy.

5. Use of Your Information

We process personal data for the following purposes:

To provide and configure the Service
To authenticate and manage login credentials for Jira.
To manage subscriptions and payments
To improve and analyze service usage
To ensure security and fraud prevention
To comply with legal obligations (e.g., accounting, tax requirements)
To send you marketing communications about our products and services (you may opt out at any time)

We do not sell or share your personal data except where necessary to operate our Service:

Payment Processors (for handling transactions)
Analytics Providers (Google Analytics, if consented to)
Cloud Storage & IT Service Providers (hosting and infrastructure)
Marketing & Communication Providers (for sending promotional emails, with your consent)
Legal Compliance (to authorities if required by law)

To deliver our Service, Scope 360 AB engages certain carefully selected third-party providers (“sub-processors”). These sub-processors perform limited tasks on our behalf, such as cloud hosting, infrastructure, payment processing, or marketing communications.

Each sub-processor only processes personal data to the extent necessary to provide their specific service, and always under data protection obligations consistent with GDPR and our Data Processing Agreement.

A current and always up-to-date list of our sub-processors is provided below. This list may change over time as we improve our Service. Customers will normally be notified at least thirty (30) days in advance of any addition or replacement of a sub-processor, and in no case less than fifteen (15) days. Notifications are provided either directly (for enterprise customers) or through updates to this Privacy Policy (for all other customers).

Sub processor	Purpose	Location of processing	Safeguards for transfers outside EU/EEA
Microsoft Office 365	Document storage (SharePoint, OneDrive), including user information, logs and backup data.	EU (Sweden/EU region)	N/A – data remains in EU
MongoDB	Database for storing configurations, logs and limited user data	Frankfurt, Germany (EU)	N/A – data remains in EU
Stripe Payments	Payment processing (customers, subscriptions, and transactions)	EU/EEA with potential transfers to USA	Standard Contractual Clauses (SCCs)
Brevo Marketing	communications and newsletters	EU (EU data centers)	N/A – data remains in EU
Zapier	Email automation, data sync, workflow automation	United States (AWS infrastructure)	EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs)

7. Data Security

We implement industry-standard security measures, including:

TLS encryption for data in transit
Access controls to restrict unauthorized access
Secure storage mechanisms for sensitive information

We also apply a privacy-by-design approach in how the Chrome extension is developed and interacts with data:

All communication with Jira REST APIs takes place entirely within your browser. No Jira content (e.g. issue details, user data, or project information) is ever transmitted to our servers.
To fetch the correct configuration for your instance, the extension generates a SHA-256 hash of the Jira origin and username. These hashes are used only as anonymous lookup keys to fetch configuration data and cannot be traced back to you or your Jira instance.
This ensures that sensitive data never leaves your device and that we, as the service provider, have no access to your Jira content.

8. Your Rights

Under GDPR, you have the following rights:

Right to be informed about data collection and usage
Right of access to your personal data
Right to rectification of inaccurate or incomplete data
Right to erasure (“right to be forgotten”)
Right to restrict processing
Right to data portability
Right to object to processing
Right to withdraw consent at any time

To exercise these rights, please contact us at hello@scope360.se. We will respond within GDPR timelines.

9. Data Processing Legal Basis

We process your personal data based on:

Consent (for analytics, marketing communications, and cookies)
Contractual Necessity (for service access and billing)
Legal Obligation (for compliance with legal requirements)
Legitimate Interest (for improving and securing the Service, as well as sending relevant service-related marketing communications where applicable)

You can withdraw your consent for data processing at any time.

10. International Data Transfers

All personal data is processed within the EU/EEA. Any transfer outside the EU/EEA will be subject to appropriate safeguards in accordance with GDPR (e.g. SCCs or adequacy decisions).

EU Standard Contractual Clauses (SCCs)
Adequacy decisions for certain countries
Technical and organizational security measures

For more information, contact hello@scope360.se.

11. Changes to This Privacy Policy

We may update this Policy as needed. Significant changes will be notified via:

Email (if you have an account with us)
Website notice

Please review this Policy periodically to stay informed.