SPARK
Get Started

Privacy Policy for SPARK

Your privacy and data protection are our top priorities. Learn how we collect, use, and protect your information.

Last Updated: July 2025

Information We Collect

Temporary Processing Data (Auto-deleted after 24 hours)

Important: Data is automatically deleted immediately after each successful test case generation. The 24-hour retention period only applies to failed requests, which we keep temporarily for debugging and system improvement purposes.

Issue Content

Temporarily processed in our backend system (AWS DynamoDB), where it is encrypted at rest using industry-standard AES-256 encryption.

Selected Comments & Attachments

When you choose to include comments or upload images for enhanced test generation, these are temporarily processed alongside issue content and stored in encrypted AWS S3 buckets.

Request Information

Request IDs and processing status

Processing Metadata

Timestamps and operation status

Stored Data

API Key Management

  • • Masked keys (first 3, last 2 characters) stored in Jira
  • • Full API keys securely stored in AWS Secrets Manager (encrypted at rest)

Usage & Subscription

  • • Test generation count, feature usage statistics
  • • License status and tier information
  • • Billing data processed through Atlassian Marketplace

Security

  • • Security and access logs for compliance purposes
  • • Session cookies for app functionality only

What We Do NOT Collect

  • • Personal information beyond what's necessary for service operation
  • • Issue content from a successful generation is deleted immediately after the results are delivered. Content from failed or abandoned requests is automatically purged within 24 hours for debugging and support purposes.
  • • Passwords or authentication credentials (except your provided API keys)
  • • Browser history or tracking cookies
  • • Data from other Jira projects or instances
  • • Analytics data containing personally identifiable information (PII)
  • • Marketing or advertising data

How We Use Your Data

  • Service Operation: Process your requests to generate test cases
  • API Key Management: Securely store and use your Gemini API keys
  • Service Improvement: Analyze usage patterns to enhance features
  • Support: Respond to your inquiries and resolve issues
  • Compliance: Meet legal and regulatory requirements

Data Location & Retention

Infrastructure: All data is processed and stored in AWS eu-central-1 (Frankfurt, Germany)

Data Type Retention Period
DynamoDB entries Automatically deleted after 24 hours via TTL (Time To Live)
API keys in AWS Secrets Manager Retained until you explicitly delete them
Usage metrics 90 days rolling window
Audit logs 12 months for security compliance
Subscription data Duration of subscription + 30 days post-cancellation
Session cookies Duration of browser session only

Cross-Border Data Transfers

  • EU Data Residency: All data remains within the European Union (AWS eu-central-1)
  • Cross-Border Data Transfers: Our application infrastructure and all data we control are hosted exclusively within the European Union. We do not transfer your data outside the EU. However, under our Bring-Your-Own-Key (BYOK) model, when you configure the app to use a third-party service like Google's Gemini API, the data you process (such as issue content) will be sent to that service. The location of that service's servers is governed by your agreement with them, not by us.
  • API Calls: Gemini API calls originate from EU-based infrastructure
  • Backups: All backups remain within EU regions (eu-west-1)
  • Compliance: Full compliance with EU data protection regulations

Data Sharing

We do NOT sell, rent, or trade your data. We share data only with:

  • AWS: Our infrastructure provider (data processor agreement in place)
  • Atlassian: For marketplace transactions and subscription management only
  • Google (Gemini): Direct relationship using your provided API keys (BYOK model)
  • No Marketing Partners: We do not share any data for marketing or advertising purposes

Data Processing Agreements: We maintain valid data processing agreements with all third-party processors in compliance with GDPR Article 28.

Security Measures

  • Encryption: All API keys encrypted at rest in AWS Secrets Manager
  • Access Control: Strict IAM policies and least-privilege access
  • Infrastructure Security: AWS security best practices and compliance
  • BYOK Model: You control your own API keys and can revoke access anytime
  • Data Isolation: Tenant isolation ensures your data remains private
  • Incident Notification: In the event of a security incident, we will notify Atlassian via ECOHELP within 48 hours of discovery. End-user notifications will follow applicable data protection laws.
  • Security Audits: Regular security assessments and vulnerability testing

Your Rights (GDPR Compliance)

As a data subject, you have the following rights:

Right to Access (Article 15)

  • Request a copy of all your personal data
  • Receive information about how we process your data
  • Data provided within 30 days of request

Right to Rectification (Article 16)

  • Correct any inaccurate personal data
  • Update information via the admin interface
  • Complete incomplete personal data

Right to Erasure/Deletion (Article 17)

  • Request complete removal of your data
  • Deletion completed as required by applicable law
  • Includes API keys, usage data, and all associated records

Right to Data Portability (Article 20)

  • You have the right to request an export of the personal data we hold about you (such as your account and usage information) in a structured, machine-readable JSON format. To make a request, please contact our support team at support@leviathan-labs.com.
  • Transfer data to another service provider
  • Receive data within 30 days of request

Right to Object (Article 21)

  • Object to specific data processing activities
  • Opt-out of non-essential data processing

Right to Restriction (Article 18)

  • Limit how we process your data
  • Suspend processing while disputes are resolved

Data Processing Basis

We process your data based on:

  • Contract Performance (Article 6(1)(b)): To provide the SPARK service you've subscribed to.
  • Legitimate Interest (Article 6(1)(f)): For service improvement, security monitoring, and fraud prevention.
  • Legal Compliance (Article 6(1)(c)): When required by law or to respond to a valid legal process.

Contact Us

For privacy concerns, data requests, or to exercise your rights:

  • Email: support@leviathan-labs.com
  • Data Protection Officer: Available at support@leviathan-labs.com

Analytics and Cookies

  • Session Cookies: We use session cookies for app functionality only
  • No Tracking Cookies: We do not use tracking or advertising cookies
  • Analytics: We collect aggregate usage metrics only, no personally identifiable information
  • Cookie Duration: Session cookies expire when you close your browser

Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. We will notify you of significant changes through the app or via email.

Additional Notes

  • This policy applies to SPARK
  • Billing and payment data is handled exclusively by Atlassian Marketplace under their privacy policy

Questions About This Policy?

If you have any questions about this Privacy Policy or how we handle your information, please contact us:

support@leviathan-labs.com