Recoup — Privacy Policy

Effective date: 2026-05-20 Last updated: 2026-05-20

This privacy policy describes how Recoup ("we", "us", "the app") handles your data. Recoup is an Atlassian Marketplace app distributed via the Atlassian Forge platform. By installing Recoup, you agree to this policy.


Summary in plain English


1. Data we access

When you install Recoup and run a scan, the app accesses the following data via Atlassian's APIs:

From your Atlassian site (via Forge asApp() / asUser() calls)

Recoup accesses this data using Forge's built-in app/user authentication only. It does not collect or store any Atlassian account credentials — no passwords, no user or org-admin API tokens.

From your own input

2. Where data is stored

Recoup stores the following entities in Forge Key Value Store, hosted and encrypted by Atlassian:

Forge Key Value Store data is encrypted at rest by Atlassian using AES-256 and tied to your Atlassian Cloud site. Recoup operates as a tenant inside this storage; we cannot access the data without going through Forge's authenticated APIs invoked by an admin user of your org.

Recoup performs all analysis inside Atlassian's Forge runtime. No End-User Data is transmitted to any third party or outside Atlassian's infrastructure.

Data residency: Forge storage follows Atlassian's data residency commitments. If your Atlassian site is in a specific data region, Recoup's storage stays in that region.


3. Data we share with third parties

Recoup shares data with exactly one external service, which is explicitly allow-listed in our Forge manifest:

api.atlassian.com (Atlassian's personal-data reporting API)

This is an Atlassian-operated endpoint, so no End-User Data ever leaves Atlassian's infrastructure. All other processing — including service-account detection and the dashboard summary — happens deterministically inside the Forge runtime, with no external calls.

We do not share data with any other third party. Recoup has no analytics provider, no error reporting service, no AI vendor, and no marketing tools embedded.

3a. Account actions and data changes

Recoup right-sizes paid product access by managing membership in your Jira access-control groups (you map products → groups in Settings). When an admin reclaims a seat, Recoup calls Atlassian's Jira group API (/rest/api/3/group/user) via Forge asApp() to remove the user from the mapped Jira/JSM group(s) — Atlassian then stops billing that seat. This is fully reversible: "Add back" re-adds the user to the same group(s). Recoup never deletes, suspends, or hard-deactivates the account; the user's identity, profile, and SSO are left completely untouched. Jira and JSM are actionable; Confluence and Jira Product Discovery findings are insights-only for now (Recoup shows the reclaimable dollars and you right-size those yourself).

Every account action writes an immutable before/after audit record. No automation acts on its own — every action is admin-initiated.

4. Data we do NOT collect


5. Data retention

On uninstall: Atlassian automatically purges all Forge storage associated with the app within 30 days per Atlassian's Forge data lifecycle policy.


5a. Automatic erasure on Atlassian account closure

Recoup implements Atlassian's personal-data reporting flow. Once a week, Recoup posts the list of Atlassian accountIds for which it stores personal data to Atlassian's report-accounts endpoint. If Atlassian responds that an account has been closed (the user has exercised right-to-erasure, or the account has been permanently deactivated) or updated (data is stale or the user requested a refresh):

You can also trigger the same erasure path for any user by clearing their entries through any in-app "Clear all data" developer tool, or by uninstalling Recoup entirely.


6. Your rights

You have the right to:

For requests under GDPR, CCPA, or similar regulations, contact us at support@taskhooker.com. The automatic erasure flow runs weekly; if you need faster action, email us and we'll process the deletion manually.


7. Children's privacy

Recoup is a business administration tool for Atlassian Cloud organisations. It is not intended for, marketed to, or used by individuals under 18. We do not knowingly collect data about minors.


8. Changes to this policy

We may update this policy when materially new features ship. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated via the Marketplace listing and any in-app notice we deem appropriate.


9. Contact

For privacy questions: