Recoup — Privacy Policy
Effective date: 2026-05-20 Last updated: 2026-05-20
This privacy policy describes how Recoup ("we", "us", "the app") handles your data. Recoup is an Atlassian Marketplace app distributed via the Atlassian Forge platform. By installing Recoup, you agree to this policy.
Summary in plain English
- All data stays inside Atlassian's infrastructure. Recoup performs all analysis inside Atlassian's Forge runtime. No End-User Data is transmitted to any third party or outside Atlassian's infrastructure.
- We don't operate any servers. Recoup runs on Atlassian Forge — Atlassian hosts every function call and storage write.
- All stored data is encrypted at rest in Forge's Key Value Store, tied to your Atlassian Cloud site. It is never logged or returned to any third party; all processing happens inside Atlassian's Forge runtime.
1. Data we access
When you install Recoup and run a scan, the app accesses the following data via Atlassian's APIs:
From your Atlassian site (via Forge asApp() / asUser() calls)
- User account IDs, display names, email addresses and account type, from
/rest/api/3/users/search - Last-activity timestamps derived from Jira issue activity (
/rest/api/3/search/jql— assignee, reporter, updated timestamp; we never read issue contents or bodies) - Jira access-control group names and group memberships from
/rest/api/3/group/*— used to list the groups you can map products to, and to add or remove a user from a mapped group when you reclaim a seat. Recoup reads only group names and theaccountIds of members; it never reads issue, page, or ticket contents.
Recoup accesses this data using Forge's built-in app/user authentication only. It does not collect or store any Atlassian account credentials — no passwords, no user or org-admin API tokens.
From your own input
- Per-seat cost configuration (numeric inputs)
- Inactivity thresholds (numeric inputs)
- Product → access-group mapping (which Jira/JSM groups grant each paid product)
2. Where data is stored
Recoup stores the following entities in Forge Key Value Store, hosted and encrypted by Atlassian:
- User records (one per Atlassian account discovered)
- Recommendation records (one per detection)
- Scan run history (metadata only — no full user list snapshots)
- Audit log entries (one per admin action, immutable)
- Settings (thresholds, per-seat costs, product → access-group mapping)
Forge Key Value Store data is encrypted at rest by Atlassian using AES-256 and tied to your Atlassian Cloud site. Recoup operates as a tenant inside this storage; we cannot access the data without going through Forge's authenticated APIs invoked by an admin user of your org.
Recoup performs all analysis inside Atlassian's Forge runtime. No End-User Data is transmitted to any third party or outside Atlassian's infrastructure.
Data residency: Forge storage follows Atlassian's data residency commitments. If your Atlassian site is in a specific data region, Recoup's storage stays in that region.
3. Data we share with third parties
Recoup shares data with exactly one external service, which is explicitly allow-listed in our Forge manifest:
api.atlassian.com (Atlassian's personal-data reporting API)
- What: the Atlassian account IDs of users Recoup has stored, submitted to Atlassian's required
report-accountsendpoint - When: on Atlassian's weekly personal-data reconciliation schedule
- Why: Atlassian requires Marketplace apps to report the accounts they hold so that account closures and data-erasure requests are honoured. The call is authenticated by Forge (the
report:personal-datascope) — Recoup supplies no credentials of its own.
This is an Atlassian-operated endpoint, so no End-User Data ever leaves Atlassian's infrastructure. All other processing — including service-account detection and the dashboard summary — happens deterministically inside the Forge runtime, with no external calls.
We do not share data with any other third party. Recoup has no analytics provider, no error reporting service, no AI vendor, and no marketing tools embedded.
3a. Account actions and data changes
Recoup right-sizes paid product access by managing membership in your Jira access-control groups (you map products → groups in Settings). When an admin reclaims a seat, Recoup calls Atlassian's Jira group API (/rest/api/3/group/user) via Forge asApp() to remove the user from the mapped Jira/JSM group(s) — Atlassian then stops billing that seat. This is fully reversible: "Add back" re-adds the user to the same group(s). Recoup never deletes, suspends, or hard-deactivates the account; the user's identity, profile, and SSO are left completely untouched. Jira and JSM are actionable; Confluence and Jira Product Discovery findings are insights-only for now (Recoup shows the reclaimable dollars and you right-size those yourself).
Every account action writes an immutable before/after audit record. No automation acts on its own — every action is admin-initiated.
4. Data we do NOT collect
- Issue contents, comments, attachments
- Document contents (Confluence pages, JSM tickets, JPD ideas)
- User passwords or authentication tokens beyond what you explicitly provide via Settings
- Behavioral or telemetry data about how admins use Recoup
- IP addresses or geolocation
- Cookies (Recoup runs inside Atlassian's iframe — Atlassian's cookies apply, not ours)
5. Data retention
- User records, recommendations, scan runs: retained until you uninstall Recoup or explicitly clear data via the in-app "Clear all data" developer tool
- Audit log entries: immutable, retained for the life of the install (no built-in deletion path — they exist for accountability)
- Settings: retained until you change them in Settings or uninstall Recoup
On uninstall: Atlassian automatically purges all Forge storage associated with the app within 30 days per Atlassian's Forge data lifecycle policy.
5a. Automatic erasure on Atlassian account closure
Recoup implements Atlassian's personal-data reporting flow. Once a week, Recoup posts the list of Atlassian accountIds for which it stores personal data to Atlassian's report-accounts endpoint. If Atlassian responds that an account has been closed (the user has exercised right-to-erasure, or the account has been permanently deactivated) or updated (data is stale or the user requested a refresh):
- The corresponding
Userrecord is deleted from Recoup's storage - All
Recommendationrecords for that account are deleted - The account is removed from the service-account allowlist if present
- In audit log entries that touched the account, the
displayNameandemailfields are redacted to[redacted]. TheaccountIditself is retained so that the action record stays linked to a unique (now anonymous) actor — this preserves the audit trail's forensic integrity without storing the user's personal data after closure.
You can also trigger the same erasure path for any user by clearing their entries through any in-app "Clear all data" developer tool, or by uninstalling Recoup entirely.
6. Your rights
You have the right to:
- Access the data Recoup stores — visible in the in-app screens
- Export any in-app audit log as CSV (where the app exposes one)
- Delete all data via any in-app "Clear all data" developer tool, or by uninstalling Recoup
- Be erased automatically when Atlassian flags your account as closed (see section 5a)
For requests under GDPR, CCPA, or similar regulations, contact us at support@taskhooker.com. The automatic erasure flow runs weekly; if you need faster action, email us and we'll process the deletion manually.
7. Children's privacy
Recoup is a business administration tool for Atlassian Cloud organisations. It is not intended for, marketed to, or used by individuals under 18. We do not knowingly collect data about minors.
8. Changes to this policy
We may update this policy when materially new features ship. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated via the Marketplace listing and any in-app notice we deem appropriate.
9. Contact
For privacy questions:
- Email: support@taskhooker.com
- Website: https://recoup.taskhooker.com
- Address: Melbourne, Australia