Privacy Policy
Last Updated: 2025-11-28
At estimio, we take your privacy seriously. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information.
1. Data We Collect
When you create an account, we collect:
- Name: Your display name for sessions
- Email address: Used for account verification and communication
- Password: Stored as a secure hash (we never see your actual password)
Session Data
When you use estimio, we collect:
- Sessions created: Session codes, titles, and participants
- Votes cast: Your story point estimates
- Consensus results: Final estimates and statistics
- Session metadata: Creation time, participant count, etc.
Integration Data
If you connect Jira, we store:
- Jira connection configuration: Base URL, credentials (encrypted), organization domain
- Story points field name: Your custom field configuration
- Jira issue data: Titles, descriptions, acceptance criteria (cached temporarily)
AI Usage Data
When you use AI features, we log:
- AI estimation requests: Story titles and descriptions sent to AI
- AI summary requests: Jira issue data sent for summarization
- AI response times: Performance metrics
- AI failure rates: Error tracking
Server Logs
We automatically collect:
- Request logs: API endpoints accessed, timestamps, IP addresses
- Error logs: Application errors and exceptions
- Performance metrics: Response times, database query performance
Cookies
We use essential cookies and analytics cookies:
- JWT session token: For authentication (httpOnly, secure)
- Google Analytics cookies: For understanding website usage (see Analytics section below)
Analytics
We use Google Analytics 4 to understand how visitors use our website. This helps us improve the service and understand user needs.
What we collect:
- Page views and navigation patterns
- Device and browser information
- Geographic location (country-level only; IP addresses are anonymized)
- Referral sources
Privacy protections:
- IP addresses are anonymized
- We respect Do Not Track (DNT) browser settings
- No personal identification data is collected
- Data is aggregated and anonymized
You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
2. How We Use Your Data
We use your data to:
- Provide and improve our service
- Authenticate your account
- Store your session history
- Enable Jira integration
- Generate AI-assisted estimates
- Troubleshoot technical issues
- Ensure service security
We do not:
- Sell your data to third parties
- Use your data for advertising
- Share your data except as described in this policy
3. Data Storage
Your data is stored in:
- Google Cloud Run: Frontend and backend hosting (Switzerland/EU region)
- Neon/PostgreSQL Database: User accounts, sessions, votes, Jira connections (EU region)
- Email Providers: For sending verification and password reset emails
All data is stored in secure, encrypted databases with access controls.
4. Data Retention
We retain your data as follows:
- Active accounts: Data is retained while your account is active
- Deleted accounts: Data is deleted within 30 days of account deletion
- Session data: In-memory sessions are cleared after 24 hours of inactivity
- Server logs: Retained for 90 days for security and troubleshooting
- AI usage logs: Retained for 30 days for performance monitoring
5. Data Security
We implement industry-standard security measures:
- HTTPS encryption: All data transmission is encrypted
- Password hashing: Passwords are hashed using bcrypt
- JWT tokens: Short-lived authentication tokens
- Environment variables: Secrets stored securely, never in code
- Regular security patches: We keep dependencies up to date
- Access controls: Database access is restricted and monitored
6. Your Rights (GDPR Compliance)
If you are located in the European Economic Area (EEA), you have the following rights:
Right to Access
You can request a copy of all personal data we hold about you.
Right to Rectification
You can correct inaccurate or incomplete data through your profile settings or by contacting us.
Right to Erasure ("Right to be Forgotten")
You can delete your account at any time, which will remove all your personal data.
Right to Data Portability
You can request an export of your data in a machine-readable format.
Right to Object
You can object to processing of your data for certain purposes (though this may limit service functionality).
Right to Restrict Processing
You can request that we limit how we process your data.
To exercise these rights, contact us at: info@estimio.ch
7. Data Processing Agreement (DPA)
For V1 of our service, a Data Processing Agreement (DPA) is not required unless you are an enterprise customer. If you need a DPA, please contact us.
8. International Data Transfers
Your data may be processed in:
- Switzerland (primary)
- European Union (EU) regions
- United States (for some third-party services like Google Cloud)
We ensure appropriate safeguards are in place for international transfers, including:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
- Compliance with GDPR requirements
9. Third-Party Services
We use the following third-party services that may process your data:
- Google Cloud Run: Hosting infrastructure
- Neon/PostgreSQL: Database services
- Google Gemini AI: AI processing (your story data is sent to generate estimates)
- Jira (Atlassian): When you connect your Jira account
- Email providers: For account verification emails
Each third party has its own privacy policy. We recommend reviewing them:
10. Children's Privacy
estimio is not intended for users under 16 years of age. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.
11. Cookies
We use only essential cookies:
- JWT Session Token: Stored as an httpOnly, secure cookie for authentication
- Expiration: Short-lived (typically 7 days or until logout)
You can clear cookies through your browser settings, but this will log you out.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting a notice on our website
- Sending an email to registered users
- Updating the "Last Updated" date
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at:
Email: info@estimio.ch
Address: [Your Company Address, Switzerland]
14. Data Protection Officer
For GDPR-related inquiries, you can contact our Data Protection Officer at: info@estimio.ch
15. Supervisory Authority
If you are in the EEA and believe we have not addressed your privacy concerns, you have the right to file a complaint with your local data protection supervisory authority.