Privacy Policy
This Privacy Policy explains how Ibis Flow GmbH ("Ibis Flow", "we", "us", or "our") collects, uses, and protects personal data when you visit our website at https://www.ibisflow.com or use our services. This policy applies to website visitors, authenticated users, and organisations using Ibis Flow.
We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data Controller
The data controller responsible for processing your personal data is:
Ibis Flow GmbH
Germany
Contact: Available through our support page
2. Our Role: Controller and Processor
Ibis Flow operates in two distinct capacities depending on the type of data being processed:
When we act as a Data Controller
We are the data controller for:
- Account and organisation registration data
- Authentication and identity data
- Billing and subscription information
- Website analytics and cookies
- Operational telemetry and error monitoring data
When we act as a Data Processor
We act as a data processor on behalf of our customers (the data controllers) for:
- Jira ticket content imported into estimation sessions (titles, descriptions, comments, attachments, story points, history)
- Estimation session data created within Ibis Flow
- Votes and comments submitted by users during estimation sessions
When processing customer content, we act solely on the instructions of the customer organisation. Customers retain control over their data and are responsible for ensuring they have appropriate legal bases for processing.
3. Categories of Personal Data We Process
Account and Identity Data
When you create an account or authenticate, we collect:
- Name and email address (provided by your identity provider)
- Organisation membership and role information
- Authentication tokens and session data
Billing Data
When you subscribe to a paid plan, we collect:
- Organisation billing contact details
- Subscription and invoice history
Payment card details are processed directly by Stripe and are not stored by Ibis Flow.
Usage and Estimation Data
When you use our services, we process:
- Estimation session participation and voting data
- Comments and reactions submitted during sessions
- Jira ticket content imported for estimation purposes
Votes and comments are linked to user accounts. Organisation administrators cannot currently view historical individual votes or comments from other users.
Technical and Operational Data
We automatically collect:
- Browser type and version
- Device information and screen resolution
- IP address (for security and error monitoring)
- Error reports and performance data (with personal data scrubbing enabled)
Analytics Data (Opt-in Only)
If you consent to analytics cookies, we collect:
- Pages visited and navigation patterns
- Approximate geographic location (country/region level)
- Traffic source and referral information
Google Analytics is disabled by default and only enabled with your explicit consent.
Data We Do Not Collect
- We do not collect payment card numbers (these are processed by Stripe)
- We do not collect sensitive personal data (racial origin, political opinions, religious beliefs, health data)
- We do not collect data from children under 16
4. Purposes of Processing and Legal Bases
We process personal data for the following purposes under the specified legal bases (GDPR Article 6):
Performance of Contract (Art. 6(1)(b)):
- Providing access to the Ibis Flow platform
- Processing estimation sessions and storing results
- Managing your account and organisation membership
- Processing subscription payments
- Sending transactional emails (account notifications, session invitations)
Legitimate Interests (Art. 6(1)(f)):
- Ensuring platform security and preventing fraud
- Monitoring and improving service reliability
- Error tracking and debugging (with personal data scrubbing)
- Responding to support enquiries
Consent (Art. 6(1)(a)):
- Website analytics via Google Analytics (opt-in)
- Marketing communications (where separately consented)
Legal Obligation (Art. 6(1)(c)):
- Retaining financial records as required by law
- Responding to lawful requests from authorities
5. Subprocessors
We use the following third-party service providers to deliver our services:
- Microsoft Azure - Cloud infrastructure hosting (EU West Europe region)
- Microsoft Entra External ID - Authentication and identity management
- Postmark - Transactional email delivery
- Stripe - Billing and payment processing
- Sentry - Error monitoring (always enabled, with personal data scrubbing)
- Google Analytics (GA4) - Website analytics (opt-in only, disabled by default)
We maintain data processing agreements with all subprocessors as required by GDPR Article 28.
6. International Data Transfers
Our primary infrastructure is hosted by Microsoft Azure in the West Europe region (Germany/Netherlands). Your data is stored within the European Union.
Some of our subprocessors may process data outside the European Economic Area. Where this occurs, we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework certification (where applicable)
- EU-approved Standard Contractual Clauses
- Adequacy decisions by the European Commission
We only transfer data internationally where necessary for service delivery and with appropriate legal protections in place.
7. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy:
- Account data: Retained while your account is active, plus a reasonable period for reactivation
- Estimation session data: Retained according to your organisation's data retention settings
- Billing records: Retained for the period required by applicable tax and accounting laws
- Error logs: Retained for up to 90 days for debugging purposes
- Analytics data: Subject to Google Analytics retention settings (14 months by default)
When data is no longer required, we delete it or anonymise it so that it can no longer identify you.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access: You can request a copy of the personal data we hold about you
- Right to rectification: You can request correction of inaccurate or incomplete data
- Right to erasure: You can request deletion of your data in certain circumstances
- Right to restrict processing: You can request that we limit how we use your data
- Right to data portability: You can request your data in a machine-readable format
- Right to object: You can object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time
To exercise any of these rights, please contact us through our support page. We will respond to your request within 30 days.
You also have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data appropriately.
9. Security Measures
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS) and at rest
- Authentication via enterprise identity providers (Microsoft Entra, Google Workspace)
- Regular security assessments and monitoring
- Access controls limiting data access to authorised personnel
- Personal data scrubbing in error monitoring systems
While we take reasonable precautions, no method of transmission or storage is completely secure. We cannot guarantee absolute security of your data.
10. Cookies and Local Storage
We use cookies and browser local storage for the following purposes:
Essential (Always Active):
- Authentication and session management
- Cookie consent preferences
- Security and fraud prevention
Functional:
- User interface preferences
- Local storage for application functionality
Analytics (Opt-in):
- Google Analytics cookies (disabled by default)
We do not use marketing or advertising cookies. You can manage your cookie preferences at any time using the "Manage Cookies" option on this page or in your browser settings.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or for other operational reasons. When we make significant changes, we will:
- Update the "Effective" date at the top of this page
- Notify registered users via email where changes materially affect their rights
- Provide a summary of key changes
We encourage you to review this policy periodically. Continued use of our services after changes take effect constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us through our support page.
For data protection enquiries, please include "Privacy" in your message subject to help us route your request appropriately.
This policy is effective as of 6 January 2026.
Version 2.0
