Privacy Policy of mailto.wiki – Email for Confluence (Cloud)

We are very delighted that you have shown interest in our product “mailto.wiki – Email for Confluence” and our enterprise. Data protection is of a particularly high priority for the management of the Winter und Gellweiler – Software Engineering GbR aka. CraftCoders (hereinafter referred to as “we” or “CraftCoders”).

This document only applies to the Cloud version of the “mailto.wiki – Send Emails to Conluence” app. For the Data Center version please read: Privacy Policy of mailto.wiki – Email for Confluence (Server).

The processing of personal data, such as the name, address, email-address, or telephone number of a data subject shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable to CraftCoders. By means of this privacy policy, our enterprise would like to inform the Data Subjects of the nature, scope, and purpose of the personal data we collect, use, and process. Furthermore, Data Subjects are informed, by means of this privacy policy, of the rights to which they are entitled.

Our data privacy policy is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Terms used in this privacy policy shall have the meaning as defined in the GDPR.

As the controller, CraftCoders has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed. However, internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed.

All our infrastructure needed to run “mailto.wiki – Email for Confluence” is hosted on Amazon Web Services (AWS) on servers in the European Union. Our product integrates with Confluence Cloud, a product by Atlassian Pty Ltd (hereinafter referred to as “Atlassian”) and uses services provided by Atlassian. You can read more about how AWS treats private information here: https://aws.amazon.com/privacy/.

1. Name and address of the controller and the data protection officer

Controller for the purposes of the GDPR, other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:

Winter und Gellweiler – Software Engineering GbR
Alter Schlachthof 39 D2
76131 Karlsruhe
Germany

phone: +49 721 95944575
email: mail@mailto.wiki

Our data protection officer is available at:

Jan Hendrik Winter
Alter Schlachthof 39 D2
76131 Karlsruhe
Germany

phone: +49 721 95944575
email: dpo@mailto.wiki

2. Collection of general data and information

If you acquire a License of our product “mailto.wiki – E-Mail for Confluence”, Atlassian will provide us with transaction details. These transaction details will be stored and processed by us. If Atlassian processes data on its own behalf, Atlassian acts as controller. Further information about the privacy policy of Atlassian can be accessed here: https://www.atlassian.com/legal/privacy-policy#what-this-policy-covers.

The servers of CraftCoders collect a series of general data and information when you use our services. This general data and information is stored in the server log files. This information is needed to (1) deliver the content of our plugin correctly, (2) optimize the content of our plugin, (3) ensure the long-term viability of our information technology systems and plugin technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack.

When using these general data and information, we do not draw any conclusions about you. This information is needed to (1) deliver the content of our plugin correctly, (2) ensure the long-term viability of our information technology systems and plugin technology, and (3) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, we analyse anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process.

We process this data on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR. Our legitimate interests correspond to the stated processing purposes.

These log files are automatically deleted after 7 days.

3. Registration

When you install the “mailto.wiki – Email for Confluence” plugin, some general information about your Confluence instance is transmitted to our services. This information includes (1) a unique client key to identify you, (2) the URL to your Confluence instance and (3) randomly generated security keys to enable two-way authentication and encryption between our services and your Confluence instance.

We need to store this information on our servers in order to provide the core functionality of the “mailto.wiki – Send Emails to Confluence” plugin. We need this information to be able to send content to your Confluence instance and to authenticate you to our services.

We process this data to fulfill a contract with you (Art. 6 para. 1 lit. b) GDPR) and on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR. Our legitimate interests correspond to the stated processing purposes.

If you uninstall the “mailto.wiki – Email for Confluence” plugin, this information will be deleted.

4. Emails

The core functionality of the “mailto.wiki – Email for Confluence” plugin is the ability to send emails to our service, which are then converted into Confluence content and published in your Confluence instance. For this purpose, all processed emails must pass our mail servers.

We cannot control how the emails are delivered to us and it is your responsibility to ensure that any sensitive information contained in the emails is transmitted in a secure manner (e.g. by using SMTPS to encrypt the transmission).

As soon as our servers receive an email, we subject it to a series of automatic tests (Spam filtering, virus checks, etc.) to determine whether we should reject the email. If the email is rejected, we delete it immediately. Otherwise, it is temporarily stored in encrypted form on the hard disk for further processing.

We then process the emails to convert their content into Confluence content. Once the data has been successfully transferred to your Confluence instance (with transport encryption) or in the event of an error, the email is deleted. Normally, this process should take between a few seconds and 5 minutes.

The maximum storage period for the content (body and attachments) of an email is 48 hours. The content of emails is never visible to our employees.

When an email passes through our system, we store the email header in our log files. The header contains a range of meta-information about the email such as (1) the sender address, (2) the recipient address, (3) the email subject, (4) the date and time the email was written, (5) information about the transmission of the email and (6) any other similar data and information that can be used in the event of attacks on our IT systems.

The logs containing the meta information are automatically deleted after 7 days.

5. Configuration, email-addresses, and spam-protection settings

The configuration of the “mailto.wiki – Email for Confluence” plugin, which can be edited by Confluence administrators on the configuration page, is stored in your Confluence instance and loaded by our services when we process an email. They are never stored permanently on our servers. If you uninstall the plugin, this information will be deleted from your Confluence instance.

You can register multiple email-addresses ending in @mailto.wiki or @sendto.wiki to use them with the “mailto.wiki – Email to Confluence” plugin. To be able to forward incoming emails to the correct recipients, we have to assign the email-addresses to the customers. For this purpose, we store the email-addresses in hashed form on our servers. The email-addresses are also stored in plain text along with the other configuration in your Confluence instance so that we can display them on the configuration page. All information is deleted from our servers when you uninstall the “mailto.wiki – Email to Confluence” plugin.

To combat Spam and abuse, we offer you the option of restricting senders to certain email-addresses (secure sender list). We store these entries in hashed form on our servers to reject emails quickly and at an early stage. The entries in the list are also stored in plain text together with the rest of the configuration in your Confluence instance so that we can display them on the configuration page. All information is deleted from our servers when you uninstall the “mailto.wiki – Email to Confluence” plugin.

Our technicians can view the configuration, your registered emails, and your spam protection settings stored in your Confluence instance via a diagnostic console. This is to help you troubleshoot problems and avoid complications when we update the structure of the configuration. The diagnostic console reads the data directly from your Confluence instance, and the data is never copied to any other permanent storage. The Diagnostics Console cannot display information about the content of emails you send or other information from your Confluence instance.

6. Legal basis for the processing

Art. 6 para. 1 lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose.

If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6 para. 1 lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services.

If we are subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6 para. 1 lit. c GDPR.

In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data, or other vital information would have to be passed on to a doctor, hospital, or other third party. Then the processing would be based on Art. 6 para. 1 lit. d GDPR.

Finally, processing operations could be based on Article 6 para. 1 lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds if processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of you which require protection of personal data.

7. Period for which the personal data will be stored

We store your personal data only as long as this is necessary for the fulfilment of the processing purposes or – in the case of consent – as long as you have not withdrawn your consent. In the event of an objection, we will erase your personal data unless its further processing is permitted under the relevant legal provisions or your personal data is not identifiable anymore as we have already anonymized it. We also erase your personal data if we are obliged to do so for legal reasons. If and as long as there are legal storage obligations, we will only erase the personal data after the relevant periods have expired.

8. Automated decision-making

We do not use automatic decision-making or profiling.

9. Your rights as a data subject

Right of access: You have the right to obtain information about the personal data we have stored about you.
Right to rectification and erasure: You can request that we correct incorrect personal data and erase your personal data.
Restriction of processing: You can request that we restrict the processing of your personal data.
Data portability: If you have provided us with personal data on the basis of a contract or consent, you may request that we send you the personal data you have provided in a structured, common, and machine-readable format or that we transfer it to another controller.
Right to object to data processing on the legal basis of “legitimate interest”: You have the right to object to our processing of your personal data at any time with future effect on grounds relating to your particular situation, insofar as this is based on the legal basis of “legitimate interest”. If you exercise your right to object, we will cease processing your personal data, unless we can demonstrate compelling legitimate grounds for further processing that override your rights. However, if you object to such processing of personal data, you will not be able to use our services anymore (which may also have an effect on your contractual relationship with your employer or corporate partner).
Withdrawal of consent: If you have given us consent to process your personal data, you can withdraw this consent at any time with effect for the future. The lawfulness of the processing of your personal data until the withdrawal remains unaffected.
Right to lodge a complaint with a supervisory authority: You can also lodge a complaint with a competent supervisory authority if you are of the opinion that the processing of your personal data violates applicable law. To do this, you can, e.g., contact the data protection authority competent for your place of residence or the data protection authority competent for us in Baden-Württemberg: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit, Königstraße 10a, 70173 Stuttgart; phone: +49 (0) 711 / 615541-0; fax: +49 (0) 711 / 615541-15; mail: poststelle@lfdi.bwl.de.

Exercising any of your rights mentioned above is subject to legal prerequisites and, in certain circumstances, your rights may be limited due to legal exceptions set out, in particular, in Art. 17 para. 3 and 22 para. 2 GDPR.

If you have any questions on the processing of your personal data, your data subject rights, and any consent you may have given, you can contact us free of charge. Should you have any questions relating to your rights or their limitations, please feel free to contact any of our employees.

10. Changes to this privacy policy

From time to time it may be necessary to amend the content of this privacy notice. We therefore reserve the right to change it at any time. We will also publish the amended version of the privacy notice. The current version of our privacy notice applies at the time of your use of our services.

Version: 2, Date: 01.07.2024