⚡ ZanMind

Privacy Policy

Data Security Statement for ZanMind Q&A for Confluence

Last Updated: February 25, 2026

Overview

ZanMind Q&A for Confluence ("the App") is committed to protecting the privacy and security of our users' data. This document outlines how we handle, store, and protect data within the App.

Data Collection and Storage

What Data We Collect

The App collects and stores the following data within your Confluence instance:

  • Questions and Answers: Content created by users including titles, descriptions, and responses
  • User Information: Confluence usernames and display names (obtained from Confluence's user API)
  • Metadata: Timestamps, vote counts, tags, and question status (solved/unsolved)
  • Configuration Data: Team names, notification settings (MS Teams webhook URLs, email settings)

What Data We DO NOT Collect

  • No Personal Credentials: We do not collect, store, or transmit passwords, API tokens, or authentication credentials
  • No Additional Personally Identifiable Information (PII): We collect no PII beyond what is already available in Confluence (username, display name)
  • No Financial Information: We do not process or store any payment or financial data
  • No External Tracking: We do not use analytics, telemetry, or tracking services
  • No Third-Party Sharing: Your data is never shared with, sold to, or transmitted to third parties

Data Storage and Security

Storage Location

  • All data is stored within your Confluence database using Atlassian's Active Objects framework
  • No external storage: We do not store data on external servers, cloud services, or file systems
  • No data export: Data remains within your Confluence instance at all times

Security Measures

  • Authentication: All access requires valid Confluence user authentication
  • Authorization: Permission checks using Confluence's built-in permission system
  • CSRF Protection: All state-changing operations are protected against Cross-Site Request Forgery attacks
  • Input Validation: All user inputs are validated and sanitized to prevent injection attacks (XSS, SQL injection)
  • Parameterized Queries: Database operations use parameterized queries preventing SQL injection
  • Secure Dependencies: Uses only Atlassian-provided libraries with no additional third-party dependencies
  • HTTPS Only: All communications occur over encrypted HTTPS connections (enforced by Confluence)

Data Processing

How We Use Your Data

Data collected by the App is used solely for:

  • Displaying questions and answers to authorized Confluence users
  • Enabling search and filtering functionality
  • Sending notifications (if configured by administrators)
  • Providing analytics within the App (question counts, popular tags, active users)

Data Retention

  • User-Controlled: All data persists until explicitly deleted by users or administrators
  • No Automatic Deletion: We do not automatically delete or archive data
  • Complete Control: Administrators have full control over data retention policies

Third-Party Integrations

Optional Integrations

The App supports optional integrations configured by administrators:

  • MS Teams Notifications: If configured, question/answer notifications are sent to specified MS Teams channels via webhooks
  • Email Notifications: If configured, notifications are sent via your Confluence instance's SMTP server

Integration Security

  • Outbound Only: Integrations only send data outbound; we never receive data from external services
  • Administrator Controlled: All integrations must be explicitly configured by Confluence administrators
  • Webhook URLs: MS Teams webhook URLs are stored encrypted in the database
  • IP Allowlist Compliance: All outbound requests honor Confluence's IP allowlist configuration

Data Subject Rights

As all data is stored within your Confluence instance, data subject rights (access, rectification, erasure) are handled through:

  • User Access: Users can view, edit, and delete their own questions and answers
  • Administrator Access: Confluence administrators have full access to all App data
  • Data Export: Data can be exported through Confluence's standard backup procedures
  • Data Deletion: Uninstalling the App removes all associated database tables and data

Compliance

The App is designed to support compliance with:

  • GDPR: General Data Protection Regulation
  • SOC 2: Service Organization Control 2 standards
  • Atlassian Security Requirements: Full compliance with Atlassian's Data Center security requirements

Data Breach Notification

In the unlikely event of a security incident or vulnerability:

  • We will notify affected customers within 72 hours of discovery
  • We will notify Atlassian following their incident notification guidelines
  • We will provide detailed information about the incident and remediation steps
  • We will release security patches following Atlassian's security bug fix policy

Changes to This Policy

We may update this Privacy Policy periodically. Changes will be:

  • Posted on this page with an updated "Last Updated" date
  • Communicated to customers through our support channels
  • Effective immediately upon posting

Contact Information

For questions, concerns, or requests regarding data privacy and security:

  • Support Portal: https://zanmind.atlassian.net/servicedesk/customer/portal/1

Connect

  • support@zanmind.co

© 2026 ZanMind. All rights reserved.