top of page

GDPR

Field

Detail

Document ID

BB-PRI-002

Version

3.0

Created

13 Mar 2026

Last Updated

23 Mar 2026

Last Reviewed

23 Mar 2026

Next Review

Mar 2027

Document Owner

BluBees LLC

Classification

Public

Contact

privacy@blubees.ai

Purpose

This policy describes how BluBees LLC processes personal data in connection with its software services and outlines the company's commitments and practices related to the European Union General Data Protection Regulation (GDPR). This policy forms part of the Terms of Service between BluBees LLC and its customers.

Compliance Summary

  • BluBees LLC processes minimal business contact information only.

  • BluBees stores encrypted Integration Credentials (API tokens, OAuth credentials, account identifiers) to maintain customer-configured integrations with third-party services.

  • BluBees stores Configuration Data (workflow definitions, settings, field mappings).

  • BluBees does not store data flowing between customer's third-party services during workflow execution (Pass-Through Data). Such data is transmitted transiently and is not persisted.

  • Account management, billing, and authentication are handled by Atlassian Marketplace.

  • Service infrastructure is hosted on Amazon Web Services (AWS) in the United States.

  • BluBees also operates application logic within the Atlassian Forge environment on Jira Cloud.

1. Scope

This policy applies to the limited business contact information, Integration Credentials, and Configuration Data processed by BluBees LLC in connection with the operation and support of its software-as-a-service (SaaS) application.

BluBees LLC's services are designed to operate with minimal personal data exposure. The Service functions as a workflow automation and integration platform that enables customers to connect virtually any third-party application or AI provider. Data flowing between those third-party services during workflow execution passes through BluBees transiently but is not stored or persisted.

2. Business Operations

BluBees LLC operates as a software-as-a-service (SaaS) provider and provides services to organizations that may be located in the European Union (EU).

As part of normal business operations, BluBees LLC may receive and store limited business contact information related to its clients, including: client name, company name, business address, business email address, business telephone number, and Jira user identifier.

BluBees LLC also stores the following non-personal operational data:

  • Integration Credentials (encrypted): API tokens, OAuth tokens/secrets, account identifiers, domain names, and other authentication information provided by the customer to enable connections with third-party services.

  • Configuration Data: Workflow definitions, automation rules, field mappings, integration settings, and account-level configurations and preferences.

3. Platform Integration (Atlassian)

BluBees LLC's product operates within the Atlassian Jira Cloud platform as a Forge-based application, and client communications and system interactions are first processed through Jira.

All purchases, billing, account management, and primary customer account relationships are handled through Atlassian Marketplace. Atlassian generally acts as the primary platform provider and data controller for account management, authentication, and billing information.

BluBees LLC does not act as the primary data controller for customer accounts created through Atlassian Marketplace.

4. Data That BluBees Does NOT Store

Data flowing between customer's third-party applications and AI providers during workflow execution ("Pass-Through Data") is transmitted transiently through the Service and is not stored or persisted by BluBees. The processing, storage, and terms governing Pass-Through Data are solely between the customer and the applicable third-party service providers.

BluBees LLC does not collect or store: personal login credentials or passwords (managed by Atlassian), financial or payment information (managed by Atlassian Marketplace), IP addresses, geolocation data, browser or device tracking data, behavioral analytics or advertising tracking, or cookies, web beacons, or similar tracking technologies.

BluBees LLC does not sell, share, or disclose client data to third parties for marketing or advertising purposes. BluBees LLC does not perform user profiling, behavioral analytics, advertising tracking, or cross-service monitoring.

5. Third-Party Platform Dependencies

Provider

Role

Location

Atlassian Jira Cloud

Application platform and Forge runtime

Global (Australia-based)

Atlassian Marketplace

Licensing, billing, account management

Global (Australia-based)

Amazon Web Services (AWS)

Cloud infrastructure hosting and compute

United States

Chatlio

Real-time customer support chat (ephemeral)

United States

Note: Third-party applications and AI providers that customers connect to via BluBees are not subprocessors of BluBees.

6. Data Storage and Infrastructure

BluBees LLC stores and processes service data using Amazon Web Services (AWS) cloud infrastructure located in the United States. The application also executes within the Atlassian Forge environment on Jira Cloud.

AWS maintains industry-recognized security certifications including SOC certifications and ISO 27001.

Operational logs, limited Jira platform metadata, encrypted Integration Credentials, and Configuration Data are stored within the BluBees service infrastructure on AWS.

7. Purpose of Data Processing

Client information and Integration Credentials are used solely for: providing application functionality and maintaining configured integrations, authenticating and connecting with customer's third-party services, providing customer support, communicating product updates or service notifications, and communicating service notices, renewal notifications, account information, and other operational communications.

The lawful bases for processing this limited contact information are: legitimate business interests (Art. 6(1)(f) GDPR) and performance of a contract or services requested by the client (Art. 6(1)(b) GDPR).

8. Data Subject Rights

BluBees LLC respects and upholds the data protection rights of individuals under the GDPR, including:

  • Right of access (Art. 15) — to obtain confirmation and a copy of personal data being processed

  • Right to rectification (Art. 16) — to correct inaccurate or incomplete personal data

  • Right to erasure (Art. 17) — to request deletion of personal data where applicable

  • Right to restriction of processing (Art. 18) — to limit how personal data is processed

  • Right to data portability (Art. 20) — to receive personal data in a structured, machine-readable format

  • Right to object (Art. 21) — to object to processing based on legitimate interests

Individuals may submit requests to: privacy@blubees.ai

BluBees LLC will review and respond to such requests in accordance with applicable data protection laws, typically within thirty (30) days.

9. Data Minimization and Retention

BluBees LLC processes only the minimum information necessary to provide its services. Pass-Through Data is transmitted transiently and not stored.

Stored information is retained only for as long as reasonably necessary to: support business operations and maintain configured integrations, comply with legal obligations, and resolve disputes.

Upon termination, personal data, Integration Credentials, and Configuration Data are deleted in accordance with the Data Processing Addendum unless retention is required by applicable law.

10. International Data Transfers

Where personal data originating from the European Union is processed or stored in the United States, BluBees LLC relies on appropriate safeguards implemented by its infrastructure and platform providers, including the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) where applicable.

11. Security and Safeguards

BluBees LLC maintains administrative, technical, and organizational safeguards including: data in transit encrypted using TLS 1.2 or higher, data at rest encrypted using AES-256, Integration Credentials stored in encrypted form, restricted operational access following least-privilege principles, platform-based authentication through Atlassian Jira Cloud, monitoring of service operations and infrastructure access, documented security incident response procedures, backup and disaster recovery procedures, periodic access reviews, and personnel subject to confidentiality obligations.

12. Data Protection Impact Assessments

BluBees LLC will assist customers in conducting Data Protection Impact Assessments (DPIAs) upon reasonable notice, where required under GDPR Article 35.

13. Compliance Alignment

BluBees LLC designs and operates its services using security and privacy practices aligned with: GDPR principles, cloud security best practices, and SOC 2 Type II compliance program (in progress).

14. Policy Review

BluBees LLC will periodically review its business practices and applicable laws and update this policy if operations or legal requirements change. Material changes will be communicated to customers via appropriate channels.

15. Contact

Privacy or data protection inquiries: privacy@blubees.ai

Security-related reports: security@blubees.ai

bottom of page