Privacy Policy

Last updated: 29 May 2026

ScrumVote ("we", "our", "us") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, and what rights you have under the General Data Protection Regulation (GDPR) and other applicable data protection laws.

By using ScrumVote at scrumvote.com, you acknowledge that you have read and understood this policy.

1. Who is the Data Controller?

ScrumVote is the data controller responsible for your personal data. If you have any questions about this policy or wish to exercise your rights, you can contact us at:

Email: privacy@scrumvote.com

2. What Data We Collect

We collect and process the following categories of personal data:

  • Account data: your name and email address, collected when you register.
  • Authentication data: hashed passwords or OAuth tokens (e.g. from Jira) used to authenticate you.
  • Usage data: session activity, votes submitted, tickets estimated, and team memberships — necessary to provide the service.
  • Technical data: IP address, browser type, and request logs collected automatically for security and rate-limiting purposes.

We do not collect sensitive personal data (such as health, racial, or financial data) and we do not use cookies for advertising or tracking purposes.

3. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR): to provide and operate the ScrumVote service you have signed up for.
  • Legitimate interests (Art. 6(1)(f) GDPR): to maintain the security of the platform, prevent abuse, and improve our service.
  • Compliance with legal obligations (Art. 6(1)(c) GDPR): where we are required to retain data by law.

4. How We Use Your Data

We use your personal data solely to:

  • Create and manage your account.
  • Provide and operate the planning poker session functionality.
  • Send transactional emails (e.g. account activation, password reset).
  • Maintain the security of the platform and prevent unauthorised access.
  • Comply with legal obligations.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Third-Party Services

We use a limited number of third-party services to operate the platform:

  • Jira (Atlassian): if you connect your Jira account, we store OAuth tokens on your behalf to import tickets and sync estimates. We access only the Jira data you authorise.
  • Email provider: we use a transactional email service to send account-related emails. Your email address is shared only for this purpose.
  • Hosting provider: your data is stored on servers within the European Economic Area (EEA).

All third-party processors are bound by data processing agreements and may not use your data for their own purposes.

6. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, your personal data (name, email, votes, sessions) is deleted within 30 days, except where we are required to retain it by law or for the resolution of disputes.

Technical logs (IP addresses) are retained for a maximum of 90 days for security purposes.

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15): you can request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): you can ask us to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): you can ask us to delete your personal data ("right to be forgotten").
  • Right to restriction of processing (Art. 18): you can ask us to limit how we use your data.
  • Right to data portability (Art. 20): you can request your data in a structured, machine-readable format.
  • Right to object (Art. 21): you can object to processing based on legitimate interests.

To exercise any of these rights, email us at privacy@scrumvote.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encrypted connections (HTTPS), hashed passwords, rate limiting, and restricted access to production systems.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Art. 34 GDPR.

9. International Transfers

Your personal data is stored and processed within the EEA. If any transfer outside the EEA becomes necessary, we will ensure it is protected by appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email and update the "last updated" date at the top of this page. Continued use of the service after such notice constitutes acceptance of the updated policy.

11. Contact

For any questions about this Privacy Policy or your personal data, please contact us at privacy@scrumvote.com.