Privacy Policy

We are committed to upholding your privacy and adhering to the stringent standards set by Atlassian for the protection of personal data.

1. Acknowledgment

By using our Products, you acknowledge that you have reviewed our Terms of Service and this Privacy Policy (Privacy Policy), have the authority to act on behalf of any person for whom you are using the Products, and agree that we may collect, use and transfer your Data in accordance with this Privacy Policy. If you are using our Products on behalf of a company, then you acknowledge that you are binding your company to this Privacy Policy.

This Privacy Policy applies to our Customers. It is the responsibility of the Customer to determine if the Privacy Policy is consistent with its own treatment of end user data.

2. Definitions

  1. Company means Smol Software Pty Limited ABN 27 673 377 289. The terms “we”, “we” and “we” when used in his Privacy Policy are a reference to the Company.

  2. Customer means a direct customer of the Company. The terms “you”, “your” and “ yours” when used in this Privacy Policy are a reference to the Customer.

  3. Data means Personal Information and User Data.

  4. Data Controller has the meaning given in Rec. 22, Art 3(1) of the GPDR, that is, a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Information, where the purposes and means of processing are determined by EU or Member State laws.

  5. Data Subject means an identified or identifiable natural person who is a user of our Product.

  6. GDPR means the European Union General Data Protection Regulation.

  7. Law means all relevant legal and regulatory requirements applicable to you or us (including, for the avoidance of doubt, the Australian Privacy Act 1988 (Cth) and the GDPR).

  8. Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.

  9. Product means software owned, developed and sold by us.

  10. Subprocessor means any processor engaged by us or by any other Subprocessor who agrees to receive from us or from any other Subprocessor, Personal Information exclusively intended for processing activities to be carried out on behalf of you after the transfer in accordance with your instructions, our Terms of Service and this Privacy Policy.

  11. Supervisory Authority means the authority with the primary responsibility for dealing with the relevant data processing activity.

  12. Unsolicited Information includes any unsolicited communications by you to the Company.

  13. User Data means all information collected passively or actively from our Customers that is not Personal Information

3. Collection and use

  1. We process the Data provided by you in accordance with the Privacy Policy and your instructions. We will promptly inform you if we cannot process your Data in accordance with the Privacy Policy.

  2. The processing activities that we undertake include

    1. email notifications of new software versions to contacts;

    2. analysis of Product analytics to understand usage patterns;

  3. You agree that we may collect and use technical data and related information, including without limitation, technical information relating to your device, system, and use of the Product(s), that is gathered periodically to facilitate the provision of software updates, product support, marketing efforts and other services and communications to you related to the Products, including providing you with information about services, features, surveys, newsletters, offers, promotions; providing other news or information about us and our select partners; and sending you technical notices, updates, security alerts, and support and administrative messages. We may use this technical data and related information, as long as it is in a form that does not personally identify you, except to the extent necessary to provide you with support, or communications to improve our products or to provide services or technology to you.

4. Security measures

  1. We have implemented the following security measures:

    1. Two Factor Authentication to access all development and production services;

    2. Use of a password manager, ensuring a unique password is used for each development and production service;

  2. We use a self-assessment approach to ensure compliance with the Privacy Policy. We verify periodically that the Privacy Policy is accurate and comprehensive for the information intended to be covered, prominently displayed, completely implemented, and accessible and in conformity with applicable Laws. We encourage interested parties to contact us with any concerns using the contact information provided.

  3. We will:

    1. restrict access and use of Data to those employees responsible for processing Data to fulfil our obligations under the Privacy Policy; and

    2. maintain a list of our employees that have been granted access to Data.

5. Incident response

Where there has been a security breach, data leakage or Personal Information is lost, destroyed or becomes damaged, corrupted or unusable, we will notify you as soon as practicable.

6. Your obligations

You agree and warrant that:

  1. the processing, including the transfer itself, of Personal Information has been and will continue to be, carried out in accordance with all applicable Laws (and, where applicable, you have notified the Supervisory Authority in your country of such processing);

  2. all Data that you provide on behalf of a Data Subject has been obtained with the informed consent of the Data Subject;

  3. you have assessed our security measures as described in clause 4 and believe our security measures ensure a level of security appropriate to the nature of the Data you provide to us;

  4. you will provide Data Subjects with a copy of the Privacy Policy or a description of our security measures, if requested by the Data Subject;

  5. if applicable, you will deposit a copy of the Privacy Policy with the Supervisory Authority upon request or if such deposit is required under the applicable Laws.

7. Access to Data

  1. Data Subjects have the right to request that we update, correct or, upon request, erase Personal Information in our possession. We will endeavour to provide the requested Personal Information within a reasonable time.

  2. If you request a correction to your Personal Information then we will take reasonable steps to correct that Personal Information.

  3. To guard against fraudulent requests, we will require information to confirm your identity before granting access or making corrections.

  4. We may decline to provide a Data Subject with access to Personal Information including where we determine that the information requested:

    1. may disclose:

      1. the Personal Information of another individual; or

      2. trade secrets or other business confidential information;

    2. is subject to legal professional privilege;

    3. is not readily retrievable and the burden or cost of providing the information would be disproportionate to the nature or value of the information;

    4. does not exist, is not held, or cannot be located by us;

    5. would pose a serious threat to the life, health or safety of any individual, or to public health or safety if it were accessed; or

    6. is not permitted by Law to be accessed.

8. Subprocessing

  1. We will not disclose your Data to any other party other than at your request or in accordance with this clause.

  2. We will share information including Personal Information with our Subprocessors. In addition, Atlassian works with us on certain business-related functions of our Products, such as processing payments. Atlassian has its own privacy policy, which you can find under

  3. There are also a limited number of circumstances in which we may share your Data with third parties. This may be done without further notice to you. These circumstances are:

    1. Legal requirements: We may disclose your Data and any other information if required to do so by law or in good faith belief that such action is necessary to:

      1. comply with a legal obligation;

      2. protect and defend the rights or property of the Company; or

      3. protect against legal liability.

    2. Business transfers and related activities: We may sell, buy, restructure or reorganise our business or assets. In the event of any sale, merger, reorganisation, restructuring, dissolution or similar event involving our business or assets, Personal Information may be part of the transferred assets.

9. Cross-border transfer of data

  1. If you are using our Products in a country other than the United States, your communications will result in the transfer of Data across international boundaries. The countries in which recipients of your Personal Information are likely to be located are the United States, Australia and countries within the European Union.

  2. If you provide Personal Information, you acknowledge and agree that Personal Information may be transferred from your current location to the offices and servers of the Company and Subprocessors located primarily in Australia, the United States and countries within the European Union.

10. Warranties

We warrant that:

  1. you may withdraw your consent for us to process your Data at any time at which time the process under clause 12 will be followed;

  2. we will process your Data in compliance with your instructions and the Privacy Policy. If we cannot provide such compliance for whatever reason, we will inform you promptly of our inability to comply, in which case you are entitled to suspend the transfer of Data and/or terminate your contract with us;

  3. we will not vary or modify clauses of the Privacy Policy without notifying you and obtaining your consent;

  4. we have no reason to believe that any Law prevents us from fulfilling the terms of the Privacy Policy. In the event of a change in the Law that is likely to have a substantial adverse effect on the warranties and obligations provided under the Privacy Policy, we will promptly notify you of the change as soon as we become aware, in which case you are entitled to suspend the transfer of Data and/or terminate your contract us;

  5. we will implement and maintain appropriate technical and organisation measures to meet the requirements of the Australian Privacy Act 1988 (Cth) and the GDPR. This does not alter your own obligations under these legal regimes;

  6. we will only use your Data for the purposes for which it is provided by you;

  7. we will not sell or otherwise redistribute to third parties the Data we collect from you;

  8. we will promptly notify you of:

    1. any legally binding request for disclosure of the Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

    2. any unauthorised access to or disclosure of Personal Information or any circumstances that are likely to give rise to such unauthorised access or disclosure, where there is a likely risk of serious harm to any Data Subject as a result of the unauthorised access or disclosure; and

    3. any request received directly from one of your customers or a Data Subject, without responding to that request, unless we have been otherwise authorised by you to do so;

  9. we will deal promptly and properly with all inquiries from you relating to the processing of your Data and we will abide by the advice of any Supervisory Authority with regard to the processing of the Data transferred; and

  10. the processing services by any Subprocessor will be carried out in accordance with clause 19.

11. Survival

The Privacy Policy will survive termination of the Terms of Service and will remain in effect until we have deleted all of your Data.

12. Termination

On termination, you will have the choice of having all Data transferred to you or the Data being destroyed, unless Laws imposed on us prevent us from returning or destroying all or part of the Data. If we cannot return or destroy the Data, we warrant that we will guarantee the confidentiality of the Data and will not actively process the Data after termination.

13. Audit of measures

  1. Where you are required by a Supervisory Authority to demonstrate compliance with privacy obligations, we allow and contribute to audits, including inspections.

  2. We will submit our data processing facilities for an audit of the measures referred to in clause 13(1) at the request of you and/or the Supervisory Authority.

14. Unsolicited information

  1. If you submit unsolicited User Data, we will use it in accordance with the Privacy Policy.

  2. If you submit unsolicited Personal Information and we determine that we could not have collected the Personal Information in accordance with the Privacy Policy, we will destroy the information or ensure that the information is de-identified as soon as practicable. Otherwise, the Personal Information will be used in accordance with the Privacy Policy.

15. European Union General Data Protection Regulation

  1. Clauses 16 to 20 apply only if you are a Data Controller.

  2. If you are a Data Controller, clause 21 will not apply and instead the Privacy Policy will be governed by the law of the country in which you reside or are incorporated.

16. Notifying the data protection authority

In the event that you receive a notification from us or any Subprocessor under clause 10(4) or 13(3), you must forward such notification to the Supervisory Authority if you decide to continue the transfer of Personal Information or to lift the suspension.

17. Liability

  1. Any Data Subject who has suffered damage as a result of any breach of the obligations referred to in clause 19 by us, a Subprocessor or yourself, is entitled to receive compensation from you for the damage suffered.

  2. Where either the Company or a Subprocessor has breached the obligations referred to in clause 19 and a Data Subject is unable to bring a claim for compensation in accordance with clause 19(1) because you have disappeared, ceased to exist in Law, or have become insolvent, the Data Subject may issue a claim against us, unless any successor entity has assumed your entire legal obligations by contract or by operation of law, in which case the Data Subject can enforce its rights against the successor entity.

18. Mediation and jurisdiction

  1. If the Data Subject invokes third-party beneficiary rights and/or claims compensation for damages under the Privacy Policy, we will accept the decision of the Data Subject to:

    1. refer the dispute to mediation, by an independent person or, where applicable, by the Supervisory Authority; or

    2. refer the dispute to the courts in your country.

  2. The choice made by the Data Subject will not prejudice their substantive or procedural rights to seek remedies in accordance with other provisions of Law.

19. GDPR-compliant subprocessing

  1. In addition to our obligations under clause 8, we will not subcontract any of our processing operations performed on your behalf without your prior written consent.

  2. Where a Subprocessor is engaged to process your Data in accordance with clause 19(1), we will enter into a written agreement with the Subprocessor. A copy of this written agreement will be provided to you. Where the Subprocessor fails to fulfil its data protection obligations under the written agreement, we will remain fully liable to you for the performance of the Subprocessor’s obligations under such agreement.

  3. The prior written agreement between the Company and the Subprocessor will provide for:

    1. the imposition of the same obligations on the Subprocessor as are imposed on us under the Privacy Policy, as applicable;

    2. if a Data Subject is not able to bring a claim against you or us as referred to in clause 17, arising out of a breach by the Subprocessor of any of its obligations referred to in the Privacy Policy because both you and the Company have disappeared, ceased to exist in Law or become insolvent, the Data Subject may issue a claim against the Subprocessor (unless any successor entity has assumed all of your or our legal obligations by contract or by operation of law as a result of which it takes on your or our rights and obligations in which case the Data Subject can enforce its rights against such entity). The liability of the Subprocessor will be limited to its own processing operations under the Privacy Policy;

    3. the Supervisory Authority’s right to conduct an audit of the Subprocessor; and

    4. the Subprocessor’s warranty that upon the request of you and/or the Supervisory Authority, it will submit its data processing facilities for an audit of the measures referred to in clause 13(1).

20. Your obligations under GDPR

As a condition of our provision of the Products to you, you agree to comply with all of your obligations under the GDPR.

21. Jurisdiction

Other than in accordance with clause 15(2), the Privacy Policy is governed by and construed in accordance with the laws of the State of New South Wales, Australia. You agree to submit any dispute arising out of your use of the Products to the exclusive jurisdiction of the State of New South Wales.

22. Making a complaint

You are entitled to lodge a complaint about our treatment of your Data with the relevant Supervisory Authority.

Before lodging a complaint with a Supervisory Authority, we encourage you to first attempt to resolve the complaint by contacting us using the details below. We will respond to your complaint within 30 days.

23. Changes to this Privacy Policy

We may update Our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Last updated