Privacy policy
Last updated: 2026-05-07
What this is
Probably Five is an async pre-sprint estimation tool that integrates with Atlassian Jira and Slack. To do that, we read information about you from Atlassian (so we know who you are and what tickets you can estimate) and we record information you generate inside the app (estimates, comments, reactions). This page lists exactly what we collect, why, how long we keep it, and how to request access or deletion.
Who we are
Probably Five is operated by Probably Five. Contact: help@probablyfive.com.
Data we collect from Atlassian on sign-in
When you sign in with Atlassian via OAuth 2.0, we receive and store the following from your Atlassian account:
- account_id — your durable Atlassian identifier. The only field we treat as the canonical "who is this."
- email — when your Atlassian email visibility allows it. May be null; the app continues to work without it.
- name (display name) — for chip rendering and Slack DM bodies.
- picture (avatar URL) — for participant chips.
- cloud_id + the vanity host of your Atlassian site — for building /browse/<ticket-key> deep links.
- OAuth refresh + access tokens, encrypted at rest with AES-256-GCM, AAD-bound to your user id. Used to query Jira tickets on your behalf during typeahead and queue refresh. Never shared, never logged, automatically rotated by Atlassian's refresh-token rotation policy.
Data we collect from Slack
When the bot is added to a workspace channel, we record:
- Your slack_user_id — looked up by email so we can DM you nudges and review notifications. Only resolved when your Atlassian email is visible.
- Slack channel id + thread ts values for any session you connect to a channel. Used to keep estimation discussion in one threaded place rather than spamming the channel.
We do not read messages in your Slack workspace beyond replies in threads we ourselves opened, and only via Slack's conversations.replies API limited to threads tied to a session.
Data the app generates from your activity
- Estimates — the numeric value you submitted for each ticket, plus the user_agent string of the browser that submitted it (useful for debugging). Visible to other estimators only after the team-wide reveal.
- Session participation — your role in each session (estimator, observer), and whether you've been removed.
- PRD review activity — when the PRD-reviewer feature is enabled for your workspace: comments you write, reactions you add, the assignment status you flip your reviews to, and which teammates you @-mention.
- Audit log — every state-changing action you take (joining a session, submitting an estimate, posting a comment, closing a session, etc.) plus a JSON snapshot of the action's parameters. Used for incident-response and SOC 2-aligned audit retention.
- Outbox / nudge log — short-lived records of Slack messages we sent on your behalf (for retry on transient Slack failures and for 24-hour de-duplication of nudges).
Why we collect each thing
- Identity (account_id, email, name, avatar): so the app knows who you are and renders your chip correctly.
- OAuth tokens: so the Jira typeahead can search your tickets.
- Slack id + thread ts: so DMs and discussion posting work.
- Estimates + session data: this is the product itself.
- Audit log: required by our security framework (SOC 2-aligned audit retention) and by the Atlassian Personal Data Reporting API contract for traceability of deletion events.
Retention
- Active sessions are kept indefinitely so you can revisit recent grooming sessions; closed sessions remain readable to participants.
- Audit log is retained for 7 years per our audit-retention policy. Rows older than 30 days are exported nightly to a Glacier Deep Archive S3 bucket and aged out of the primary database. The archive is immutable; deletion requests don't rewrite archived bytes — see "Right to deletion" below for how that's reconciled.
- Stub users (people invited via email who never signed in) are deleted automatically after 30 days of inactivity by an automated cron.
- Slack outbox / nudge log are pruned by the periodic cleanup job once Slack has confirmed delivery (typically < 30 days).
- OAuth refresh tokens rotate per Atlassian's policy; expired tokens are NULL'd on next sign-in.
Sharing
We do not sell or share your data with third parties for advertising, profiling, or analytics. The only outbound data flows are to Atlassian (when we query Jira on your behalf with your own OAuth token) and Slack (when we DM you or post to a thread you've connected to a session). Both are functional integrations you've authorized by signing in / by inviting the bot to a channel.
Right to access
Email help@probablyfive.com from the address tied to your Atlassian account and we'll send you a structured export of every record we hold linked to your account_id. This is the same shape Atlassian's Personal Data Reporting API /report endpoint returns programmatically.
Right to deletion (Atlassian Personal Data Reporting API)
We implement the Atlassian Personal Data Reporting API endpoints required of apps that store data about Atlassian users:
- POST /api/atlassian/personal-data/report — returns a structured export of every record we hold for a given accountId.
- POST /api/atlassian/personal-data/mark-for-deletion — flags a user for upcoming deletion.
- POST /api/atlassian/personal-data/delete — performs the deletion.
Endpoints are authenticated via a shared secret and rate-limited per IP.
Deletion uses an anonymize-not-hard-delete approach to reconcile our audit-retention requirement with your right to erasure: directly-identifying columns (email, display name, avatar, Slack id) are NULL'd; the Atlassian account_id is replaced with a synthetic non-identifying value; PRD review comment bodies you authored are replaced with a redaction marker; audit-log rows have PII fields stripped from the JSON details payload while preserving the action shape. A tombstone records the (original_account_id → synthetic_user_id) mapping so Atlassian's /report contract continues to return a coherent shape after deletion.
The 7-year archived audit-log JSONL files in S3 are immutable (Glacier Deep Archive). To honor deletion against archived data without rewriting it, every deletion writes a redaction record to a sidecar JSONL file shipped alongside the archive; the restore-drill reader applies redactions inline at read time.
To request deletion, email help@probablyfive.com or, if your Atlassian admin filed a request via Atlassian's reporting pipeline, that flows through automatically.
Security
- All traffic over HTTPS with HSTS preload, X-Frame-Options DENY, strict CSP, and a hardened set of response headers.
- OAuth refresh + access tokens encrypted at rest with AES-256-GCM, AAD-bound to your user id. Never logged.
- Postgres connections require sslmode=require.
- Per-tenant isolation enforced both at the application layer and by Postgres Row-Level Security on every domain table — defense in depth so a query bug can't leak across workspaces.
Changes
If we materially change what we collect or how we use it, we'll update the "last updated" date at the top of this page and, where the change is significant, surface a notice in the app on your next sign-in.
Contact
help@probablyfive.com for privacy questions, data access, or deletion requests.