/
Privacy Policy

Privacy Policy

 Last updated on  14. August 2024.

  

Welcome to Stratus’ Privacy Policy!  

Within our Applications (Apps), we pay great attention to protecting the privacy of all our Users. For this reason, we have adopted this document, which contains answers to questions relevant to the protection and use of your Data, information about your rights, and how you can exercise them. Please read it carefully. 

 

Please note that this Privacy Policy applies to personal data that is collected and processed in connection with the use of Apps and in the course of providing Service (as defined in the Section 1 of this Privacy Policy) by Stratus Add-ons DOO NOVI SAD, with registered seat at Pariske komune 6, 21000 Novi Sad, Serbia, CIN: 21572462, TIN: 111926376, (hereinafter: “Stratus”, or “we”). 

 Stratus, as a Data Controller or Data Processor (as explained below), collects and processes personal data relating to the usage of the Apps (as defined in Section 1 of this Privacy Policy). This Privacy Policy describes how Stratus uses and protects any information that you share with us in relation to our Apps. 

 We believe in full transparency, which is why we keep our Privacy Policy simple and easy to understand. 

 We strongly urge you to read this Privacy Policy and make sure that you fully understand and agree with it. If you do not agree to this Privacy Policy, please do not access, or otherwise use Apps. In case there is anything that you would like to ask us regarding this Privacy Policy, please send your inquiry to suppor​t@stratus-addons.com.​ 

 Along with the EULA (End-user Licence Agreement), Support Terms and Service Level Agreement and Security Bugfix Policy, this Privacy Policy represents a contract between you and Stratus (hereinafter: “Agreement”). Any capitalized term in this Privacy Policy shall have the meaning given to it in the Definitions Section. 

 

​​​CONTENT  

  1. DEFINITIONS 

  1. DATA CONTROLLER AND DATA PROCESSOR 

  1. WHAT DATA DO WE PROCESS ABOUT YOU AND WHEN? 

  1. WHAT DO WE NOT DO? 

  1. PERSONAL DATA SECURITY 

  1. WITH WHOM DO WE SHARE YOUR PERSONAL DATA? 

  1. INTERNATIONAL TRANSFER OF YOUR PERSONAL DATA 

  1. HOW LONG DO WE KEEP YOUR DATA? 

  1. YOUR RIGHTS 

  1. CHANGES TO PRIVACY POLICY 

  

  1. DEFINITIONS 

 

TERM 

MEANING 

Applications or Apps 

 

Applications (plug-ins) developed and provided by Stratus and which are used to generate diagrams based on User input. This includes and is limited to the following applications: PlantUML Diagrams for Confluence and Mermaid Diagrams for Confluence 

Atlassian Marketplace 

 

An online marketplace for cloud and downloadable software applications, plugins and extensions, including but not limited to the Applications. Atlassian Marketplace is owned by Atlassian Pty Ltd, an Australian corporation (ABN 53 102 443 916) and available at: Collaboration software for software, IT and business teams

Client 

 

User who is paying for the Service (except in case of a free subscription plan) and who is inviting and enabling other Users to use Applications. 

 

Consent 

 

 

Explicit consent on the processing of personal data, given in accordance with all applicable privacy and data protection laws and regulations regarding consent for the processing of personal data, including for the processing of data from underage users.  

Cookies 

 

Cookies and other similar technologies (e.g. web beacons, LocalStorage, etc.) are small pieces of data stored on your device (computer or mobile device). This information is used to track your use of the Applications and to compile statistical reports on Application activity. 

Data Controller 

 

An entity that alone or jointly with others determines the purposes and means of the processing of personal data. 

Data Processor   

Any natural or legal person who processes the data on behalf of the controller. 

Data Protection Law 

 

a) Law on Personal Data Protection of the Republic of Serbia ("Official Gazette of RS", No. 87/2018") 

and / or 

b) General Data Protection Regulation 2016/679. 

Data Subject, User or you 

 

 

Any natural person who shares personal data with us via Applications, or in relation to Applications and Service (e.g. via payment or email). This includes both Client and other Users added to the Applications by Client. 

Personal data or data 

 

Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, either directly or indirectly. Therefore, data about a company or any legal entity is not considered to be personal data but registering on behalf of a legal entity may include sharing personal data. For example, information about one-person companies may constitute personal data where it allows the identification of a natural person. The rules also apply to all personal data relating to natural persons in the course of professional activity, such as the employees of a company or organization, and business e-mail addresses like “firstname.surname@company.com”. This Privacy Policy does not apply to information from which no individual can reasonably be identified (anonymized information). 

Processing  

Any operation or set of operations that is performed on personal data or sets of personal data. This includes activities such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. 

Service 

 

 

Making Apps available to Users in full or in part, including any updates, upgrades, enhancements, modifications, new features, programs and tools. 

  

  1. DATA CONTROLLER AND DATA PROCESSOR  

In relation to your personal data processed via the Applications, Stratus may be either a Data Controller or Data Processor.   

When Stratus acts in the capacity of a Data Controller, Stratus determines the purposes and means of the processing of personal data. The purpose of data processing is the reason why we process your personal data. The table in Section 3.1 of the Privacy Policy presents the purposes and legal basis for data processing. In those cases, Stratus is responsible for your personal data.  

 If Stratus is processing your data in the capacity of a Data Controller, should you have any inquiries, or you wish to exercise any of the rights of a Data Subject stipulated in Section 9, please contact us:  

  • Stratus add-ons DOO NOVI SAD 

  • Pariske komune 6, 21000 Novi Sad, Republika Srbija 

  • Email: ​support@stratus-addons.com.​  

In relation to the usage of Apps itself, Stratus will primarily process your data in the capacity of a Data Processor. Given that Stratus strongly supports fair personal data processing, despite being only a Data Processor in the below-listed cases, Stratus made an additional effort to explain such personal data processing via Applications - in Section 3.2 of this Privacy Policy. The information contained therein outlines how personal data processing via Apps functions in general, but if you wish to send an inquiry, or exercise any of the rights that you may have under the applicable data protection law as the Data Subject, please contact the Client directly, as they hold the position of Data Controller.  

Since Stratus is a company operating under Data Protection Law, Stratus as a Data Processor is obliged to sign the Data Processing Addendum (hereinafter: “DPA”) with Clients as Data Controllers, in relation to the provision of the Services. The DPA reflects the agreement between Client and Stratus regarding the terms that govern the processing of personal data in relation to the use of Apps and Stratus’ Service. Signing the DPA will be considered as an amendment to the Agreement and will be considered to form a part of the Agreement. The DPA includes the Standard Contractual Clauses adopted by the European Commission and Standard Contractual Clauses adopted by the Commissioner for information of public importance and personal data protection of the Republic of Serbia, as applicable. 

  

  1. WHAT DATA DO WE PROCESS ABOUT YOU AND WHEN?  

We may collect and receive information about you in various ways:  

  • Information you provide through the use of Applications (for example, entering information containing personal data in order to create diagrams).  

  • Information we obtain regarding paid fees and subscription for the use of the Applications.  

  • Information you decide to provide through getting in touch with us.  

  • Information we process while providing Users with technical support upon their request. 

  

  1.  STRATUS AS DATA CONTROLLER 

 

DATA WE COLLECT 

PURPOSE 

LEGAL BASIS 

 RETENTION PERIOD 

 

Client’s full name, country and region, host entitlement number, App entitlement number, Licence ID, Internal ID, email address, time of the installation or deinstallation of the Apps. 

Managing subscriptions/accounts on Applications. 

Processing is necessary for the performance of the Agreement. 

Five years after the Client ceases using the application, unless there is a statutory obligation to retain the data for a longer period. 

​​​​​​​Payment data of the Service-related fees 
 
Client name, sale date, sale type, Sale price, Order ID, hosting type, contact information (email), Client location, payment document number, maintenance period, subscription package, tier (number of allowed Users per Client’s account). 

   

Since Clients pay a monthly or yearly subscription for Apps it is necessary to process data in order to determine Client’s right to use the Service and the extent of that right. This Data is primarily collected by Atlassian. 

This processing is necessary for the provision of Services and is done at your request. 

Five years after the Client ceases using the application, unless there is a statutory obligation to retain the data for a longer period.. 

Voluntarily provided Data 
 
i.e., data you decide to share with us by contacting us. 

If you send us an inquiry or otherwise request support, we will collect the data you decide to share with us. 

Processing of personal data is either necessary to provide a Service or part thereof or the processing is based on your consent. 

If the processing is based on your consent, we keep the information until you withdraw your consent or for one year, whichever date comes first. 

Information necessary for identification 

To allow Data Subjects to exercise their rights in accordance with this Privacy Policy, as defined in Section 9. 

Processing is necessary for compliance with a legal obligation to which the Data Controller is subject. 

We keep this information for a period of one year. 

Other personal data 

For the prevention and detection of fraud, money laundering or other crimes or to respond to a binding request from a public authority or court. 

The processing is necessary to comply with legal and regulatory obligations. 

In accordance with the applicable statutory deadlines. 

 

  1.  STRATUS AS DATA PROCESSOR  

 In most cases, we will act as Data Processors. 

 As previously stated, concerning some of your personal data processed on the Applications, Stratus is a Data Processor, and the Client is the Data Controller. Stratus processes personal data following instructions from the Data Controller under the Agreement and DPA. The purpose of such personal data processing includes but is not limited to using the functionalities of the Application (eg. generating diagrams), and provision of technical support by Stratus. 

 As a processor, Stratus is permitted to collect, use, disclose and/or otherwise process your personal data only in accordance with its agreements with the Client. 

 

3.2.1 Processing during the Usage of the Applications  

  1. Personal data uploaded while using Applications’ functionalities 

 Your data will be processed in case you share personal data while using the functionalities of the Applications (for example when the text you chose to turn into a graph or diagram contains personal data). Since the functionalities of the Apps provide a number of possibilities for the Users to insert different types of Personal Data, it is not possible to determine the precise list of types of Personal Data. 

 

  1. Personal data processed while providing customer support 

 Your data may be processed in case the User requests customer support in relation to the Applications and Services. In case customer support is needed, the User can anonymously report an issue via the JIRA software within the Atlassian platform. However, the User may voluntarily disclose their contact information to the Processor, such as name, surname, email address, App-related ID numbers and similar details. Additionally, to enable the provision of customer support, the User can send the Processor diagrams created within the Apps, which may contain Personal Data, the entire page containing such a diagram, error message logs, as well as screenshots/screen-recording, and thus the Processor may come into contact with Personal Data. After the completion of customer support, the Processor does not retain Personal Data collected in this manner. 

 

  1. WHAT DO WE NOT DO? 

 Stratus will never:  

  • Sell any kind of personal information or data. 

  • Disclose this information to marketers or third parties not specified in Section 6 of the Privacy Policy. 

  • Process your data in any way other than stated in this Privacy Policy. 

 

  1. PERSONAL DATA SECURITY 

 We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to your personal information to those employees and contractors who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. 

 We train employees regarding our data privacy policies and procedures, and permit authorised employees and staff to access information on a need to know basis, as required for their role. We use firewalls designed to protect against intruders, test for network vulnerabilities and use encryption for data at rest and data in transmission. However, no method of transmission over the internet or method of electronic storage is completely secure. 

Your information related to the usage of Apps is saved on Atlassian Marketplace’s servers as explained in more detail on the following link: Understand data residency | Atlassian Support

 Remember – all information you submit to us by email is never completely secure, so we advise you not to send sensitive information in any email to Stratus or to anonymize data before its submission.   

 

  1. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?  

Stratus may utilize external processors and sub-processors or other data controllers for certain processing activities. We conduct information audits to identify, categorize and record all personal data that is processed outside our company so that the information, processing activity, processor, and legal basis are all recorded, reviewed, and easily accessible.   

We have strict due diligence procedures and measures in place and review, assess and background check all processors prior to forming a business relationship. We obtain company documents, certifications, and references and ensure that the (sub)processor is adequate, appropriate, and effective for the task we are employing them for.  

This is the list of data recipients with whom we share your personal data: 

 

INDEPENDENT DATA CONTROLLER 

 

ROLE 

 

SEAT 

 

Atlassian Pty Ltd 

Online marketplace for Apps 

Sydney, Australia 

  

DATA PROCESSOR 

 

ROLE 

 

SEAT 

 

 

 

 

 

SUB-PROCESSOR 

 

ROLE 

 

SEAT 

 

CyberLynk 

 Cloud Server Service Provider for PlantUML 

Phoenix, Arizona, USA 

Google, Inc. 

Cloud Server Service Provider for PlantUML and Mermaid 

California, USA 

  Since our Apps are available via Atlassian Marketplace, please note that Atlassian Marketplace may have access to your account and information about you like your name and email address, and any content you choose to use in connection with those apps.  Atlassian Marketplace policies and procedures are not controlled by us, and this privacy policy does not cover how they use your information. We encourage you to review the Atlassian Marketplace privacy policies to learn more about their privacy and information handling practices. 

 We may also share your personal data with our outside accountants, legal counsels, and auditors. 

 Moreover, we may disclose your personal information to third parties:  

  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation; 

  • to prevent and detect fraud or crime; 

  • in response to a subpoena, warrant, court order, or as otherwise required by law.  

Please note that personal information may be disclosed or transferred as part of, or during negotiations of, a merger, consolidation, sale of our assets, as well as equity financing, acquisition, strategic alliance or in any other situation where personal information may be transferred as one of the business assets of Stratus.  

We do not have a list of all third parties we share your data with. However, if you would like further information about who we have shared your data with, you can request this by contacting us at ​support@stratus-addons.com​  

 

  1. INTERNATIONAL TRANSFER OF YOUR PERSONAL DATA  

Given that Stratus is registered and operating in the Republic of Serbia, your data will be  transferred to the Republic of Serbia. In that case, we will also apply appropriate technical and organizational measures to ensure an adequate level of security in respect of all personal data we process. If the Data Protection  Law applies to you, we make sure that such transfer is made by applying the appropriate safeguard measures (such as Standard Contractual Clauses adopted by the European Commission).  

If you would like to obtain more information about these protective measures, please contact us at ​support@stratus-addons.com.​  

Kindly note that for all transfers made by other data controllers (e.g., Atlassian Marketplace or Client), it is necessary to consult the privacy policies of those controllers.  

Your personal data is stored on Atlassian Marketplace’s servers. More information about the location of these servers can be found at the following link: Understand data residency | Atlassian Support .   

 

  1. HOW LONG DO WE KEEP YOUR DATA?  

We do not retain collected Data longer than necessary to fulfill the purpose for which they were collected, or longer than the retention period for which we have your consent, as further described in section 3 of this Privacy Policy.  

When determining the data retention period, we take into account relevant regulations, contractual obligations, as well as the expectations and requirements of our clients and business partners. If the Data are no longer needed, or if you explicitly request that the collected Data about you be deleted, provided that such deletion is permitted by law, we will delete or destroy the collected Data in accordance with applicable law and our internal procedures.  

However, as an exception to the data retention periods in Section 3, data may be processed longer for the purpose of submitting, enforcing, or defending a legal claim or counterclaim.  

Furthermore, if a specific imperative regulation defines the obligation to retain certain data for a period longer than stated in Section 3, we are obliged to retain the data within that period.  

 

  1. YOUR RIGHTS  

Given that fairness and transparency are our cornerstone principles, we wanted to remind you of the rights that you have as a Data Subject. These rights may be exercised by Data Subject when Stratus operates as a Data Controller.  

If your inquiry or exercise of any of the Data Subject's rights relates to the data processed by the Client or Atlassian Marketplace as a Data Controller as explained in Section 3.2 of the Privacy Policy, please contact the Data Controller.  

In the event Stratus receives a request for exercising any of these rights directly from a Data Subject, we are obliged to notify the Data Controller before responding to such a request.   

Right of Access 

 You can send us a request for a copy of the personal data we hold about you. 

 We have ensured that appropriate measures have been taken to provide such in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Such information is provided in writing free of charge. It may be provided by other means when authorized by the Data Subject and with prior verification as to the subject's identity. 

 Information is provided to the Data Subject at the earliest convenience, but at a maximum of 30 days from the date the request was received. Where the provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months where necessary.

Right to Object to Processing 

 You have the right to object to the processing of your personal data where that processing is being undertaken based on the Data Controller’s legitimate interest. In such a case the Data Controller is required to cease processing your data unless they can demonstrate adequate grounds that override your objection.  

Right to Correction of Your Personal Data   

If your personal data processed by the Data Controller is incorrect, you have the right to request that we correct those data.  When notified of inaccurate data by the Data Subject, we will rectify the error within 30 days and inform any third party of the rectification if we have disclosed the personal data in question to them.  

Right to Erasure   

You have the right to request that your personal data is deleted in certain circumstances, such as: 

  • The personal data are no longer needed for the purpose for which they were collected; 

  • You withdraw your consent (where the processing was based on consent); 

  • You object to the processing and no overriding legitimate grounds are justifying processing the personal data;  

  • The personal data have been unlawfully processed; or 

  • To comply with a legal obligation.  

However, this right does not apply where, for example, the processing is necessary:  

  • To comply with our legal obligation (such as, for example, compliance with retention periods from applicable clinical trials rules and regulations); or 

  • For the establishment, exercise, or defense of legal claims.  

​​​​​​​​​​​ If you decide to use your right to erasure, as a processor we have an obligation to notify the controller about your request and ask for the instructions. Only after the controller approves, we are authorized to erase your personal data.  

Right to Restriction of Processing   

You can exercise your right to the restriction of processing in the following situations: 

 if the accuracy of the personal data is contested, 

  • you consider the processing unlawful, but you do not want your personal data to be erased,  

  • we no longer need the personal data, but you require it for the establishment, exercise or defense of legal claims or you have objected to the processing and verification.  

Right to Data Portability   

Where you have provided personal data to us, you have the right to receive such personal data back in a structured, commonly used and machine-readable format, and to have those data transmitted to a third-party without hindrance, but in each case only where:  

  • The processing is carried out by automated means; and 

  • The processing is based on your consent or the performance of a contract with you.  

Right to Withdraw the Consent   

If you have provided your consent to the collection, processing, and transfer of your personal data, you have the right to fully or partly withdraw your consent. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there is another legal ground for the processing.  

Right to Lodge a Complaint  

If you have any concerns or requests in relation to your personal data, please contact us at support@stratus-addons.com and we will respond as soon as possible but not later than 30 days.   

If you are unsatisfied with our response, you may also contact the competent supervisory authority in your country of residency or Serbian Commissioner for information of public importance and personal data protection, 15 Bulevar kralja Aleksandra street, Belgrade 11120, telephone number: +381 11 3408 900, e-mail: оffice@poverenik.rs, website: Home - Commissioner for Information of Public Importance and Personal Data Protection .  

 

  1. CHANGES TO OUR PRIVACY POLICY    

Any changes we may make to our Privacy Policy will be posted on this page and where appropriate may be notified to you by email or posted on our website. If you continue with the use of the Applications after the changes were implemented, that will signify that you agree to any such changes.