Privacy Policy

Revenue Mechanics LLC (“we,” “us,” or “our”) operates the TrueStory application and the revmech.ai website (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

1.1 Information You Provide

• Early access and support contact information: When you register for early access or contact us, we collect your name, email address, company name, and job title.
• Communication data: When you email us or submit a form, we retain the content of those communications.

1.2 Information Collected Through the Service

• Jira issue descriptions: TrueStory reads Jira issue descriptions (acceptance criteria text) to generate verification specs. TrueStory does not intentionally store Jira issue text in Forge Storage or any Revenue Mechanics LLC system. Jira issue text is processed transiently in the Forge runtime. Note that Atlassian's platform infrastructure may produce its own operational logs or caching independently of our application code.
• Salesforce metadata: TrueStory queries your Salesforce org's metadata (object schemas, field definitions, validation rules, page layouts) via the Tooling API and REST describe endpoints. A metadata index mapping field labels to API names is cached in Forge Storage, scoped to your Jira Cloud site.
• Behavioral test records: TrueStory may create temporary test records in your Salesforce org to verify validation rules and field constraints, and may update those records during the test workflow (for example, to test conditional validation rules). Where supported by the object, test records are marked with a [TRUESTORY-TEST] identifier in the Name field or another standard text field, depending on the object type. Test records are automatically deleted after each test run on a best-effort basis. No test data is stored by Revenue Mechanics LLC — all records exist only in your Salesforce org during testing.
• Verification results: Each verification run stores requirement identifiers and outcomes, plus minimal diagnostic metadata (such as the check type, target component, and a brief status description). Up to 50 verification runs are retained per Jira issue in Forge Storage. Verification results do not store full Jira issue descriptions or full Salesforce metadata dumps. This data is scoped to your Jira Cloud site and is accessible to authorized users within your Jira site, as determined by your Jira permissions, and the TrueStory app running within that site. Revenue Mechanics LLC does not operate an external database containing this data and does not access your Forge Storage tenant data unless you explicitly provide it to us for support purposes (for example, by exporting and sending logs or screenshots).

1.3 Jira Forge Permissions

TrueStory requests the following Jira Cloud permissions through the Atlassian Forge platform:

• Read Jira issue data: TrueStory reads issue descriptions (acceptance criteria) and issue metadata (key, summary, status) to generate verification specs. TrueStory does not read or access other Jira data such as attachments, worklogs, or private comments.
• Write Jira comments: When you choose to post a verification report, TrueStory creates a comment on the Jira issue. Comments are only created when you explicitly click “Post to Jira” — never automatically.
• Forge Storage: TrueStory uses Forge Storage (scoped to your Jira Cloud site) to store OAuth tokens (encrypted), metadata indexes, verification results, and dashboard configuration. This data is automatically deleted when TrueStory is uninstalled from your Jira site, per Atlassian Forge's platform uninstall behavior.

In the Standard tier, TrueStory does not use AI, machine learning, or large language models. All constraint detection, check generation, and report narration are deterministic and rule-based.

The Pro tier offers optional AI-powered analysis via a Bring Your Own Key (BYOK) model. If you configure an AI API key (Anthropic, OpenAI, or Google), TrueStory sends story context to your chosen provider using your own API key. This is entirely opt-in. No AI processing occurs unless you explicitly configure a key. Your API key is stored encrypted in Forge Storage, scoped to your Jira site. Revenue Mechanics LLC does not proxy, log, or retain AI request or response content.

No data is sent to analytics platforms, advertising services, or data enrichment providers.

1.4 Automatically Collected Information

TrueStory does not use analytics tools, tracking pixels, or telemetry. We do not collect usage analytics through the Jira application.

Our website (revmech.ai) does not currently use cookies or analytics tools. Our website hosting provider may collect standard server logs (for example, IP address and user agent) for security and reliability purposes. If we introduce analytics in the future, we will update this Privacy Policy and provide appropriate notice.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Respond to your inquiries and support requests
• Send you product updates and security notices (you may opt out of non-essential communications at any time)
• Comply with legal obligations

3. Legal Bases for Processing and Data Roles

For personal information collected through revmech.ai (such as early access registrations and support inquiries), Revenue Mechanics LLC is the data controller. For Jira and Salesforce data processed through the TrueStory app, your organization is the data controller and Revenue Mechanics LLC acts as a data processor / service provider on your behalf.

We process your information on the following legal bases:

• Performance of a contract: Processing necessary to provide the Service you have requested (e.g., running verification checks, storing results).
• Legitimate interests: Processing necessary for our legitimate business interests, including service improvement based on customer feedback and support interactions, security, and fraud prevention, where those interests are not overridden by your data protection rights.
• Consent: Where you have given consent for specific processing activities, such as receiving marketing communications. You may withdraw consent at any time.
• Legal obligation: Processing necessary to comply with applicable laws and regulations.

4. Data Storage and Security

For the TrueStory Jira app, Revenue Mechanics LLC does not operate separate servers or databases that process your Jira or Salesforce data outside of Atlassian Forge. All application data is stored in Atlassian Forge Storage, which is managed by Atlassian and scoped to your Jira Cloud site. We do not maintain independent copies of your Jira or Salesforce data.

All communication between TrueStory, Jira, and Salesforce uses TLS 1.2 or higher. Data at rest in Forge Storage is encrypted using Atlassian's encryption standards.

5. OAuth Credentials and Revocation

TrueStory connects to Salesforce via OAuth 2.0 authorization code flow. We never see or store your Salesforce username or password. OAuth tokens are stored encrypted in Forge Storage, scoped to your Jira site, and are not shared across Jira sites. Token refresh is handled automatically.

You can revoke TrueStory's access to your Salesforce org at any time by:

• Disconnecting from TrueStory: Open TrueStory Settings in Jira and click Disconnect. This removes the OAuth tokens from Forge Storage.
• Revoking from Salesforce: Go to Salesforce Setup → Connected Apps → revoke access for TrueStory. This invalidates the tokens immediately.
• Uninstalling TrueStory: Removing TrueStory from your Jira site removes the app's ability to access Forge Storage data. We delete OAuth tokens on disconnect; other data deletion follows Atlassian Forge's platform uninstall behavior.

6. Behavioral Test Data

TrueStory's behavioral verification creates temporary records in your Salesforce org to confirm that validation rules, required fields, and other constraints are enforced correctly. These tests follow strict safety protocols:

• Where supported by the object, test records include a [TRUESTORY-TEST] marker in the Name field or another standard text field. This marker is applied on a best-effort basis and may not be available for every object type
• TrueStory attempts to delete every test record after the test completes, regardless of pass/fail result. If cleanup fails (for example, due to sharing rules, triggers, or validation rules preventing deletion), we attempt to report cleanup failures when detected
• Tests target only the specific object and fields referenced in the acceptance criteria
• TrueStory does not intentionally read, modify, or delete existing records in your Salesforce org. However, record creation may trigger automations (Flows, Apex triggers, Process Builder rules) that interact with existing data

Sandbox recommendation: We strongly recommend connecting a Salesforce sandbox environment rather than a production org. Behavioral tests insert and delete records, which may trigger automations configured in your org. Revenue Mechanics LLC is not responsible for side effects caused by automation triggers that execute in response to test record operations. We recommend using a dedicated integration user with least-privilege permissions for the TrueStory Salesforce connection.

7. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We do not share your data with third-party analytics, advertising, or AI/ML services. We may share information only in the following limited circumstances:

• Infrastructure provider: TrueStory runs on the Atlassian Forge platform. Atlassian's data handling is governed by their own privacy policy and data processing agreements.
• Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change prior to your information being subject to a different privacy policy.

8. Data Retention

Uninstalling TrueStory removes all app data from Forge Storage, including verification results, metadata indexes, dashboard configuration, and OAuth tokens. This deletion is handled automatically by the Atlassian Forge platform and does not require a separate request.

You may request deletion of your personal data at any time by contacting security@revmech.ai. We will process deletion requests within 30 days.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your personal information
• Object to or restrict certain processing activities
• Data portability (receive your data in a structured, machine-readable format)
• Withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, contact us at security@revmech.ai with the subject line “Privacy Request.” We will respond within 30 days.

10. International Data Transfers

Your data is processed within the Atlassian Forge cloud infrastructure, which may operate in multiple regions depending on your Jira Cloud site's data residency configuration. We rely on Atlassian's data processing agreements and standard contractual clauses to ensure appropriate safeguards for any international transfers of personal data. Website and support data may also be processed by our email and hosting providers in their respective operating regions.

11. Do Not Track

TrueStory does not track users across websites or third-party services. We do not respond to Do Not Track (DNT) browser signals because we do not engage in cross-site tracking. No tracking technologies are used within the TrueStory application.

12. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
• No sale of personal information: Revenue Mechanics LLC does not sell personal information to third parties.

To exercise your California privacy rights, contact security@revmech.ai with the subject line “CCPA Request.”

13. Subprocessors

In-App Subprocessors

Website and Support

For the revmech.ai website and support communications, we may use standard infrastructure providers, such as our email provider and website hosting/CDN provider. We will update this section with specific provider names if we engage subprocessors that process personal data for these purposes.

14. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For material changes that affect how we process your data, we will provide additional notice (such as email notification) at least 30 days before the changes take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Revenue Mechanics LLC
Email: security@revmech.ai
For privacy-specific inquiries, please use the subject line “Privacy Inquiry.”