Privacy Policy for Sidekick

Last updated: 29 September 2025

Who we are: ONE T.E.E.M. GmbH (“ONETEEM”, “we”, “us”, “our”)

ONE T.E.E.M. GmbH

Watzmannstraße 5, 84503 Altötting, Germany

Email: hello@oneteem.com

Website: www.oneteem.com

Represented by the Managing Director: Yassin Bennaceur

Commercial Register: HRB 34151 Traunstein District Court

VAT-ID: DE454957435

Scope: This Privacy Policy covers the Sidekick app, built on Atlassian Forge, which integrates with Google Calendar and Microsoft 365 Calendar and stores app data in the customer's Atlassian Cloud using Forge Database. It explains what we collect, how we use it, how we share it, and your rights.

What this policy covers

  • Sidekick and other ONETEEM Forge apps used inside Atlassian Cloud products such as Jira.
  • Integrations you explicitly connect, including Google Calendar and Microsoft 365 Calendar.
  • App storage that persists in our Forge hosted SQL database and related Atlassian platform services.

The data we collect

We only collect data that is necessary to provide the features you enable.

Account and profile

  • Atlassian account identifiers needed to operate the app for your site.
  • For connected calendars, the provider user ID and email required to identify your account.

Authorization and connection

  • OAuth tokens and refresh tokens from Google and Microsoft, stored securely, used only to perform actions you request.

Calendar data you authorize

  • Calendar lists you select to connect.
  • Event metadata such as title, description, start and end time, attendees, reminders, and organizer.
  • Event content is accessed only when needed to read or write events that you create or manage through the app.

App configuration and usage

  • Preferences such as which calendars are linked, default durations, and scheduling rules.
  • Technical logs and audit records needed for security and support.

We do not collect information that you do not authorize. We do not infer sensitive categories from your data.

What we use your data for

  • Provide core features such as creating, updating, moving, and deleting calendar events from inside Jira.
  • Show availability, plan focus blocks, and keep work schedules in sync with the calendars you link.
  • Operate, secure, and improve the app, including troubleshooting and abuse prevention.
  • Communicate important service messages and respond to support requests.

We do not sell or rent your data. We do not use your calendar data for advertising.

Legal bases under GDPR

  • Performance of a contract, to deliver the features you or your organization enable.
  • Legitimate interests, to ensure security, reliability, and service improvement that respects your privacy.
  • Consent, where required, for optional integrations or marketing communications.

Scopes we may request and how we use them

Google

  • https://www.googleapis.com/auth/calendar to read and write events on calendars you link so the app can create, update, move, or delete events you manage in Jira.
  • https://www.googleapis.com/auth/userinfo.email and basic profile to identify your account and show which user connected the integration.

Microsoft

  • Calendars.ReadWrite and Calendars.ReadWrite.Shared to read and write events on calendars you link or shared calendars you select.
  • User.Read to identify your account.
  • offline_access to refresh authorization so scheduled actions you configure can run.

We request the minimum scopes needed. You can disconnect at any time.

Google API Services Limited Use

For data obtained through Google APIs we comply with the Google API Services User Data Policy including the Limited Use requirements. We use Google user data only to provide app features you enable, we do not transfer it except to service providers acting on our behalf, we do not use it for advertising, and we only store what is necessary for the app to function.

How we store and protect data

  • Data is stored in our Atlassian Forge hosted SQL database and Atlassian platform services.
  • Encryption in transit and at rest, strict access controls, least privilege, and auditing.
  • Segregated environments for development and production, with production access restricted.
  • Regular security reviews, dependency patching, and incident response procedures.

Data retention and deletion

  • OAuth tokens and linked account identifiers are kept while the integration is active.
  • Event data is retrieved on demand. We only persist event metadata that is needed for synchronization and troubleshooting.
  • Diagnostic logs are typically retained for up to 30 days unless a longer period is required to resolve a support issue.
  • When you disconnect Google or Microsoft, uninstall the app, or request deletion, we delete stored connection data and related app records within 30 days, subject to legal retention requirements.

Sharing and sub-processors

We share data only as needed to operate the service.

  • Atlassian for Forge hosting and Atlassian Cloud platform services.
  • Google and Microsoft to perform calendar actions you request via their APIs.
  • Carefully selected service providers for logging, monitoring, and support who process data under our instructions and appropriate safeguards.

We do not allow our providers to use your data for their own marketing.

International transfers

Where data is transferred across borders, we rely on appropriate safeguards such as standard contractual clauses or other lawful transfer mechanisms. We work to keep processing close to your Atlassian site location where supported by Atlassian and the calendar providers.

Your rights

Subject to local law, you can request:

  • Access to your personal data.
  • Correction of inaccurate data.
  • Deletion of data.
  • Restriction or objection to processing.
  • Data portability.
  • Withdrawal of consent without affecting prior lawful processing.

To exercise your rights or raise a question, contact us at Data Privacy, Security, and Compliance Request. If you believe your rights are not respected you can contact your local supervisory authority.

How to disconnect access

You can revoke access at any time.

  • From within the app, remove the Google or Microsoft connection.
  • In your Google Account, remove ONETEEM or Sidekick from Third-party access.
  • In your Microsoft account or your organization’s Microsoft Entra settings, remove ONETEEM or Sidekick from Enterprise Applications or Connected apps.

Changes to this policy

We will update this policy as our services evolve. Material changes will be communicated through the app or by email where appropriate. Continued use after changes take effect means you accept the updated policy.

Contact

Questions about privacy or security, or requests related to your data: Data Privacy, Security, and Compliance Request.
