1. Introduction

Bayleaf (“Bayleaf,” “we,” “us,” or “our”) is committed to protecting the privacy, confidentiality, and integrity of personal information entrusted to us. We recognise the importance of transparency and accountability in how data is handled and processed.

This Privacy Policy describes how Bayleaf collects, uses, discloses, and safeguards personal information in connection with its website, its development services, its hosting and managed services, and its service status portal.

By accessing or using our services, you acknowledge that your information will be handled in accordance with this Privacy Policy.

2. Scope and Application

This Privacy Policy applies to individuals who interact with Bayleaf in a business or professional capacity, including website visitors, prospective clients, current clients, and authorised users of systems operated or managed by Bayleaf.

This Policy applies specifically to information collected through Bayleaf-controlled systems and services. It does not extend to third-party platforms or services that are not under Bayleaf’s control, even where such platforms are used in connection with service delivery. Users are encouraged to review the privacy practices of those third parties independently.

3. Information We Collect

Bayleaf collects only the information necessary to operate effectively and deliver high-quality services.

Bayleaf collects and processes the following categories of personal information:

• Identity and contact information (e.g. name, email, business contact details)
• Account and authentication data (e.g. usernames, credentials, access records)
• Operational and service data (e.g. support tickets, monitoring data, system logs)
• Technical and usage data (e.g. IP address, device information, usage patterns)
• Communications data (e.g. messages, inquiries, and correspondence)

We may collect personal information provided directly by individuals, including names, business contact information, organisational details, and communications submitted through our website or other channels.

In the course of delivering development services, Bayleaf utilises industry-standard collaboration and project management tools, including Atlassian Jira and Atlassian Confluence. Through these platforms, we may process user account details, project-related information, issue tracking records, documentation content, and associated activity logs. This information is used exclusively to support client engagements and to facilitate collaboration and service delivery.

For clients receiving hosting and managed services, Bayleaf may process operational data necessary to maintain and support client systems. This includes account credentials, authentication-related information, incident and service request records, monitoring and alerting data, system availability metrics, and audit logs relating to system access and usage.

Bayleaf also provides a service status portal. This portal presents high-level information regarding system availability, incidents, and planned maintenance. The information published to the portal is intentionally limited in scope to avoid disclosure of sensitive system architecture or security details.

In addition, Bayleaf collects certain technical data automatically when users interact with its website or systems. This may include IP addresses, browser and device information, and usage patterns. Such information supports system operation, performance monitoring, and security.

Bayleaf uses only essential cookies required for authentication, session management, and site security. These cookies are necessary for the operation of the website and do not require user consent. We do not use cookies for advertising, analytics tracking, or behavioural profiling purposes.

4. Use of Information

Bayleaf uses personal and operational data solely for legitimate business purposes. These include:

• Delivering development, hosting, and managed services
• Managing and supporting projects and client engagements
• Maintaining system reliability, performance, and security
• Responding to inquiries and communications
• Meeting legal, regulatory, and contractual obligations

Information processed through Atlassian tools is used to plan, execute, and document development work, track service requests, and maintain a record of project and operational activities.

We do not engage in the sale, rental, or commercialisation of personal information, nor do we use such information for advertising or profiling activities.

5. Legal Basis for Processing

Where applicable under laws such as the General Data Protection Regulation (GDPR), Bayleaf processes personal data on recognised legal grounds.

Processing is undertaken where necessary for the performance of contractual obligations, including delivering services and providing access to client systems and tools. Processing may also be based on Bayleaf’s legitimate interests in maintaining secure, reliable, and effective operations, provided those interests are not overridden by individual rights.

In certain circumstances, processing may be required to comply with legal obligations or may be based on consent where individuals voluntarily provide information. Where consent is relied upon, individuals may withdraw that consent at any time.

6. Disclosure of Information

Bayleaf maintains strict controls over the disclosure of personal data. We do not sell personal information under any circumstances.

Personal data may be disclosed to the following categories of recipients:

• Service providers and technology partners supporting delivery, including cloud infrastructure providers and Atlassian Corporation Plc
• Clients, where necessary to support service delivery obligations
• Regulatory and legal authorities where required by law or legal process

All disclosures are limited to what is necessary and subject to appropriate contractual and security controls.

7. Data Processing Roles and Commitments

Depending on the context, Bayleaf may act either as a data controller or as a data processor.

Bayleaf acts as a data controller in relation to website interactions and general business contact information. In the context of client services, Bayleaf typically acts as a data processor, handling data on behalf of its clients in accordance with their instructions.

When acting as a data processor, Bayleaf is committed to processing data only as directed by the client, maintaining strict confidentiality, implementing appropriate technical and organisational safeguards, and supporting clients in fulfilling their data protection obligations.

Bayleaf may engage subprocessors where necessary to deliver services. All subprocessors are subject to appropriate contractual obligations to ensure compliance with applicable data protection standards. A Data Processing Agreement is available upon request.

8. Security

Bayleaf implements a comprehensive set of technical and organisational measures designed to protect information against unauthorised access, disclosure, alteration, or destruction.

These measures include secure transmission protocols, controlled authentication and access management, system monitoring and logging, vulnerability management processes, and regular system maintenance.

Access to systems, including Atlassian platforms, is restricted in accordance with role-based access principles. Permissions are reviewed periodically to ensure appropriate access levels.

The Bayleaf status portal is designed to provide transparent visibility into service availability while deliberately limiting exposure of sensitive or confidential system details.

Despite these safeguards, no system can be completely secure. Bayleaf continuously works to improve its security posture and respond to emerging risks.

9. Data Retention

Bayleaf retains personal and operational data only for as long as necessary to fulfil the purposes for which it was collected, including service delivery, operational continuity, legal compliance, and dispute resolution.

Retention periods may vary depending on contractual requirements, business needs, and applicable laws. Typical retention periods are determined based on these factors, after which data is securely deleted or anonymized where appropriate.

10. Data Breach Notification

Bayleaf maintains incident detection and response procedures designed to identify and manage potential data security incidents.

In the event of a confirmed data breach affecting personal information, Bayleaf will promptly investigate and contain the incident, assess its impact, and notify affected clients without undue delay where required by law or contractual obligations. Appropriate corrective actions will be taken to mitigate the risk of recurrence.

11. International Data Transfers

Bayleaf operates primarily in Canada but may utilise service providers located in other jurisdictions. Where data is transferred outside the originating jurisdiction, Bayleaf implements appropriate safeguards to ensure that personal information remains protected in accordance with applicable legal standards.

12. Individual Rights

Subject to applicable law, individuals may have the right to:

• Request access to their personal information
• Request correction of inaccurate data
• Request deletion of personal data, where applicable
• Object to or restrict certain types of processing

Individuals also have the right to lodge a complaint with an applicable data protection authority if they believe their data has been handled improperly.

Requests may be submitted using the contact information provided below. Bayleaf will respond in accordance with applicable legal requirements.

13. Changes to This Policy

Bayleaf may update this Privacy Policy from time to time to reflect changes in legal requirements, business operations, or data protection practices. Updated versions will be published with a revised effective date.

14. Contact Information

For questions, concerns, or requests related to personal data or privacy rights, please contact: