Trust package

Laplace security, privacy and data processing

A public trust package for Laplace users. The materials cover data processing, Jira OAuth, embeddings, subprocessors, cookies and data deletion.

Laplace does not use Customer Data to train foundation models.

Privacy Policy

Privacy policy

Personal data operator: Alexander Nekrashenko, an individual operating Laplace. Privacy requests: support@laplaceapp.com. This policy applies to SaaS users, workspace members, customer administrators, invitees, support contacts and individuals whose data is submitted by a customer into a workspace or Jira.

This policy does not cover Laplace employees, candidates or contractors. The service is not intended for children, special categories of personal data, biometric data, medical data or other highly sensitive data without a separate written agreement.

  • Laplace acts as the personal data operator for accounts, authentication, service emails, support, billing/subscription, security logs and service administration.
  • Laplace processes Customer Data inside a workspace on the customer instructions: chat messages, assistant messages, Jira data, embeddings, memory and data submitted or connected by the customer.
  • The customer is responsible for the lawful transfer of Customer Data to Laplace, including Jira data and data entered by users into chat.
  • Laplace may process data to provide the AI assistant, retrieval, long-term memory, embeddings, title generation, support, security, anti-abuse, backups and compliance.
  • For Russia, legal bases include contract/terms, processing instruction under Article 6(3) of 152-FZ, consent where required and legal obligations where applicable.
  • For international users, legal bases may include contract, legitimate interests, consent for optional analytics/cookies, legal obligation and processing Customer Data on customer instructions.

Data Categories

Data categories, sources and purposes

Laplace processes different categories of data depending on which features the user or customer uses. Data is not sold to third parties and Laplace does not use Customer Data to train foundation models.

Category
Account data
Source
Signup, login, invite flow and user settings.
Purpose
Account creation, authentication, workspace access, service notices and support.
Retention
While the account is active and then within legal or contractual periods.
Category
Workspace data
Source
User actions inside workspace and organization areas.
Purpose
Workspace management, membership, roles, chats and integration settings.
Retention
While the workspace is active or until confirmed deletion.
Category
Chat content
Source
User messages, assistant messages and data entered into chat.
Purpose
AI assistant delivery, conversation history, retrieval, memory and answer quality inside the service.
Retention
While the chat/workspace is active; removed from active systems when chat/workspace is deleted or after a verified deletion request.
Category
Connected source data
Source
Customer-connected Jira/Atlassian account.
Purpose
Search and answers over Jira data within OAuth scopes and connected account permissions.
Retention
While the integration is active or until disconnect/workspace deletion.
Category
Technical and analytics data
Source
Browser, device, IP address, cookies/browser storage and product events after consent.
Purpose
Security, troubleshooting, abuse prevention, product usage measurement and UX improvement.
Retention
Logs and analytics data are retained within technical needs, provider settings and applicable periods.

Data Processing Addendum

DPA / processing instruction

The DPA describes customer data processing terms for B2B customers. It acts as a personal data processing instruction under Article 6(3) of 152-FZ.

Laplace operates in the Russian Federation under Russian law. The current list of engaged providers is disclosed in the subprocessors section.

Block
Roles
Content
Customer - personal data operator; Laplace - processes Customer Data on the operator instructions.
Block
Categories
Content
Workspace content, chat messages, assistant messages, Jira-originated data, embeddings, memory, account metadata where processed on instructions.
Block
Purposes
Content
Service delivery, AI assistant, retrieval, Jira integration, memory, support, security, backups and compliance.
Block
Instructions
Content
Laplace processes Customer Data only to provide the service and according to customer instructions documented in agreements and product configuration.
Block
Subprocessors
Content
Selectel, Polza.ai, email verification provider, customer-connected Atlassian/Jira and other listed third parties where applicable.
Block
Deletion/return
Content
Request-based deletion with SLA up to 30 days for active systems; backups expire by rotation.
Block
Security appendix
Content
TLS for public web/API, app-level encryption for Jira OAuth tokens, workspace scoping, role checks, source links and notices when context is insufficient.

Data Retention Policy

Data retention and deletion

Laplace retains data only as long as needed for processing purposes, contract, security, compliance and service recovery. Deletion is handled by request through support@laplaceapp.com.

Deletion SLA for active systems: up to 30 days after request verification, unless law or contract requires a longer period. Backups expire through rotation; default expected retention is 14 days.

Category
Account data
Retention / deletion
While the account is active and then within legal or contractual periods. Account data deletion is handled by verified request.
Category
Workspace metadata
Retention / deletion
While the workspace is active. On confirmed deletion, related workspace data is removed from active service systems.
Category
Chat messages
Retention / deletion
While the chat/workspace is active. Chat deletion removes messages and related conversation history from active service systems.
Category
Assistant messages
Retention / deletion
While the chat/workspace is active; used for conversation history and answer quality within the service.
Category
Jira OAuth metadata/tokens
Retention / deletion
While the Jira connection is active. Removed on disconnect or workspace deletion. Tokens are stored encrypted.
Category
Jira data
Retention / deletion
Processed within OAuth scopes and connected Atlassian account permissions. Laplace does not download Jira attachments.
Category
Embeddings/LTM
Retention / deletion
Stored in the service database and associated with the relevant workspace and user. Workspace deletion, user leave/removal from a workspace and user removal from an organization clean up the matching records.
Category
Logs
Retention / deletion
Used for security, reliability and troubleshooting.
Category
Backups
Retention / deletion
Default expected retention: 14 days. Deleted data may remain in backups until rotation expires.

What Laplace Stores

What Laplace stores and does not store

Stored
Registration form data, email verification status, account/session metadata and workspace membership.
Not required / not intentionally collected
Phone numbers, job titles, company name and billing details are not mandatory unless the user provides them in chat/support/pilot/billing flows.
Stored
User chat messages and assistant messages inside a workspace.
Not required / not intentionally collected
Laplace does not pre-limit what users may enter into chat; the user and customer are responsible for lawful submission.
Stored
Jira issue fields, summaries, descriptions, comments, authors/reporters/assignees and project metadata available to the connected account.
Not required / not intentionally collected
Laplace does not download Jira attachments.
Stored
Embeddings and long-term memory records used for retrieval and personalization.
Not required / not intentionally collected
Customer Data is not used by Laplace to train foundation models.

AI And Embeddings

AI, embeddings and foundation models

Customer Data may be processed by the configured AI provider solely to provide the service, including runtime inference, retrieval, embeddings, memory extraction, classification/query expansion and title generation.

Embeddings are treated as Customer Data because they may mathematically reflect source content. Embeddings are stored in pgvector/Postgres and used for retrieval and long-term memory.

  • The AI provider may change as the service evolves. Customer Data is sent to the configured AI provider only to provide AI features of the service.
  • Laplace does not permit the AI provider to use Customer Data to train foundation models unless separately agreed with the customer.
  • Provider retention and processing mode depend on the selected provider and applicable terms. Customers who require specific retention guarantees should document them separately before the relevant processing starts.
  • Current embeddings storage: service database with vector search support.
  • New memory records are associated with the relevant workspace and user.
  • Workspace deletion, user leave/removal from a workspace and user removal from an organization clean up the matching scoped embeddings.

Connected Sources

Jira OAuth and connected sources

Jira is a customer-connected source. Customer decides which Atlassian account is connected to a workspace and what data that account may access. Laplace processes Jira-originated data according to customer instructions and connected account permissions.

For shared workspace connection, customers should use a dedicated Jira user with least privilege where possible.

  • Laplace can read Jira data exposed by granted OAuth scopes and connected account role, including issues, descriptions, comments, authors/reporters/assignees and project metadata.
  • Customer can disconnect the Jira integration; after disconnect, Laplace stops using the connection and removes related tokens/metadata from active systems through the normal deletion process.
  • Workspace deletion or a verified deletion request removes related Jira-derived data from active systems; backups expire through rotation.
  • Laplace currently does not download Jira attachments.
  • Laplace does not change Jira data by default except through actions explicitly initiated by authorized users through available product features.
  • Jira tokens are stored encrypted at application level using AES-256-GCM with a secret-derived key.

Security Claims

Security architecture and access protection

  • Laplace Cloud is hosted in Russia on Selectel for pilot production.
  • Public web/API traffic uses HTTPS/TLS through Caddy and external providers are accessed over HTTPS.
  • Service connections are isolated within the application infrastructure network.
  • Workspace and organization data are scoped by workspace/org identifiers; chat routes are workspace-scoped.
  • Access control is based on organization owner/member and workspace admin/user roles.
  • Extended audit trail is available only under a separate enterprise agreement.
  • Official contact for support, privacy requests and security issues: support@laplaceapp.com. Telegram is not an official privacy/security request channel.

Subprocessors

Subprocessors and third-party services

Provider
Selectel
Purpose
Hosting/cloud infrastructure
Data / notes
Application, Postgres/pgvector and related infrastructure for pilot production.
Region / status
Russia. Used for cloud infrastructure hosting.
Provider
Polza.ai
Purpose
AI model provider/gateway
Data / notes
Customer Data may be processed for runtime inference and related AI service operations.
Region / status
Russia. Processing is used to provide AI features of the service. This table is updated if the provider changes.
Provider
Unisender Go
Purpose
Email verification and service emails
Data / notes
Email address and verification metadata.
Region / status
Used for account verification and service emails.
Provider
Atlassian/Jira
Purpose
Customer-connected third-party source
Data / notes
Jira data is controlled by customer account permissions and OAuth scopes.
Region / status
Customer-managed source used when connected by the customer.
Provider
Gatus
Purpose
Service monitoring
Data / notes
Technical service availability monitoring.
Region / status
Service availability monitoring.
Provider
Google Analytics 4
Purpose
Product analytics
Data / notes
Page views and product usage events after the user consents to analytics cookies/storage.
Region / status
Used only after user consent and when a GA4 measurement ID is configured.
Provider
Yandex Metrica
Purpose
Product analytics
Data / notes
Page views, product usage events, clickmap/link tracking, bounce analytics and webvisor after the user consents to analytics cookies/storage.
Region / status
Used only after user consent and when a Yandex Metrica counter ID is configured.

Deletion Process

Data deletion requests

Users and customers can request deletion through support@laplaceapp.com. Laplace verifies requester authority before deleting workspace or account data.

For B2B customers, deletion confirmation can be provided upon written request.

  • Target SLA: up to 30 days for active systems after request confirmation.
  • Backups are removed through backup rotation and may retain deleted data until retention expires.
  • Account or organization deletion is handled by verified request.

Cookies

Cookies and browser storage

Laplace uses essential browser storage: sessionStorage for auth tokens and localStorage for language, theme, last workspace and the analytics consent choice.

After user consent, Laplace may use Google Analytics 4 and Yandex Metrica for product analytics, including page views, product usage events, referrer/source data, approximate device/browser data and aggregated usage statistics. Without consent, these analytics trackers are not initialized.

If Yandex Metrica is enabled, its features may include clickmap/link tracking, bounce analytics and webvisor/session replay within the counter settings. This data is used to understand UX and troubleshoot interface issues, not to sell data or run advertising cookies.

Laplace does not use advertising cookies.

Age Limits

Children and minors

Laplace is not intended for children and is not designed to knowingly collect minors’ data. If you believe a minor submitted data to Laplace without a proper basis or permission, contact support@laplaceapp.com.

After request verification, Laplace will remove such data from active systems through the standard deletion process unless law or contract requires otherwise.

Updates

Policy changes

Laplace may update this page as the product, providers, integrations, security measures or legal requirements change. The freshness date is shown at the top of the page.

Material changes that significantly affect processing of user or customer data may also be communicated through the product, email or contractual channels where applicable.

Enterprise Options

Additional enterprise options

  • Dedicated tenant, private connector, VPC and on-prem connector are available only under a separate written agreement.
  • Per-user Jira OAuth/ACL may be agreed separately for enterprise scenarios.

Laplace is an early-stage product operated by Alexander Nekrashenko as an individual. For support, privacy, and security questions, contact support@laplaceapp.com.