Privacy Policy

Last updated: 2026-05-04

Civitas Presentations is a self-hosted internal tool for authoring and sharing Slidev-based presentations. This page describes the personal data the application processes, why, and for how long.

What we collect

When you sign in with Atlassian, the application reads:

• Your display name, email address, and profile picture, returned by Atlassian's /me identity endpoint.
• The name of the first Atlassian site you have access to (used as your "organization" label on the hub). Returned by /oauth/token/accessible-resources.
• Your Atlassian account ID, used as a stable identifier to mark deck ownership.

The application does not read project, issue, board, or any other Jira data — only the identity scopes (read:me, read:account, offline_access) are requested.

When you upload a presentation:

• The Markdown source of your deck is stored on the deployment's data volume.
• Your account ID and display name are recorded as the deck's owner.
• Any labels and the visibility setting (private vs shared) you choose are stored alongside the deck.

How we use it

• To authenticate you on subsequent visits and personalise the deck list you see.
• To enforce visibility: private decks are visible only to their uploader; shared decks are visible to every signed-in user.
• To render the user widget on the hub (avatar, name, organization).

Where it lives

• Sessions are stored in an HMAC-signed cookie (civitas_session) on your browser. No session data is stored server-side; the cookie is the entire record.
• Uploaded deck content lives on the deployment's filesystem (typically a Docker bind mount or named volume). It is not transmitted to any third party.
• Atlassian access tokens are discarded after the initial identity lookup. The application does not retain them.

Third parties

• Atlassian — only during the OAuth login round-trip. See Atlassian's privacy policy.
• Google Fonts — to load the brand typefaces (Bricolage Grotesque, Geist, JetBrains Mono). Your IP address is visible to Google when those font files load.
• PlantUML public server — only if a deck contains a PlantUML diagram and the deployment hasn't overridden plantUmlServer. Mermaid diagrams render entirely in your browser with no external calls.

Retention

• Sessions expire seven days after sign-in.
• Uploaded decks are kept until you (the owner) delete them through the hub UI, or until the deployment's data volume is purged.
• Server logs of HTTP requests follow your organisation's standard retention.

Your rights

You can delete any deck you uploaded from the hub at any time. To request deletion of your account profile data (which is otherwise refreshed on every sign-in), or to ask any other privacy-related question, email support@applaudostudios.com.

Changes

We may update this policy. The "last updated" date at the top reflects the most recent change. Material changes will be announced through the usual internal channels.