Transparency

Trust Center

CloudScript.io builds small, focused apps for Confluence Cloud.

This page explains, in plain terms, how those apps handle data, the security model they run on, and where to find our legal documents and report a concern.

Our approach

CloudScript.io is an independent vendor (Patrick Roumanoff trading as Cloudscript.io). We build narrow, single-purpose apps and follow a principle of least data: an app should request the smallest set of permissions it needs and, wherever possible, store nothing at all. We run no advertising and no third-party trackers on this website, and we self-host our fonts. The one measurement we take is a privacy-first page counter, described in full under Website analytics below — including why we chose it and how to opt out.

Website analytics

This website uses GoatCounter, an open-source, privacy-first page counter, and we use it for one purpose: to gauge interest in our different apps. Seeing which app pages and guides are actually read tells us where to put development and documentation effort. There is no advertising or marketing use, and the counts are not shared with or sold to anyone.

We are comfortable running GoatCounter because it is built on the same principle of least data as our apps: it counts pages, not people. It sets no cookies and stores nothing in your browser. It does not record your IP address — your address is used only transiently, in memory, to tell visits apart for a few hours, and is never written to storage. It assigns you no persistent identifier of any kind, so there is nothing that could recognise you on a return visit, follow you to any other website, or feed an advertising profile. What it keeps is aggregate and technical: the page viewed, the referring site, browser and operating-system type, screen size, language, and the country a visit came from. We see counts, not visitors — we cannot identify you and do not try to. We run GoatCounter in its default, most private configuration (aggregate counts only), and its own privacy policy describes its handling in full.

Opting out

If your browser sends the Global Privacy Control signal, we honour it automatically: the counter never loads and you are not counted, with nothing to configure. Otherwise you can opt out here:

Your choice is stored as a small preference flag in this browser's local storage — it never reaches us or GoatCounter, which also means it applies per browser and per device, and it takes effect from your next page view.

Suggestion box

The "Have an app in mind?" box on our homepage is delivered to us by FormSubmit (formsubmit.co), a form-relay service: your message goes to FormSubmit's servers, which forward it to our inbox. The box has no name or email fields and we receive only the message text. Like any web request, FormSubmit handles the technical details of the submission (such as your IP address) in transit — see the FormSubmit privacy policy for how it processes them. If you'd like a reply, email us at contact@cloudscript.io instead.

How our apps run

Our flagship app, CloudScript.io Mermaid, runs on Atlassian Forge, which means it executes inside Atlassian's own hosted, sandboxed environment rather than on servers we operate. The Forge platform blocks any network request an app has not explicitly declared, and any data an app does store is held within Atlassian's infrastructure under its data-residency controls. Our two earlier apps, NikoNiko Calendar and CloudScript for Confluence, are built on Atlassian Connect, the previous-generation framework.

Our apps

The table below lists each CloudScript.io app, the Atlassian platform it runs on, whether it stores personal data, and where to find its legal documents. Adding a future app means adding a row.

App Platform Stores personal data? Documents
CloudScript.io Mermaid Forge No Privacy · Terms
Page Sharing for Confluence Forge Only UserId Privacy · Terms
Cloudscript Typst Renderer Forge No Privacy · Terms
Cloudscript Renderer for MCP Documentation Forge No Privacy · Terms
NikoNiko Calendar Connect (retiring) Yes — a mood value (0–5) and a Confluence account identifier, held on Heroku On its Atlassian Marketplace listing
CloudScript for Confluence Connect (retiring) Runs administrator-authored scripts on Heroku On its Atlassian Marketplace listing

Our Forge apps run on Atlassian's platform, and our Connect apps use the Heroku cloud platform; where our use of sub-processors changes for any future app, we will record it here.

Marketplace trust badges

Atlassian awards badges on the Atlassian Marketplace that signal verified properties of an app. Where one of our apps holds a badge, we show it on this site; the badge on the app's Marketplace listing remains the authoritative record.

Runs on Atlassian is awarded automatically by Atlassian to Forge apps that meet three conditions, and is monitored continuously, so the badge is withdrawn if an app changes: the app runs exclusively on Atlassian-hosted compute and storage; it supports the same data residency as the host Atlassian product; and any external data egress (such as analytics or logs) can be switched off by the customer's admin. The badge describes where an app runs and where data can go. What data an app actually handles is described in that app's own privacy policy, linked from its page on this site.

Cloud Fortified is Atlassian's programme for apps that meet additional reliability, security and support requirements, assessed by Atlassian. Details of both programmes are on the Atlassian developer site.

Reporting a security issue

If you believe you have found a security vulnerability in any CloudScript.io app, please email support@cloudscript.io with the details and the steps to reproduce it. We ask that you give us a reasonable opportunity to investigate and address the issue before disclosing it publicly. We will acknowledge your report and keep you informed as we work through it. We are a small vendor and do not operate a paid bug-bounty program, but we take security reports seriously and are grateful for responsible disclosure.

For the full detail of how we secure our apps, manage vulnerabilities, and respond to incidents, see our Security Policy.

Contact

Questions about privacy, security or compliance: support@cloudscript.io