StagBane- Privacy & Data
This page describes exactly what StagBane reads, what it stores, what it doesn't store, and what happens to your data when you uninstall it. It's written to be precise enough for an Atlassian Marketplace reviewer and clear enough for a customer admin to trust.
In plain English
- StagBane is built 100% on Atlassian Forge and carries the Runs on Atlassian badge.
- Nothing your content touches leaves Atlassian. There are no external servers, no external network calls, and no analytics or telemetry of any kind.
- The scanner reads page metadata and internal links from the spaces you choose to audit. It reads page body text only to extract those links, and then discards it. Page body text is never stored.
- The Rovo agent reads only the specific page(s) you ask about, in the moment you ask, and reads them as you- it can never see a page you can't. (Site admins can also ask it for the queue's ranked stale list- the same view the admin queue already shows them.)
- The agent can act on your confirmation- applying a label, recording a review date, or posting a review-request comment- but only the queue's non-destructive actions. It never edits your content, and it stores no opinion of its own.
- No Personal Access Tokens are required or used.
The rest of this page is the detailed version.
What the scanner reads
To rank pages by staleness, the daily scan reads, from your audited spaces only:
- Page metadata- id, title, space, owner, version number, last-modified date, and parent.
- Labels- specifically
verified-current,pha-evergreen, andneeds-review. - Page body content- but only to extract the internal links on the page, and only for pages whose version changed since the last scan.
What this means: the scanner opens a page's body the way a link-checker would- to see what it links to. It does not keep the prose. After the links are extracted, the body is discarded.
The scanner never reads pages in spaces you didn't audit.
What the Rovo agent reads
The Page Health Auditor agent reads the specific page(s) you ask it about, on demand, at the moment you ask- one page for an audit, two for a comparison, or search results for an overlap check.
- It reads as the asking user. It sees only what that user can already access in Confluence, and never reads a page they can't. It holds no elevated access of its own.
- When a page it audits is already in the review queue, the agent also reads that page's stored band, the rule behind it, and the underlying signals (read-only) so it can cite the queue's position. It never changes them.
- For a site admin, the agent can also return the queue's ranked list of stale pages (titles, bands, and signals- never body text), exactly the view the admin-only queue already shows that admin. A non-admin who asks is refused before any of that is read, and pointed to the queue. This is the same admin-gated disclosure described under restricted pages.
What the Rovo agent can do (with your confirmation)
The agent can trigger the same non-destructive actions as the review queue- nothing more. It never edits, archives, rewrites, or deletes page content, and it stores no verdict of its own. Each action runs only after the agent states what it will do and you explicitly confirm, and only if your Confluence account is allowed:
- Mark a page Verified Current, or Mark it Stale- the page owner or a site admin.
- Request the owner review a page (one @mention comment, within the daily Request Budget), or set the needs-review label- site admins.
Permission is checked on your Confluence identity, never on anything said in chat, and page content can never authorize an action. What the agent writes is identical to the corresponding queue button: a label, a review date, or a single comment.
What StagBane stores
StagBane stores the following, and only the following, in a Forge SQL database inside Atlassian- one isolated database per installation:
- Page metadata and the computed staleness signals and band for each audited page.
- Link relationships only- page-to-page edges recording which audited page links to which. (This is the link map the queue uses for orphan and broken-link detection.)
- A rolling review-request log, used to enforce the daily Request Budget.
- Scan status- when scans ran and their per-space results.
- The
needs-reviewworklist flag on a row- a display/queue marker only, never an input to the band rules.
What StagBane does not store
- Page body text. Bodies are read to extract links and then discarded. StagBane keeps the relationships between pages, never the content of pages.
- The Rovo agent's verdicts. Everything the agent says is chat-only- never written to the database, never written back to the queue, never saved.
- Any usage analytics or telemetry. StagBane records nothing about how you use it.
What leaves Atlassian
Nothing. StagBane makes no external network calls. There is no developer-controlled server for your content to be sent to.
The Rovo agent's reasoning runs on Atlassian's own Rovo platform, using your Rovo credits. That processing happens inside Atlassian's infrastructure- it is not developer-controlled egress, and StagBane sends nothing of its own to any external service. To restate the trust property plainly: your content never leaves Atlassian, not even as analytics.
How restricted pages are handled
The scanner indexes restricted pages the same as any other page- they're often the ones it's most important to keep current.
Because of this, the admin-only review queue can show site admins the title, owner, and staleness signals of a page whose view is restricted. It does not show that page's body content anywhere in the queue.
We disclose this deliberately rather than hiding it. Two things keep it appropriate:
- The queue is gated to site admins, who already hold latent access to restricted content on their site.
- The exposure is limited to title, owner, and signals- never body text.
The Rovo agent applies the same boundary in two ways. For a single page, it reads as the asking user, so it can never surface a restricted page's content- or even its signals- to someone who couldn't already open it. For the site-wide stale list, it applies the queue's own rule: only a site admin gets it (titles, owners, and signals, never body), and a non-admin is refused before anything is read.
Labels and comments that remain after uninstall
Some of StagBane's actions add content to your pages (whether you trigger them from the queue or, on your confirmation, through the agent). That content belongs to your pages, not to the app, so it remains after you uninstall:
- The labels
verified-current,needs-review, andpha-evergreen. - Any Review Request footer comments the app posted.
If you no longer want them, remove them manually. (They are ordinary Confluence labels and comments- you can search and delete them like any other.)
What is removed on uninstall
StagBane's own stored data- the Forge SQL database holding metadata, computed signals and bands, link relationships, the review-request log, and scan status- is deleted when you uninstall, under Atlassian's Forge hosted-storage data lifecycle. The data is soft-deleted at uninstall and then permanently removed on Atlassian's retention schedule. For a limited window after uninstall (21 days, per Atlassian's current policy), a reinstall can be relinked to the prior data; after that it cannot be recovered.
We don't state a fixed number of days to permanent deletion: Atlassian controls that timeline through its platform data-retention policy rather than publishing a single figure. See Atlassian's Data lifecycle for Forge-hosted storage for the authoritative detail.
The labels and comments listed above stay on your pages until you remove them- see the previous section.
Personal Access Tokens
StagBane does not require, request, or use any user's Atlassian Personal Access Token (PAT). All access happens through Forge's permission model and (for the agent) as-the-user scoping.
Support
Questions about data handling: support@<your-domain>.