
Goldfinger Holdings, Inc. Privacy Policy

Version 2.1  |  Effective Date: March 13, 2026

 

This Privacy Policy applies to Goldfinger Holdings, Inc. and its software products including TestRay, Plum CRM, and CAC/PIV Authentication Manager (collectively, "our Products"). It describes how we collect, use, store, and protect personal information across our website and Products, including when deployed in government cloud environments.

1. Who We Are

Goldfinger Holdings, Inc. ("Goldfinger," "we," "us," or "our") is a Nevada corporation operating under the trade name Goldfinger Software. We develop and maintain enterprise software products for teams using Atlassian Jira Cloud and related platforms.
 

Our Products include:

  • TestRay — test and requirements management for Jira Cloud, including deployment within Atlassian Government Cloud (AGC) for U.S. government customers

  • Plum CRM — customer relationship management integrated with Jira

  • CAC/PIV Authentication Manager — smart card authentication for Atlassian environments

 

Each Product may process different categories of personal data. Where a Product has additional or more specific privacy terms — such as the TestRay AGC Privacy Policy for government deployments — those terms supplement and, where they conflict, take precedence over this general Policy for that Product.

2. Scope of This Policy

This Policy applies to:

  • Personal information collected through our website at https://www.goldfingersoftware.com and www.testray.com

  • Personal information processed in connection with our Products when used by customers and their authorized users

  • Personal information we receive from customers as part of delivering support, professional services, or training

 

This Policy does not apply to:

  • Personal information processed by Atlassian as primary platform provider (governed by Atlassian's own privacy policy)

  • Government-classified information — TestRay deployments within Atlassian Government Cloud are subject to the TestRay AGC Privacy Policy in addition to this Policy

3. Personal Information We Collect

3.1 Information You Provide Directly

  • Name, job title, and employer organization

  • Business email address, mailing address, and telephone number

  • Account credentials managed through Atlassian (we do not store passwords)

  • Support requests, feedback, and correspondence submitted to our helpdesk

  • Details provided during sales inquiries, demos, or training engagements

3.2 Information Collected Through Our Products
What Goldfinger collects and processes depends on both the Product and the deployment model. For Cloud deployments, Goldfinger hosts and processes customer data on AWS infrastructure and acts as a data processor. For Data Center deployments, the software runs on the customer's own servers — Goldfinger does not host, store, or have access to customer application data in those environments.

 

3.3 Information Collected Automatically

  • Browser session data, device type, operating system, and IP address (website visits only)

  • Page views, traffic patterns, and referral sources for website analytics

  • Application logs and diagnostic information generated by our Products for operational and security purposes

  • Cookies and similar tracking technologies on our website (see Section 10)

Note: Our Products do not collect behavioral analytics, advertising tracking data, geolocation data, or browser/device fingerprints for product functionality purposes.

3.4 Information We Do Not Collect

  • Payment or financial information — all billing is handled by Atlassian Marketplace

  • Authentication credentials or passwords — managed entirely by Atlassian for Cloud products

  • CAC/PIV smart card credentials, authentication tokens, or PIV data — the CAC/PIV Authentication Manager runs entirely on the customer's Data Center environment and Goldfinger retains none of this data

  • Customer application data for any Data Center deployment — TestRay Data Center and Plum CRM Data Center run on customer-managed infrastructure; Goldfinger has no access to data stored in those environments

  • Sensitive personal data (health, biometric, racial, religious data) — not required by any of our Products

 

3.5 CCPA Data Categories (California Residents)
The California Consumer Privacy Act (CCPA) requires us to disclose the categories of personal information we collect, how we obtain it, and how we use it. The table below covers activity in the preceding 12 months across all Goldfinger products.

 

We do not sell personal information. We do not use or disclose sensitive personal information for purposes beyond those permitted by the CCPA without your consent. We will not collect additional categories of personal information without informing you.

4. Legal Bases for Processing

We process personal information on one or more of the following lawful bases, depending on the context:

For EU/EEA customers, processing is conducted in accordance with the General Data Protection Regulation (GDPR). See Section 12 for GDPR-specific rights.

5. How We Use Personal Information

We use personal information for the following purposes:

  • Providing, operating, and improving our Products and services

  • Processing and fulfilling orders, licenses, and subscription agreements

  • Providing customer support, technical assistance, and training

  • Communicating product updates, security notices, and service-related information

  • Sending marketing communications where you have consented or where we have a legitimate interest (with opt-out available at any time)

  • Verifying identity and preventing fraud or unauthorized access

  • Conducting internal analytics to improve user experience and Product performance

  • Complying with legal obligations, including government audit and regulatory requirements

  • Maintaining security through monitoring, logging, and incident response activities

 

We will not use personal information for purposes that are incompatible with those described above without providing prior notice and, where required, obtaining consent.

6. How We Share Personal Information

We do not sell personal information to third parties. We do not share customer data with advertisers or data brokers.

6.1 Infrastructure and Platform Providers
We engage the following categories of third-party service providers who may process personal information on our behalf:
 

6.2 Other Permitted Disclosures
We may also share personal information in the following circumstances:

  • With employees, contractors, and advisors who need access to perform their job responsibilities, subject to confidentiality obligations

  • With a successor entity in connection with a merger, acquisition, or sale of all or part of our business — you will be notified of any such transfer

  • With law enforcement, courts, regulators, or government authorities when required by applicable law, court order, or to protect the rights, safety, or property of Goldfinger or others

  • With your consent, for any other purpose you have expressly authorized

 

We do not share personal information with resellers, marketing partners, or other third parties for their own commercial purposes.

7. Infrastructure and Data Storage

7.1 Cloud Infrastructure
Our Products are hosted on Amazon Web Services (AWS). AWS maintains widely recognized security certifications including SOC 2, SOC 3, ISO 27001, and FedRAMP authorizations for applicable services. We do not use Google Cloud Platform or Microsoft Azure for hosting customer application data.
Microsoft Dynamics 365 and Salesforce are used in connection with Plum CRM. Salesforce serves as a CRM platform for Plum CRM customers; Microsoft Dynamics 365 provides additional CRM integration and business operations support. Neither platform receives TestRay test data, CAC/PIV authentication data, or AGC government data.

7.2 Data Residency

8. Government Cloud Deployments

TestRay is available within Atlassian Government Cloud (AGC), a FedRAMP Moderate authorized environment (Authorization ID: FR2412062433) designed for U.S. federal, state, and local government agencies.
For AGC deployments:

  • All customer data is stored and processed within the United States

  • Data processing is subject to FISMA, the Privacy Act of 1974, and applicable NIST SP 800-53 controls

  • The TestRay AGC Privacy Policy and Data Processing Addendum govern data processing and take precedence over this general Policy for those deployments

  • Security incidents are reported in accordance with FedRAMP IR-6, including notification to US-CERT/CISA where required

  • Goldfinger participates in Atlassian's Cloud Fortified partner program for AGC-compatible Marketplace apps

9. Data Retention

We may retain data beyond these periods where required by applicable law, regulatory obligation, or to resolve disputes and enforce agreements. Where we retain data beyond standard periods, we will restrict its use to the permitted purpose only.

10. Cookies and Tracking Technologies

We use cookies and similar technologies on our websites (https://www.goldfingersoftware.com and www.testray.com) to operate the site, understand traffic patterns, and improve user experience.

You can control cookies through your browser settings. Disabling essential cookies may affect site functionality. Our Products (TestRay, Plum CRM, CAC/PIV) do not use advertising or behavioral tracking cookies.

11. Security

We implement administrative, technical, and physical safeguards to protect personal information from unauthorized access, disclosure, alteration, or destruction. These include:

  • TLS 1.2 or higher encryption for all data in transit

  • AES-256 encryption at rest within AWS infrastructure

  • Role-based access control and least-privilege enforcement

  • Multi-factor authentication for privileged system access

  • Continuous operational monitoring and security logging

  • Documented incident response procedures with customer notification obligations

  • Annual security reviews and vulnerability management programs

 

If we become aware of a security incident affecting your personal information, we will notify you without undue delay and within 72 hours of confirming the breach, in accordance with applicable law. For AGC deployments, we additionally comply with FedRAMP incident reporting requirements.
To report a security concern, contact us at security@goldfingerholdings.com.

12. Rights of EU/EEA Individuals (GDPR)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

To exercise any of these rights, contact us at the details in Section 15. We will respond within 30 days. Where we cannot fulfill a request, we will explain why.


International Data Transfers
Where personal data originating from the EU/EEA is transferred to the United States or other countries, we rely on appropriate safeguards including:

  • EU-US Data Privacy Framework (DPF) certifications maintained by our infrastructure providers

  • Standard Contractual Clauses (SCCs) incorporated into our agreements with sub-processors

  • Adequacy decisions by the European Commission where applicable

 

Our primary infrastructure providers — Atlassian and Amazon Web Services — maintain recognized international data transfer mechanisms. Details are available in their respective privacy documentation.
If you are dissatisfied with our handling of your personal data, you have the right to lodge a complaint with your local data protection supervisory authority.

13. Rights of U.S. Individuals

Depending on your state of residence, you may have additional privacy rights under applicable U.S. state law. The following rights apply to residents of California (CCPA), Colorado (CPA), Virginia (VCDPA), Connecticut (CTDPA), Utah (UCPA), and other states with applicable privacy laws, to the extent those laws apply:

13.1 How to Exercise Your Rights
To exercise any of the rights above, contact us at privacy@goldfingerholdings.com or by mail at 10845 W Griffith Peak Dr, Suite 200, Las Vegas, NV 89135. We will acknowledge your request within 10 business days and respond within 45 days. If we need additional time (up to 90 days total), we will inform you in writing. We may need to verify your identity before processing your request.

13.2 Authorized Agents
California residents may designate an authorized agent to submit privacy rights requests on their behalf by providing written authorization. We may require verification of both the agent's authority and the consumer's identity before processing the request.

13.3 Right to Appeal (Colorado, Virginia, and Connecticut Residents)
If we decline to take action on your privacy rights request, you may appeal our decision. To appeal, respond to our denial correspondence within 30 days with "Privacy Rights Appeal" in the subject line and explain why we should reconsider. We will respond within 60 days. If we deny your appeal, we will provide information on how to contact your state Attorney General.

13.4 Shine the Light (California Residents)
California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes. For questions, contact us at privacy@goldfingerholdings.com.

For U.S. government employees or contractors using TestRay within AGC, additional rights and protections apply under the Privacy Act of 1974 and FISMA. Please refer to the TestRay AGC Privacy Policy for details.
To exercise your rights, contact us at privacy@goldfingerholdings.com.

 

14. Children's Privacy

Our Products and website are designed for business and government use and are not directed at children under the age of 13 (or 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us at privacy@goldfingerholdings.com and we will promptly investigate and delete the information.

15. Contact Us

For any privacy-related questions, requests, or concerns regarding this Policy or our data practices, please contact us through any of the following:

16. Changes to This Policy

We may update this Policy periodically to reflect changes in our Products, business practices, or applicable law. When we make material changes, we will:

  • Update the version number and effective date at the top of this document

  • Post the revised Policy on our website

  • Notify active customers by email or in-app notice where changes materially affect their rights

 

We encourage you to review this Policy periodically. Continued use of our Products after notice of material changes constitutes acceptance of the updated Policy.

This Policy is provided for informational and compliance transparency purposes. For contractual data processing obligations, please refer to the applicable Data Processing Addendum (DPA) or product-specific privacy documentation.
