Atlassian's Opt-Out Only Comes in Enterprise

Introduction

Atlassian processes your team's bug reports, product roadmaps, sprint notes, and Confluence documentation. Starting August 17, 2026, all of it trains Atlassian's AI by default, at no charge to Atlassian. The only way to fully opt out is the Enterprise tier, which has no published price and requires a sales call to find out what it costs.

What the Tier Table Actually Does

The new Data Contribution settings page splits Atlassian customers into four bands by how much money each plan sends Atlassian, and the privacy controls follow the revenue line.

Free and Standard customers have metadata collection locked "on" with no toggle. Premium customers also have metadata locked on, though in-app data defaults to off. Only Enterprise customers get a working opt-out for both data types. Atlassian's Head of Product Communications, Arseny Tseytlin, told The Register the quiet part directly: "If an Atlassian customer's highest active plan is Free, Standard, or Premium, metadata contribution is always on, and they are not able to opt out."

Atlassian has turned privacy into a paid add-on bundled inside a sales-gated enterprise contract, and the tier structure is doing upgrade-pressure work on top of the same data flow that feeds Rovo, the AI product meant to justify Atlassian's valuation.

What "Metadata" Actually Means

Atlassian's own Trust page defines metadata more broadly than "anonymized statistics." The list includes readability scores, semantic similarity scores, story points, sprint end dates, and phrases and keywords extracted from search queries and Rovo Chat conversations. Some of those fields are configuration data. Others are derived content, meaning the phrases your team searches and the keywords your team chats, turned into training signal.

If your team has ever written a Jira ticket describing a specific customer bug, searched Confluence for an acquisition target by name, asked Rovo Chat about an unreleased feature, or run a sprint retro tagged with a client account, those inputs produce extracted metadata that Atlassian considers in scope for training starting August 17. Atlassian says this is de-identified before use, which is a narrower claim than "we don't look at what your team typed," because the metadata is generated by looking at what your team typed.

The Receipts Atlassian Left on Its Own Site

Here's the part that made me stop and check the URL twice. Atlassian's support page titled "Rovo and Atlassian Intelligence customer data is not used for AI model training" was last updated November 6, 2025. As of today, it still says, verbatim: "Customer data, including data submitted to or generated by Rovo and Atlassian Intelligence, is never used to train, fine-tune, or improve AI models or services."

The page is live and indexed right now on Atlassian's own domain, promising "never," while less than six months after its last update the company announced a policy that begins training on that same customer data on August 17, 2026. The company's defense is that the prior commitment covered AI session inputs (prompts and responses to Rovo) while the new policy covers platform operational data (Jira tickets, Confluence pages). That's a distinction the prior page does not draw, and it's a distinction most customers reading "customer data is never used to train AI models" were not making in their heads when they chose to keep their bug reports on Atlassian.

Then there's the timing. On March 11, Atlassian cut 1,600 jobs (about 10% of its workforce), framing the cuts in its own blog as a way to "self-fund further investment in AI and enterprise sales." Five weeks later, on April 17, the data contribution policy was announced. The layoffs pay for the AI build, and the policy supplies the training corpus that build needs.

The GDPR Gap Nobody's Filled

The EU side of this is where the legal foundation gets thin. Atlassian's GDPR commitment page and its Data Processing Addendum do not specify the lawful basis for metadata collection from EU customers. The EDPB's December 2024 opinion on AI models set out a three-step test for legitimate interest as a basis for AI training: legitimate interest, strict necessity, and balancing of rights. The balancing step requires data subjects to "reasonably expect" such uses.

A B2B SaaS customer signing up to manage sprints and track bugs is probably not "reasonably expecting" that their ticket titles, sprint velocities, extracted search phrases, and Rovo Chat keywords will feed a vendor's AI product. CNIL, France's data protection authority, went a step further in its June 2025 guidance, requiring a documented Legitimate Interest Assessment on a case-by-case basis for AI training uses. Atlassian has not published one. Whether it has one internally is a question regulators can ask after August 17.

Zoom, Two Years and Four Days Ago

In March 2023, Zoom added Terms of Service language granting itself a license to use customer "audio, video, chat, screen-sharing, attachments or other communications" for "machine learning, artificial intelligence, training, testing." After public backlash in early August 2023, Zoom reversed the policy in four days. CEO Eric Yuan called it "a process failure internally." TechCrunch's legal analysis at the time noted that Zoom's drafting mixed bundled consent and pre-checked opt-ins that weren't compatible with EU consent frameworks.

Zoom had four days. Atlassian has four months until August 17, and the live question is whether the policy survives its own comment period with the tier structure intact.

The Free-Tier Healthcare Hole

A dental practice on Atlassian's free tier posted in the Atlassian Community forum asking how to opt out. The thread's Community Champions confirmed that free-tier users currently "have little to no control" over data contribution, and the admin settings described in Atlassian's documentation are not accessible at the free license level.

Atlassian's exemption language says HIPAA-covered entities are excluded from data contribution. The exclusion requires a specific HIPAA account designation. A healthcare organization on a standard free plan has PHI flowing through Jira tickets and no technical switch to stop it. That particular thread has no official Atlassian response.

Who Benefits

Atlassian Corporation (NASDAQ: TEAM), and in two specific ways that compound.

The first is data economics. Atlassian's FY2025 earnings release reported $5.215 billion in revenue, $2.669 billion in R&D spend (51.2% of revenue), and 2.3 million AI monthly active users. The Teamwork Graph, Atlassian's proprietary index of 100+ billion objects and connections across Jira, Confluence, and connected tools, is the competitive moat. Training AI on the content of those objects makes Atlassian's AI measurably better than Linear or any competitor without equivalent enterprise workflow data, and if the training data arrives without consent cost, the margin on Rovo improves directly.

The second is upsell mechanics, and it's the tier table doing structural work. Any customer who cares about data use has exactly one product path to a full opt-out, and that path goes through an Enterprise sales rep. Atlassian does not publish Enterprise pricing. Privacy has been repositioned from a default setting into a line item on a custom quote. Every Standard and Premium customer with a compliance team now has a new reason to schedule the Enterprise call. Atlassian's stock was $66.94 on April 17, market cap $18.65 billion, max drawdown 75.13% from peak.

The Counter-Argument, and Why It Doesn't Hold

Atlassian offers three defenses worth examining: the data is de-identified before use, regulated sectors get full exemptions, and Free through Premium customers can toggle off in-app data.

De-identification means direct identifiers are stripped, not that the resulting dataset can't be fingerprinted. The metadata in scope includes extracted search phrases, keywords, and semantic similarity scores derived from what users type into Jira and Rovo Chat, which is usage-pattern data. The research track record on metadata de-anonymization is consistent: pattern matching against supplementary sources can re-identify organizations from aggregated usage signals without a single name attached. Atlassian's claim is that it stripped the names. The stronger claim, that the data can't be reconstructed, is not one they're making.

The regulated-sector exemptions look like protections until you read them as admissions. HIPAA, Government Cloud, Isolated Cloud, and BYOK customers are all carved out. If de-identification genuinely neutralized the data sensitivity, those sectors wouldn't need special treatment. Atlassian exempted them because their data is sensitive regardless of whether names are stripped, which is exactly the argument critics are making about everyone else's data.

Qualifying for an exemption also isn't automatic. It requires the right account designation, a step that Atlassian's own Community forum suggests free-tier organizations may not be able to complete. The dental practice asking how to opt out got "little to no control" as an answer, not a form to fill in.

The in-app toggle is real. Free, Standard, and Premium customers can turn off Jira ticket bodies and Confluence page text. But metadata (the derived signals from search patterns, chat keywords, and sprint data) has no switch below Enterprise, and no one at Atlassian has answered what fills that gap.

The Bottom Line

The next four months tell us which direction this settles. Zoom reversed a structurally similar policy in four days under public pressure. Atlassian has a longer runway and a stronger financial incentive to keep the tier structure intact, which is exactly why the comment period matters and why the November 2025 support page is the evidence to watch. If Atlassian quietly edits that page to match the new policy, it's conceding the contradiction without admitting it. As of today, the page still reads "never."

The open question: if a European data protection authority reads the new policy and asks Atlassian for its Legitimate Interest Assessment, what do they hand over? The company has until August 17 to have an answer.