Privacy Policy
Last updated: 2026-04-09
What This Extension Does
ADO Sprint Report is a browser extension that provides sprint analytics for Azure DevOps. It reads your Azure DevOps sprint data and displays it in a dashboard with burndown charts, effort analysis, and scope change tracking.
Optionally, the extension can also connect to Dynamics 365 CRM to compare CRM project data (resource bookings, time entries, budgets) with ADO sprint metrics. This CRM integration is configured separately and requires an Azure app registration.
Data Collection
What we access
- Azure DevOps session cookies — used to authenticate API calls to Azure DevOps on your behalf. These cookies are read from your browser session and are never stored, transmitted to third parties, or persisted to disk.
- Azure DevOps API data — sprint data (work items, effort hours, states) is fetched from your Azure DevOps organisation via the REST API and Analytics OData service. This data is used solely to render the dashboard.
- Page URL information — the extension reads the current page URL on Azure DevOps pages to extract organisation, project, team, and sprint context. This is used to pre-fill the dashboard with the correct parameters.
- Dynamics 365 CRM data (optional) — if you enable CRM integration, the extension authenticates with Microsoft Entra ID (Azure AD) using OAuth2 with PKCE to access the Dynamics 365 Web API. It fetches project details, resource bookings, and time entries. This data is passed to the dashboard for display but is never sent to any other server.
- Microsoft Entra ID authentication (optional) — the extension uses chrome.identity.launchWebAuthFlow to perform OAuth2 authentication with your Microsoft Entra ID account. This is a standard browser-based sign-in flow. No client secret is used (public client / PKCE). The access token is stored locally in the extension and is never transmitted to any server other than Dynamics 365.
What we store
- Dashboard URL preference — stored locally in chrome.storage.local. Default: https://ado.stelk-consulting.uk.
- Previously used organisations — stored locally in your browser's localStorage for convenience.
- CRM configuration (optional) — if CRM integration is enabled, the Tenant ID, Client ID, Organisation URL, and selected Project ID are stored in chrome.storage.local. These are identifiers only, not secrets.
- CRM access and refresh tokens (optional) — stored in chrome.storage.local. These tokens are used to authenticate with Dynamics 365 and are automatically refreshed. They never leave the extension except in API calls to Dynamics 365 directly.
What we DO NOT collect
- No telemetry or analytics (unless you opt in — see Analytics section below)
- No personal information beyond what Azure DevOps provides
- No usage tracking or behavioural data
- No advertising data
- No data is sold or shared with third parties
- No Personal Access Tokens are stored (the extension eliminates the need for PATs)
Data Transmission
- To Azure DevOps — the extension makes read-only API calls to dev.azure.com and analytics.dev.azure.com using your existing browser session. These calls fetch the same data you can see in Azure DevOps.
- To Dynamics 365 (optional) — if CRM integration is enabled, the extension makes read-only API calls to your Dynamics 365 organisation (e.g. *.crm4.dynamics.com) using an OAuth2 access token. Only project, booking, time entry, and resource data is fetched.
- To Microsoft Entra ID (optional) — for CRM authentication, the extension communicates with login.microsoftonline.com to obtain and refresh OAuth2 tokens. This is the standard Microsoft identity platform flow.
- To the dashboard — if you use the hosted dashboard at ado.stelk-consulting.uk, sprint data is displayed in your browser. CRM data is passed from the extension to the dashboard page as structured data (not tokens). The dashboard server does not store your data.
- To the companion app — if you install the optional companion desktop app, the extension can share ADO session cookies with it via a secure localhost WebSocket connection. This is opt-in and only works on your local machine (127.0.0.1). CRM tokens are never shared with the companion app.
- No other servers — no data is sent anywhere else (unless you opt in to analytics — see below). There is no crash reporting, no remote logging.
Analytics (Opt-in)
If you choose to enable analytics in the dashboard settings, we use Microsoft Clarity to collect anonymous usage data. This is completely optional and off by default — you must explicitly opt in.
What Clarity collects when enabled
- Click and scroll behaviour — where you click and how far you scroll
- Session replays — anonymous DOM-based recordings of page interactions (mouse movement, clicks, scrolling). These are reconstructions from page structure, not screen recordings
- Frustration signals — automatic detection of rage clicks and dead clicks
- Browser and device metadata — browser type, OS, screen size
- Page URLs — which pages you visit within the dashboard
- Two first-party cookies (_clck, _clsk) — used to link page views into sessions
What Clarity does NOT collect
- Input field content, passwords, or Personal Access Tokens
- Personal data beyond browser metadata
- All sensitive content is masked by default and never leaves your browser
Technology and data handling
- Provider: Microsoft Clarity (free, open-source tracking code)
- GDPR compliant — covered by the Microsoft Privacy Statement
- Data storage: Microsoft Azure
- Retention: Session recordings are kept for 30 days, heatmap data for up to 13 months
- Microsoft does not sell this data
Your control
- Analytics is off by default — opt in via Settings → Privacy in the dashboard
- You can opt out at any time — analytics stops on the next page load
- No server-side data is associated with your identity — there is nothing to delete on our end
Security
- All ADO API calls are read-only (GET requests only)
- All CRM API calls are read-only (GET requests only)
- CRM authentication uses OAuth2 with PKCE — no client secret is required or stored
- CRM access tokens are stored only in chrome.storage.local within the extension and are never sent to the dashboard server or any third party
- Cookie brokering (for the companion app) is restricted to Azure DevOps domains only — CRM tokens are never shared via the cookie broker
- The companion app connection is localhost-only (127.0.0.1) with origin verification
- No credentials are ever written to disk outside of Chrome's extension storage
Your Rights
- You can uninstall the extension at any time, which removes all locally stored preferences including CRM tokens
- You can sign out of CRM via the extension popup at any time, which clears all stored tokens
- You can clear your browser's localStorage to remove saved organisation preferences
- The extension has no server-side account — there is nothing to delete on our end
Changes to This Policy
We may update this privacy policy from time to time. Changes will be reflected in the "Last updated" date above.
Contact
For questions about this privacy policy or the extension:
- Email: [email protected]
- Website: ado.stelk-consulting.uk