When installing Smart Guess or when significant changes are made, users need to grant the solution the following access:

...

Where the heading says:

...

Smart Guess for Sprint Planning would like to access your Atlassian account

...

The following table describes the permissions Smart Guess requires and why they are needed:

Required permissions	Why is it needed?
Share data with domain: api.smartguess.is	Smart Guess Realtime Engine shares key user actions with everyone the team taking part in the estimation, when it happens. Critical so that all team members can see who has joined, who has given an estimate, etc. The Realtime Engine, doesn’t process or store any personal data, in line with the GDPR principle of 'purpose limitiation'.
View Jira issue data	Allows Smart Guess to read the issue key in order to retrieve current state of the planning session for the issue. Furthermore retrieve current story point value to show users if story points needs saving.
View user profiles	Used to identify who has joined the planning session, who has given an estimate and retrieve users name, profile picture displayed to users. Notice that Smart Guess does not store any personal data. Only retrieves it on demand, in line with GDPR principle of ‘data minimisation’.
Create and manage issues	Allows Smart Guess to: check if the story point field can be updated save the story point value selected	View user profile	Used to retrieve the following information about the currently logged-in user: has the user already joined the planning session users estimate
App storage scope	Allows Smart Guess to store current state of the planning session for the current issue. In other words; what users have joined and their estimates. Notice that Smart Guess does not store any personal data. Only retrieves it on demand, in line with the GDPR principle of data minimisation.
Write Jira User Property	Used to track if the current user has already seen user onboarding messages new release messages So that these messages are only displayed once for each user.
Write Jira Field	Used to keep the following information up to date: Estimated by - who has estimated the issue T-shirt estimate

Why other apps on the marketplace do not require “Allow access”?

Jira Cloud apps that don’t ask users to “Allow access” are built on the older Atlassian Connect framework, where the app servers and data are operated and maintained by the app developer. Atlassian moving away from this setup and is working towards Unifying Atlassian Connect and Forge.

With the new Forge framework, Atlassian is

giving customers confidence in app security with more control and visibility into which apps have access to what data”

New apps built on Forge fundamentally differ from ones built using the Atlassian Connect cloud development framework. With Forge, apps are built and run within the boundaries of Atlassian’s cloud platform, unlocking new benefits for developers and customers.

...

Platform compliance

Forge lets developers keep customer data hosted in the Atlassian cloud, making it easier to comply with GDPR and other regulatory requirements. Atlassian is working towards SOC2 certification for Forge, as well as making Forge meet the needs of customers’ data residency requirements in the future.

...

More information about this here https://www.atlassian.com/blog/announcements/forge-launch