Privacy Policy

01Who we are

Atlas is operated by Arthea ("Atlas", "we", "us"). For the personal data described here, Atlas is the data controller for its own account and marketing data, and a processor for the data inside your workspace (see our DPA).

For any privacy question, email legal@arthea.io.

02Data we collect

Account data you provide: name, work email, company, role, and billing details. Workspace data you connect: your store, channels, and the metrics, content, and records those integrations expose. Usage and device data: log data, IP address, browser type, and product telemetry needed to operate and secure the service. Support communications: the messages and context you share when you contact us.

We do not intentionally collect special-category personal data, and we ask that you not put it into the product.

03How we use data, and our legal bases

To provide the service and operate your workspace, including running agents on your behalf (performance of our contract with you). To secure, debug, and improve the service, and to understand usage in aggregate (our legitimate interests). To send service and, where permitted, marketing messages (consent or legitimate interests, with an opt-out in every marketing message). To meet legal, tax, and accounting obligations (legal obligation).

We never sell your data, and we never use your workspace data to train machine-learning models, ours or anyone else’s.

04Sharing and sub-processors

We share data only with vetted sub-processors that help us run the service, hosting, model inference, email delivery, payments, and analytics, under contracts that require equivalent protection. The current sub-processor list is available on request.

We may also disclose data where required by law, to protect our rights, or as part of a merger or acquisition (you will be notified of any change of controller).

05Where your data lives, and transfers

Data is hosted in the European Union (Frankfurt) by default, with per-tenant Postgres row-level isolation so one workspace can never read another. Where a sub-processor requires a transfer outside the EEA, we rely on adequacy decisions or the European Commission’s Standard Contractual Clauses.

06How long we keep it

We keep account and workspace data for as long as your account is active. On closure, we export your shared memory as JSON on request and delete or anonymise personal data within 30 days, except where we must retain limited records to meet legal obligations.

07Security

We protect data with encryption in transit and at rest, per-tenant isolation, least-privilege access controls, audit logging of agent actions, and regular review. SOC 2 Type II is in progress. No system is perfectly secure, but we treat your data as we treat our own.

08Your rights

Subject to applicable law, you can access, correct, export, restrict, or delete your personal data, object to certain processing, and withdraw consent at any time. Email legal@arthea.io and we respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

09Cookies

We use a small set of essential and privacy-respecting analytics cookies. See the Cookie Policy for details and controls.

10Children

Atlas is a business product not directed to children, and we do not knowingly collect data from anyone under 16.

11Changes and contact

We will post material changes here and, where appropriate, notify you in-product or by email. Questions or requests: legal@arthea.io.