This Privacy Policy describes how Atlas (“we,” “us,” “our”) collects, uses, shares, and protects information when you use the Atlas website, web applications, APIs, and related services (collectively, the “Service”). This Policy applies to all users of the Service, with supplemental disclosures in the California / CPRA, EU / EEA / UK GDPR, and Children’s privacy sections below.
1. Information we collect
Account information
When you create an account, our identity provider (Clerk, Inc.) collects your email address, display name, and any authentication credentials you configure (password, social sign-in tokens, or passkeys). We receive a stable user identifier from Clerk that lets us associate your uploaded data with your account. We do not store passwords ourselves.
Portfolio data you upload
When you upload a trade ledger (.xlsx) or enter holdings manually, we receive and process the contents: trade dates, tickers, quantities, prices, fees, cash flows, account labels, and any Investment Policy Statement targets you provide. This data is stored so your tearsheet is ready for you on your next visit.
Derived analytics
We generate and store analytics computed from your inputs — risk metrics, factor loadings, stress results, tax-lot positions, AI-generated memos, and similar derivations. These are retained for the same duration and with the same access scope as the underlying portfolio data.
Usage data and server logs
We log basic information about how the Service is used — pages viewed, actions taken, timestamps, IP address (truncated where feasible), user agent, and error traces — to operate and improve the Service, detect abuse, and debug issues. Server logs are retained for up to 90 days.
Cookies and similar technologies
We use strictly necessary cookies for authentication and session management (via Clerk) and for CSRF protection. We do not use third-party advertising cookies, cross-site tracking pixels, or analytics providers that fingerprint visitors. Your browser also keeps a localStorage cache of your most recent tearsheet so the dashboard loads quickly; clearing your browser data removes it.
2. How we use information
- To provide the Service, including computing analytics on your uploaded data;
- To authenticate you and secure your account;
- To respond to support requests and communicate important Service updates;
- To monitor, debug, and improve the Service (using de-identified or aggregated data where feasible);
- To detect, prevent, and address fraud, abuse, or violations of our Terms;
- To comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.
3. What we do not do
- We do not sell your data to third parties.
- We do not share your data with third parties for cross-context behavioral advertising.
- We do not show advertising based on your portfolio contents.
- We do not train our own or third-party machine-learning models on your uploaded portfolio data.
- We do not share your portfolio data with other Atlas users.
4. Automated decision-making
Atlas applies automated processing to your uploaded data to produce analytics (including AI-generated commentary via Anthropic’s Claude). No legally significant decisions about you are made solely by automated means. Outputs are shown to you for educational purposes; Atlas does not execute trades, approve credit, or make any binding determination about you based on these outputs. If you are an EU/UK data subject, you have the right to request human review of any automated processing per Article 22 of the GDPR; see Section 11.
5. Third-party sub-processors
We rely on the following sub-processors to operate the Service:
- Vercel, Inc. — cloud hosting, serverless compute, edge routing, and request logs. Data is processed primarily in the United States.
- Clerk, Inc. — user authentication and session management.
- Upstash / Redis by Vercel — managed key-value store for your tearsheet, IPS, and portfolio index. Scoped by your Clerk user identifier.
- Resend, Inc. — transactional email delivery (welcome, receipts, contact-form intake).
- Anthropic, PBC — AI-model inference for Atlas Brief, What-If commentary, and rebalance narratives. Per Anthropic’s API terms, your data sent to the Claude API is not used to train Anthropic models.
- Yahoo Finance (via yfinance) and FRED (via fredapi) — public-market-data lookups. We send ticker symbols and receive public market data; no personal data is transmitted.
Each sub-processor has its own privacy and security practices. We share only the minimum information needed for each service to function. We may add or replace sub-processors; material changes will be reflected in this Policy.
6. How your portfolio is stored (technical detail)
When you upload a trade ledger, Atlas parses it, pulls live prices, and computes your tearsheet. A JSON snapshot of that tearsheet (plus the source rows we need for Refresh and What-If) is saved so it's ready for you on your next visit. Specifically:
- Storage layer: managed Redis-compatible key-value store (Upstash via Vercel integration) hosted in the United States.
- Encryption in transit: TLS 1.2+ on every connection between Atlas servers and Upstash. No plaintext traffic on the wire.
- Encryption at rest: AES-256 on the managed provider’s disks. If a physical drive were removed from the data center, the bytes would be unreadable without the provider’s keys.
- Per-user scoping: every record is keyed by your Clerk user identifier (e.g. atlas:portfolio:v2:user_XXXX:portfolio_YYY). Every server route checks your authenticated session and binds every read and write to your user ID.
- Retention: 90 days from your last upload. After that, the record auto-expires. You can delete any individual portfolio, or your entire dataset, from the Portfolios page or Account page at any time.
- Local cache: for speed, your browser also keeps a copy of the latest tearsheet in localStorage, scoped to your user ID. Clearing browser data removes it.
7. What we never store
To keep the blast radius of any incident small, Atlas is deliberately designed to avoid touching the following:
- Brokerage account passwords, API keys, or OAuth tokens.
- Account numbers, routing numbers, or tax identifiers (SSN / ITIN / EIN).
- Payment methods, credit card numbers, or bank account details.
- Your real name, mailing address, phone number, or date of birth (beyond what your Clerk profile contains for sign-in purposes).
8. Data retention
Your portfolio snapshots auto-expire 90 days after their last upload. Investment Policy Statements auto-expire 365 days after their last save. Account information (email, sign-in details) is retained while your account is active. Server logs are retained up to 90 days. When you delete your account, we delete or anonymize your data within 30 days, subject to narrow legal and operational exceptions (e.g., backup retention cycles, fraud prevention, legal holds).
9. Security and breach notification
We use industry-standard encryption in transit (TLS) and at rest (AES-256), per-user data scoping, and authenticated API routes. Despite our safeguards, no system is perfectly secure. In the event of a security incident involving unauthorized access to your personal data, we will notify you and applicable regulators in accordance with applicable law, including — where applicable — within 72 hours under Article 33 of the GDPR, and without unreasonable delay under state data-breach laws such as California Civil Code § 1798.82. Report suspected security issues via our contact form with subject line “Security.”
10. California / CPRA disclosures
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you the following rights. Atlas’s practices with respect to the categories of personal information defined under Cal. Civ. Code § 1798.140 are as follows:
| Category collected | Source | Purpose | Shared / Sold? |
|---|---|---|---|
| Identifiers (email, user ID) | You, via Clerk | Authentication, service operation | Not sold. Not shared for cross-context ads. |
| Commercial information (portfolio ledger) | You, via upload or manual entry | Computing your analytics | Not sold. Not shared except to sub-processors listed in Section 5. |
| Internet/device activity (IP, user agent, pages) | Your browser, server logs | Security, debugging, abuse prevention | Not sold. Not shared for cross-context ads. |
| Inferences (derived analytics) | Atlas engine (from your inputs) | Displaying the Service to you | Not sold. Not shared for cross-context ads. |
| Sensitive PI | None collected | N/A | N/A |
Your CPRA rights: the right to know what personal information we have collected, used, disclosed, or sold; the right to delete personal information; the right to correct inaccurate personal information; the right to opt out of sale or sharing (we do not sell or share for cross-context behavioral advertising, so there is nothing to opt out of, but we honor opt-out signals for any future change); the right to limit use of sensitive personal information (we do not collect any); and the right to non-discrimination for exercising these rights. To exercise any right, contact us via our contact form with subject line “California privacy request” from the email on your account.
Do Not Sell or Share My Personal Information. Atlas does not sell or share personal information as those terms are defined under the CPRA. This notice is provided in compliance with the CPRA disclosure requirement.
Shine the Light (Cal. Civ. Code § 1798.83): California residents may request information about any disclosure of personal information to third parties for direct-marketing purposes. Atlas does not make such disclosures.
11. EU / EEA / UK GDPR disclosures
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (and UK GDPR) give you specific rights. The controller of your personal data is Atlas. You may reach us via the contact form.
Legal bases for processing:
- Contract (Article 6(1)(b) GDPR) — processing necessary to provide the Service you requested (account creation, tearsheet computation, data storage).
- Legitimate interests (Article 6(1)(f)) — security, fraud prevention, service improvement, and responding to support requests, balanced against your rights and freedoms.
- Consent (Article 6(1)(a)) — where required, for specific processing activities such as optional email communications beyond account-related messaging.
- Legal obligation (Article 6(1)(c)) — compliance with applicable law, court orders, and regulatory requests.
Your rights under the GDPR / UK GDPR include:
- Access (Article 15) — obtain a copy of your personal data.
- Rectification (Article 16) — correct inaccurate data.
- Erasure / “right to be forgotten” (Article 17).
- Restriction of processing (Article 18).
- Data portability (Article 20) — receive your data in a structured, commonly used format.
- Objection (Article 21) — object to processing based on legitimate interests.
- Withdraw consent at any time (Article 7(3)) where processing is based on consent, without affecting prior processing.
- Complain to a supervisory authority (Article 77) in your country of residence.
International data transfers. Atlas is operated from the United States and some of our sub-processors are U.S.-based. Where we transfer personal data from the EEA, UK, or Switzerland to the United States, we rely on the European Commission’s Standard Contractual Clauses (2021 Module 2 controller-to-processor, or Module 1 controller-to-controller as appropriate), the UK’s International Data Transfer Addendum, and the Swiss FDPIC mechanism. Specific SCC text is available upon request.
Data Protection Officer. Given our scale, we have not appointed a DPO, which is consistent with Article 37(1) criteria. You may raise data-protection questions via our contact form with subject line “GDPR request.”
12. Children’s privacy (COPPA)
The Service is not directed to and is not intended for children under 13, and the eligibility provision in our Terms requires all users to be at least 18. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA/UK). If you believe a child has provided us with personal information in violation of applicable law, contact us via our contact form with subject line “COPPA,” and we will delete the information promptly.
13. International users
Atlas is operated from the United States. If you access the Service from outside the US, you consent to the transfer of your information to the US, which may have different data-protection rules than your home jurisdiction. EEA/UK/Swiss residents: see Section 11 for applicable safeguards.
14. Changes to this Policy
We may update this Privacy Policy from time to time. For material changes, we will provide notice at least 30 days in advance via the email associated with your account and/or a prominent in-product notice. Non-material changes take effect upon posting. The “Last updated” date at the top of this page indicates the most recent revision.
15. Contact
Questions or requests — including any of the CPRA, GDPR, or COPPA rights described above — should be directed to our contact form with a clear subject line.
This Policy is provided in good faith and should be reviewed by a licensed attorney familiar with applicable privacy law (including the GDPR, UK GDPR, CPRA, and other regional requirements) before the Service is scaled to a larger or more regulated user base.