Privacy Policy

This Privacy Policy explains how Atlas DevHQ ("Atlas", "we", "us", "our") collects, uses, and protects your information when you use Atlas Cloud at app.useatlas.dev.

If you self-host Atlas, your data stays entirely on your infrastructure. This policy applies to Atlas Cloud only.

We collect the following categories of data:

Account information. Name, email address, and organization details provided during signup. If you use SSO, we receive identity attributes from your identity provider.

Query and conversation history. The natural-language questions you ask, the SQL queries Atlas generates, and the results returned. This data is stored in your workspace and is accessible to your team.

Semantic layer configuration. Entity definitions, metrics, glossary terms, and query patterns you configure to describe your datasources.

Usage metrics. Query counts, token usage, feature usage, and performance data. These are used for billing, capacity planning, and service improvement.

Audit logs. Records of administrative actions (user management, configuration changes, access events) for security and compliance.

Technical data. IP addresses, browser type, and device information collected automatically for security and debugging.

• Service operation. Processing your queries, managing your workspace, and providing the Atlas agent experience.
• Billing. Tracking usage against your plan limits and processing payments through Stripe.
• Security. Detecting abuse, enforcing rate limits, and maintaining audit trails.
• Service improvement. Aggregate, anonymized usage patterns to improve Atlas. We do not use your queries, results, or datasource content to train AI models.
• Communication. Account notifications, security alerts, and product updates. You can unsubscribe from non-essential emails at any time.

Atlas sends your natural-language questions, relevant semantic context, and query results to the configured LLM provider (Anthropic, OpenAI, or another provider you select) so the agent can generate SQL, interpret results, and respond. Result data is not stored by Atlas beyond what is retained in your conversation history.

Each LLM provider has its own data handling policies. When using BYOT (bring your own token), your queries are processed under your direct agreement with the LLM provider.

• Conversation history. Retained for the duration of your subscription. Workspace administrators can configure retention periods.
• Audit logs.Retained according to your plan's audit retention policy (configurable for Enterprise).
• Account data. Retained while your account is active. After cancellation, data is available read-only for 30 days, then permanently deleted.
• Backups. Encrypted backups are retained for disaster recovery and are purged on the same schedule as primary data.

You can request immediate deletion of your data at any time by contacting privacy@useatlas.dev.

We use the following subprocessors to operate Atlas Cloud:

Enterprise customers with data residency requirements can choose their deployment region. We will notify you of changes to our subprocessor list at least 30 days in advance.

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation:

• Access. Request a copy of the personal data we hold about you.
• Rectification. Request correction of inaccurate personal data.
• Erasure.Request deletion of your personal data ("right to be forgotten").
• Portability. Request your data in a structured, machine-readable format.
• Restriction. Request that we limit the processing of your data.
• Objection. Object to processing based on legitimate interests.

To exercise these rights, contact privacy@useatlas.dev. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with your local data protection authority.

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

• Right to know. You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, and the business purposes for collecting it.
• Right to delete. You may request deletion of your personal information, subject to certain exceptions (e.g., data needed to complete a transaction or comply with legal obligations).
• Right to opt-out of sale. We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
• Non-discrimination. We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact privacy@useatlas.dev. We will verify your identity before processing your request and respond within 45 days.

Atlas Cloud uses only essential cookies required for the service to function:

• Session cookies. Used to maintain your authenticated session. These expire when you log out or after a period of inactivity.
• Preference cookies. Used to remember your workspace settings (theme, layout).

We do not use third-party tracking cookies, advertising cookies, or analytics cookies. We do not participate in cross-site tracking or behavioral advertising.

We implement industry-standard security measures to protect your data:

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access control (RBAC) with configurable custom roles for Enterprise.
• SQL validation through a 4-layer pipeline to prevent injection and unauthorized data access.
• IP allowlisting and SSO/SCIM integration for Enterprise customers.
• Audit logging of all administrative and data access events.
• PII detection to flag sensitive data in query results.
• Sandboxed code execution for explore operations.

For details on our security practices, see our Data Processing Agreement.

Atlas Cloud is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

For privacy-related questions or requests, contact us at privacy@useatlas.dev.

For general inquiries, contact support@useatlas.dev.