Privacy Policy
This Privacy Policy explains how Hypergrowth AB ("we", "us", "our"), the company behind the Atlas platform, collects, uses, stores, and protects personal data. It applies to all users of the Atlas platform at https://useatlas.io and to individuals whose personal data is processed through the platform on behalf of our customers.
| Legal Entity | Hypergrowth AB |
| Address | Rökubbsgatan 6, 115 59 Stockholm, Sweden |
| Contact | admin@useatlas.io |
| Supervisory Authority | Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) |
1. About Atlas
Atlas is a B2B AI-powered prospecting and outreach platform. It helps businesses identify, research, and engage potential business contacts through multi-channel outreach, contact enrichment, CRM synchronisation, and AI-assisted content generation.
Atlas is designed exclusively for business-to-business use. It is not directed at consumers or individuals acting in a personal capacity.
2. Our Dual Role Under Data Protection Law
Hypergrowth AB operates in two distinct capacities under the General Data Protection Regulation (EU) 2016/679 ("GDPR"):
2.1 Controller
We act as a data controller for the personal data of individuals who register for and use the Atlas platform ("platform users"). This includes account data, authentication data, billing data, and application monitoring data. We determine the purposes and means of processing this data.
2.2 Processor
We act as a data processor for prospect, contact, campaign, CRM, and enrichment data that our customers process through Atlas. Our customers (the data controllers) determine the purposes and means of this processing, including which individuals to prospect, what messages to send, and which data to synchronise with their CRM systems. We process this data solely on our customers' documented instructions.
Our obligations as a processor are set out in our Data Processing Agreement ("DPA"), which forms part of our Terms of Service.
3. Personal Data We Collect as Controller
When you create an account and use Atlas, we collect and process the following categories of personal data:
3.1 Account and Profile Data
| Data | Purpose |
|---|---|
| Full name | Account identification, display in the application |
| Email address | Authentication, transactional communications, account recovery |
| Profile image URL | Display in the application |
3.2 Authentication and Security Data
| Data | Purpose |
|---|---|
| Login timestamps | Security monitoring, session management |
| Onboarding status | Application experience personalisation |
| IP addresses | Session security validation, abuse prevention |
| User agent strings | Session security validation, device verification |
| Session tokens | Authentication, session management |
3.3 Organisation and Billing Data
| Data | Purpose |
|---|---|
| Organisation name | Multi-tenancy, account management |
| Billing contact email | Invoicing and payment communications |
| Stripe customer ID | Payment processing |
| Stripe subscription ID | Subscription management |
| Credit usage records | Metered billing, usage tracking |
3.4 Feature Targeting Data
| Data | Purpose |
|---|---|
| User ID | Feature flag evaluation |
| Email address | Feature flag targeting |
| Organisation ID | Feature flag targeting |
| Organisation name | Feature flag targeting |
Feature flag evaluation is performed server-side only. No cookies or client-side tracking scripts are used for this purpose.
4. Personal Data We Process on Behalf of Customers (Processor Role)
When our customers use Atlas, we process personal data on their behalf and under their instructions. The full details of this processing are documented in our Data Processing Agreement (DPA), Annex I. A summary of the categories of data processed includes:
- Contact and prospect data — names, professional email addresses, phone numbers, job titles, LinkedIn profile URLs, profile photos, professional skills, and business locations
- Campaign and engagement data — outbound message content (email and LinkedIn), engagement metrics (opens, clicks, replies, bounces)
- CRM data — contact, company, and deal records synchronised between Atlas and the customer's CRM system
- AI interaction data — prompts containing business context (contact names, job titles, company information) and AI-generated content (message drafts, research summaries, analysis)
- Call metadata — phone numbers, call duration, timestamps, and call recordings when enabled by the customer with appropriate participant consent
- Uploaded documents — files uploaded by the customer, which may contain personal data at the customer's discretion
If you are a prospect or contact whose data is being processed through Atlas, the data controller is the Atlas customer who initiated the processing. Please contact them directly to exercise your data protection rights. See Section 10 for further details.
5. Legal Bases for Processing (GDPR Article 6)
5.1 Data We Control (Platform User Data)
| Legal Basis | Processing Activities |
|---|---|
| Art. 6(1)(b) — Contract performance | Account creation and management, authentication, platform feature delivery, billing and subscription management, credit usage tracking |
| Art. 6(1)(c) — Legal obligation | Retention of accounting records and billing data as required by Swedish and EU tax and accounting law |
| Art. 6(1)(f) — Legitimate interest | Security monitoring (IP logging, session validation), application error tracking, feature flag evaluation for platform improvement |
For processing based on legitimate interest, we have conducted balancing assessments to ensure our interests do not override the rights and freedoms of data subjects.
5.2 Data We Process on Behalf of Customers
Our customers are responsible for establishing a valid legal basis for their processing activities. Common legal bases our customers rely on include:
- Art. 6(1)(f) — Legitimate interest for B2B prospecting and outreach to professional contacts
- Art. 6(1)(b) — Contract performance for processing data of their existing business relationships
6. Cookies and Tracking Technologies
Atlas uses a minimal set of cookies and tracking technologies. We do not use analytics cookies, marketing trackers, or third-party advertising cookies.
| Technology | Type | Purpose | Duration |
|---|---|---|---|
| Better Auth session cookie | Strictly necessary | User authentication and session management | Session-based with automatic expiry |
| sidebar_state | Functional | Remembers the user's UI sidebar preference | 7 days |
6.1 Error Monitoring
Atlas uses Sentry for client-side error tracking. When enabled, unhandled JavaScript errors are captured and transmitted via a server-side tunnel. Sentry does not set cookies, does not perform performance tracing, and is only active when configured by the deployment. Error reports may include the URL where the error occurred, browser information, and a stack trace.
6.2 Feature Flags
Atlas uses GrowthBook for feature flag management. All flag evaluation occurs server-side. No cookies are set on the client, and no client-side scripts are loaded. The attributes sent for flag evaluation are limited to user ID, email address, organisation ID, and organisation name.
7. Data Sharing and Sub-Processors
We share personal data with third-party service providers ("sub-processors") only to the extent necessary to operate the Atlas platform. We maintain written agreements with all sub-processors that impose data protection obligations no less protective than those in our DPA.
7.1 Sub-Processors for Controller Data
| Provider | Location | Purpose |
|---|---|---|
| Supabase | EU (Stockholm) | Database hosting |
| Vercel | EU (Stockholm) | Application hosting |
| Stripe | EU | Payment processing and subscription management |
| Resend | EU | Transactional email delivery (account notifications) |
| Grafana Labs | EU (Germany) | Application monitoring and observability |
7.2 Sub-Processors for Customer Data (Processor Role)
The full list of sub-processors used when processing data on behalf of customers is maintained in our Data Processing Agreement, Annex III. Key categories include:
- EU-based providers — Airscale (contact enrichment), Unipile (messaging), Langfuse (LLM observability)
- US-headquartered, EU data processing — Supabase, Azure OpenAI, AWS Bedrock, Azure Speech, Grafana, Upstash, Stripe, Vercel, Resend, Telnyx
- US data processing — Forager (person search), Nango (CRM middleware)
7.3 CRM Providers
When a customer connects their CRM system (HubSpot, Salesforce, Attio, or Upsales), data is synchronised with that provider under the customer's own agreement with the CRM provider.
7.4 Sub-Processor Changes
We notify customers at least 14 days in advance of any intended addition or replacement of sub-processors, in accordance with our DPA.
7.5 No Sale of Personal Data
We do not sell personal data to third parties. We do not share personal data with third parties for their own marketing purposes.
8. International Data Transfers
The majority of personal data processing occurs within the European Economic Area (EEA), with our primary infrastructure hosted in the EU (Stockholm, Sweden).
Where personal data is transferred to countries outside the EEA that do not benefit from an adequacy decision by the European Commission, we ensure appropriate safeguards are in place:
- EU Standard Contractual Clauses (SCCs) adopted pursuant to Commission Implementing Decision (EU) 2021/914, as required following the Schrems II ruling
- EU-US Data Privacy Framework (DPF) certifications where applicable
Specifically:
- US-headquartered providers with EU data processing (Supabase, Azure OpenAI, AWS Bedrock, Vercel, Telnyx, and others): Data is processed in EU regions. SCCs are in place as a safeguard given the providers' US headquarters.
- US data processing (Forager, Nango): Data is processed in the United States with EU SCCs in place.
Full details of our transfer mechanisms are set out in our Data Processing Agreement, Section 6.
9. Data Retention
9.1 Controller Data (Platform User Data)
| Data Category | Retention Period |
|---|---|
| Account and profile data | Duration of the contractual relationship. Deleted upon account deletion. |
| Authentication and session data | Automatically expired and rotated. Deleted upon account deletion. |
| Billing and accounting records | Retained indefinitely as required by applicable accounting and tax law. |
| Feature flag targeting data | Not persisted beyond the server-side evaluation request. |
| Error monitoring data | Retained according to Sentry's default retention period (90 days). |
9.2 Customer-Controlled Data (Processor Role)
Data processed on behalf of customers is retained until the customer deletes it or until the termination of the Agreement, at which point it is deleted or returned in accordance with our DPA, Section 7. Customers may delete their data at any time through the platform.
10. Your Rights
10.1 Rights Under the GDPR and UK GDPR
If you are located in the European Economic Area or the United Kingdom, you have the following rights with respect to your personal data:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data |
| Erasure (Art. 17) | Request deletion of your personal data where there is no compelling reason for continued processing |
| Restriction (Art. 18) | Request restriction of processing in certain circumstances |
| Data Portability (Art. 20) | Receive your personal data in a structured, commonly used, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interest, including for direct marketing purposes |
We do not engage in solely automated decision-making that produces legal or similarly significant effects on individuals (GDPR Article 22).
10.2 Rights Under US State Privacy Laws (CCPA and Others)
If you are a resident of California or another US state with applicable privacy legislation, you have the following rights:
- Right to know what personal data we collect, use, and disclose
- Right to delete your personal data, subject to certain exceptions
- Right to opt out of the sale of personal data — Atlas does not sell personal data
- Right to non-discrimination for exercising your privacy rights
10.3 How to Exercise Your Rights
For data Atlas controls (platform user data): Contact us at admin@useatlas.io. We will respond within 30 days (GDPR/UK GDPR) or 45 days (CCPA). We may request verification of your identity before fulfilling your request.
For data Atlas processes on behalf of a customer: Please contact the Atlas customer (the data controller) who is responsible for the processing of your data. If you contact us directly and we are able to identify the relevant customer, we will redirect your request to them.
10.4 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY):
- Website: https://www.imy.se
- Address: Box 8114, 104 20 Stockholm, Sweden
You may also contact the supervisory authority in your country of residence.
11. AI and Automated Processing
Atlas uses artificial intelligence systems to provide core platform functionality, including:
- Content generation — drafting outbound messages (email and LinkedIn) based on prospect and company context
- Research analysis — summarising company information and identifying relevant business signals
- Sentiment analysis — analysing responses to categorise engagement
- Message suggestions — recommending follow-up content based on conversation history
11.1 Human Oversight
All AI-generated outputs are presented as suggestions and require human review and approval before use. No outbound communication is sent without explicit user action.
11.2 No Automated Individual Decision-Making
Atlas does not make solely automated decisions that produce legal or similarly significant effects on individuals, as contemplated by GDPR Article 22.
11.3 AI Model Provider Data Practices
Our AI model providers (Azure OpenAI and AWS Bedrock) do not retain input or output data for model training purposes.
11.4 LLM Observability
LLM interaction traces, which may contain personal data included in prompts (such as contact names, job titles, and company context), are sent to Langfuse GmbH (EU-hosted) for quality monitoring and evaluation. Langfuse is SOC 2 Type II and ISO 27001 certified and operates under a GDPR-compliant DPA with AES-256 encryption at rest and TLS 1.2+ in transit.
11.5 EU AI Act Transparency (Article 50)
In accordance with Article 50 of the EU AI Act, we disclose that Atlas deploys AI systems for the purposes described above. Users interact with AI-generated content through the platform interface, where it is clearly presented as AI-generated and subject to human review.
12. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit using TLS 1.2+ for all communications
- Encryption at rest for databases and file storage
- Organisation-based multi-tenancy with architectural enforcement preventing cross-tenant data access
- Session security with IP address validation, user agent verification, and automatic session expiry
- Schema-based input validation on all API endpoints
- Production access restricted to authorised personnel on a need-to-know basis
- Application monitoring via OpenTelemetry and Grafana Cloud (EU region)
- Automated database backups with point-in-time recovery
Detailed technical and organisational measures are documented in our DPA, Annex II.
13. Children
Atlas is a business-to-business platform and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
For material changes, we will notify platform users via email or in-app notice at least 30 days before the changes take effect. Non-material changes (such as clarifications or formatting updates) may be made without advance notice.
We encourage you to review this Privacy Policy periodically. The "Last Updated" date at the top of this document indicates when the most recent revision was made.
15. Contact Us
If you have any questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact us:
| Email | admin@useatlas.io |
| Address | Hypergrowth AB, Rökubbsgatan 6, 115 59 Stockholm, Sweden |