Privacy Policy

Last updated: March 2026

Atlas is local-first. Your notes, files, and personal knowledge never leave your device unless you explicitly use cloud AI features.

1. What Data We Collect

Account Information (Supabase)

If you create an account to use cloud AI features, we collect:

  • Email address — for authentication and account recovery
  • Password (hashed) — stored securely by Supabase, never in plaintext
  • Account creation date — for subscription management

Usage Metrics

When you use paid cloud AI features, we track:

  • Message counts — number of chat messages sent to our AI service
  • STT usage — minutes of speech-to-text transcription
  • TTS usage — characters converted to speech via text-to-speech
  • Web search requests — number of web searches initiated

This data is used solely to enforce your subscription tier limits and prevent abuse. We do not analyze the content of your conversations.

Analytics (Umami)

Our website uses Umami, a privacy-focused analytics platform that:

  • Does not use cookies — no tracking cookies placed on your browser
  • Does not collect personal data — no IP addresses, user agents, or fingerprinting
  • Provides aggregate statistics only — page views, referrers, and country-level geography

2. What Data We Do NOT Collect

Atlas is designed to keep your knowledge private. We do not collect, store, or access:

  • Your vault contents — notes, files, and documents remain 100% local on your device
  • CRM data — people, organizations, and relationships are stored only in your vault
  • Session history — conversation transcripts are stored locally as JSONL files in your vault
  • Calendar events — Google Calendar integration runs entirely on your machine
  • Memory files — your persona, goals, and long-term memory files never leave your device
  • Search queries — local vault search happens entirely offline
  • File metadata — we don't know what files you have or how they're organized

When you use cloud AI features (chat, voice transcription, text-to-speech), only the specific text you send in a conversation reaches our servers. Our backend is stateless—we process your request and immediately discard it. We do not store conversation logs on our servers.

3. How We Use Your Data

We use the limited data we collect for:

  1. Authentication — verifying your identity when you log in
  2. Billing — processing payments and managing subscriptions via Stripe
  3. Usage enforcement — ensuring you stay within your subscription tier limits
  4. Service improvement — understanding aggregate usage patterns (e.g., which features are popular) to prioritize development
  5. Support — helping you troubleshoot issues if you contact us

We do not use your data for advertising, marketing analytics, or selling to third parties. We do not train AI models on your conversations.

4. Third-Party Services

Atlas integrates with the following third-party services:

Supabase (Authentication & Database)

We use Supabase for user authentication and storing account metadata (email, subscription status, usage records). Supabase is SOC 2 Type II certified and GDPR compliant. Your password is hashed using industry-standard bcrypt before storage.

Stripe (Payment Processing)

We use Stripe to process subscription payments. Stripe handles all payment card information—we never see or store your credit card details. Stripe is PCI DSS Level 1 certified.

Anthropic Claude (AI Services)

When you use cloud AI features (chat, voice transcription, text-to-speech), your messages are sent to Anthropic's Claude API for processing. Data sent only when you explicitly initiate a cloud AI feature:

  • Chat messages — only the text you send and relevant context from your conversation
  • Voice input — audio recordings you create (transcribed via Whisper, then deleted)
  • Text-to-speech — text you choose to have spoken aloud

Anthropic does not train models on API data. See Anthropic's Privacy Policy for details.

OpenAI (Voice Services)

Voice transcription (STT) and text-to-speech (TTS) are powered by OpenAI's Whisper and TTS APIs. Audio data is processed in real-time and not stored by OpenAI. See OpenAI's Privacy Policy.

Google Calendar (Optional Integration)

If you enable Google Calendar integration, Atlas requests read-only access to your calendar events. This integration runs entirely on your local machine using OAuth 2.0—calendar data is never sent to our servers. You can revoke access at any time via Google Account Permissions.

Google Fonts

Our website loads typefaces (Cormorant Garamond and Inter) from Google Fonts. When you visit our site, your browser makes a request to Google's servers to fetch the font files. This transmits your IP address to Google. See Google Fonts Privacy FAQ for details.

NOAA Weather API (Optional Feature)

If you use the weather feature in the Atlas desktop app, your configured latitude and longitude are sent to the U.S. National Oceanic and Atmospheric Administration (NOAA) via our cloud backend to retrieve weather data. No personally identifiable information is included in these requests.

5. Data Retention and Deletion

Account Data

Your account information (email, subscription status) is retained for as long as your account is active. If you delete your account via Settings → Account in the Atlas app, we permanently delete:

  • Your email and authentication credentials
  • All subscription and billing records
  • All usage tracking data

Deletion is irreversible and typically completes within 30 days. Stripe may retain billing records for legal compliance (tax, fraud prevention).

Usage Records

Usage data (message counts, STT/TTS minutes) is retained for the current billing period plus 12 months for auditing and dispute resolution. After 13 months, usage data is automatically purged.

Local Data (Your Vault)

All vault data—notes, files, CRM, conversation history, memory files—lives exclusively on your local machine. To delete this data, simply delete the vault folder on your computer. We have no access to it and cannot recover it.

6. Your Rights

You have the following rights regarding your personal data:

  • Access — Request a copy of your account data and usage records
  • Correction — Update your email address or other account information
  • Deletion — Permanently delete your account and all associated data
  • Portability — Export your usage data in machine-readable format (JSON)
  • Objection — Opt out of analytics (use ad blockers or disable JavaScript for Umami)

To exercise these rights, contact us at info@atlasnotes.io. We will respond within 30 days.

7. Security

We take security seriously and implement industry-standard protections:

  • Encryption in transit — All API calls use HTTPS/TLS 1.3
  • Password hashing — Passwords are hashed using bcrypt with salt
  • JWT authentication — Secure token-based authentication via Supabase
  • Rate limiting — Protection against abuse and denial-of-service attacks
  • Least privilege — Our backend only accesses the minimal data needed to process your request

Despite our precautions, no system is perfectly secure. If you discover a security vulnerability, please report it to info@atlasnotes.io.

8. Children's Privacy

Atlas is not intended for children under 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, contact us immediately at info@atlasnotes.io and we will delete it.

9. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. If we make material changes, we will notify you via email (if you have an account) and update the "Last updated" date at the top of this page.

Your continued use of Atlas after policy changes constitutes acceptance of the updated terms.

10. Contact Us

If you have questions about this privacy policy or how we handle your data, contact us at:

Email: info@atlasnotes.io

Website: https://atlasnotes.io