Privacy Policy
Last updated: 2026-04-21
Atlas Concept SASU — SIRET 98002778300011
1. Data Controller
Atlas Concept SASU
Legal form: Société par actions simplifiée unipersonnelle
SIRET: 98002778300011 | VAT: FR72980027783
RCS Strasbourg
Registered address: 8 rue Alfred Kastler, 67300 Schiltigheim, France
DPO: info@atlasiq.app
Pursuant to Regulation (EU) 2016/679 (GDPR) and French Data Protection Act No. 78-17, Atlas Concept SASU is the data controller for personal data collected through the AtlasIQ platform.
2. Data We Collect
Account Data
- First name, last name
- Email address
- Password (bcrypt hashed)
- Profile photo (optional)
- Company (optional)
Usage Data
- IP address
- Browser type and OS
- Pages visited and actions
- Session timestamps
OAuth Tokens
- Meta Ads (AES-256-GCM encrypted)
- TikTok Ads (encrypted)
- Google Ads (encrypted)
- Shopify/Amazon (encrypted)
- CJ Dropshipping (encrypted)
Payment Data
- Processed by Stripe — NOT stored
- Billing email
- Transaction history
3. Legal Basis (GDPR Art. 6)
| Purpose | Legal Basis | Art. |
|---|---|---|
| Account creation and management | Contract performance | 6(1)(b) |
| AI service delivery | Contract performance | 6(1)(b) |
| OAuth connection to platforms | Contract performance | 6(1)(b) |
| Payment processing | Contract performance | 6(1)(b) |
| Transactional emails | Contract performance | 6(1)(b) |
| Security and fraud prevention | Legitimate interest | 6(1)(f) |
| Product improvement and analytics | Legitimate interest | 6(1)(f) |
| Error tracking (Sentry) | Legitimate interest | 6(1)(f) |
| Analytics/targeting cookies | Consent | 6(1)(a) |
| Invoice retention (10 years) | Legal obligation | 6(1)(c) |
4. Sub-Processors
| Name | Purpose | Country | Transfer |
|---|---|---|---|
| Supabase (PostgreSQL) | Primary database hosting | EU (Frankfurt) | EU hosting, no international transfer |
| Redis (Self-hosted) | Caching and session management | France (OVH) | EU hosting, no international transfer |
| OVH SAS | VPS infrastructure hosting | France | No international transfer |
| OpenAI | AI content generation (ad copy, product descriptions) | United States | Standard Contractual Clauses (SCCs) |
| Stripe | Payment processing | United States / Ireland | Standard Contractual Clauses (SCCs), Stripe is PCI DSS Level 1 certified |
| SendGrid (Twilio) | Transactional email delivery | United States | Standard Contractual Clauses (SCCs) |
| Sentry | Error tracking and application monitoring | United States | Standard Contractual Clauses (SCCs) |
| AWS (S3/SES) | File storage and email infrastructure | EU (eu-west-3, Paris) | EU hosting, no international transfer |
| Meta Platforms | Ad campaign management via user OAuth | United States / Ireland | Standard Contractual Clauses (SCCs) |
| TikTok (ByteDance) | Ad campaign management via user OAuth | Singapore / Ireland | Standard Contractual Clauses (SCCs) |
| Google (Google Ads) | Ad campaign management via user OAuth | United States / Ireland | Standard Contractual Clauses (SCCs), EU–US Data Privacy Framework |
5. International Transfers
Transfers outside the EEA are governed by Standard Contractual Clauses (SCCs) pursuant to GDPR Article 46(2)(c).
| Name | Country | Transfer | Purpose |
|---|---|---|---|
| OpenAI | US | SCCs | AI content only — NO personal data |
| Meta | US/IE | SCCs | Campaigns via user OAuth |
| TikTok | SG/IE | SCCs | Campaigns via user OAuth |
| Stripe | US/IE | SCCs + PCI DSS L1 | Payments |
| | US/IE | SCCs + DPF | Campaigns via OAuth |
| SendGrid | US | SCCs | Transactional emails |
6. Security Measures
- OAuth Encryption: AES-256-GCM, per-tenant keys
- Transport: TLS 1.3
- Passwords: bcrypt, cost ≥ 12
- Access Control: RBAC
- Backups: Encrypted, daily, 30d retention
- Audit: Full audit logging
AtlasIQ does not hold SOC 2 Type II or ISO 27001 certifications.
7. Data Retention
| Data | Active | Post-Delete | Legal |
|---|---|---|---|
| Account data (name, email) | Duration of account | 30 days (soft delete) | Invoices: 10 years (French Commercial Code) |
| OAuth tokens (Meta, TikTok, Google, Shopify) | Duration of integration connection | Immediately revoked and deleted | None |
| Usage logs and analytics | 24 months rolling | Anonymized after 30 days | Connection logs: 1 year (LCEN) |
| Payment data | Processed by Stripe — not stored on our servers | N/A (managed by Stripe) | Transaction records: 10 years |
| Support tickets and communications | Duration of account + 12 months | Deleted after 30 days | None |
| Cookie consent records | 13 months (CNIL guideline) | Deleted with account | Proof of consent: 3 years (statute of limitations) |
8. Your Rights (GDPR)
- Right of Access: Obtain a copy of your data via "Export" in your account or by email.
- Right to Rectification: Correct or update your data through account settings.
- Right to Erasure: Request deletion (30-day soft delete). Excludes invoices (10 years, Commercial Code).
- Right to Restriction: Restrict processing in certain circumstances.
- Right to Portability: Receive your data in JSON or CSV format.
- Right to Object: Object to processing based on legitimate interest.
- Withdraw Consent: Withdraw cookie consent anytime via the banner.
- CNIL Complaint: Lodge a complaint with CNIL (see section 10).
Contact info@atlasiq.app. Response within 1 month (Art. 12(3) GDPR).
9. Children's Privacy
Per GDPR Article 8, AtlasIQ is not intended for persons under 16 (minimum age in France). We do not knowingly collect data from minors.
10. DPO & CNIL
Data Protection Officer
Atlas Concept SASU — 8 rue Alfred Kastler, 67300 Schiltigheim, France
Email: info@atlasiq.app
CNIL
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Phone: +33 1 53 73 22 22
11. Policy Changes
For material changes, we will notify you by email, display a banner in the app, and update the date above. If the change concerns consent-based processing, new consent will be requested.