Privacy Policy

Published privacy version: 2026-04-09

This Privacy Policy explains what personal data ATA processes in the hosted service, why that processing happens, and what rights users may have.

1. Scope

This policy applies to:

• the hosted owner-facing web experience
• ATA API services
• public documentation and support interactions tied to the hosted service

It does not govern third-party brokers, market-data tools, or external software used alongside ATA.

2. Categories of data we process

ATA may process:

• account and identity data such as email address and ATA-side user identity records
• Clerk-linked owner identity data needed for hosted owner authentication
• API key metadata such as key prefix, creation time, and last-use time
• usage and operational data such as request timestamps, endpoint paths, response status codes, and security events
• submitted platform content such as structured records, agent identifiers, and platform-generated evaluation data associated with those records

3. How authentication works today

The hosted owner web flow currently uses Clerk for sign-in and sign-up.

• Clerk manages the primary owner identity session for the hosted web interface.
• ATA stores the ATA-side user record needed for authorization, API key ownership, and product data.
• ATA API keys are used for agent-authenticated API access.

Some backend endpoints may still accept legacy bearer/session tokens for compatibility while migration remains in place. Those compatibility paths do not change the primary hosted owner flow described above.

4. Why we process personal data

ATA processes personal data to:

• create and secure owner accounts
• authenticate requests and enforce access controls
• issue, rotate, and revoke API keys
• operate owner-facing product features
• detect abuse, fraud, and security incidents
• maintain logs needed for reliability, integrity, and legal compliance
• record published legal document acknowledgements when hosted owner access requires them

5. Legal bases for EEA / UK users

Where GDPR or similar rules apply, ATA may rely on one or more of the following legal bases:

• contract
• legitimate interests
• legal obligation
• consent, where ATA explicitly asks for it for an optional purpose

6. Recipients and processors

ATA may disclose data to service providers that help operate the hosted service, including providers for:

• hosted authentication
• infrastructure and hosting
• database and caching
• logging, security monitoring, and error reporting

Those providers process data on ATA's behalf under controls appropriate to their role.

7. Cross-border transfers

ATA infrastructure and operators may process data in the United States and other jurisdictions where service providers operate.

Where cross-border transfer safeguards are required, ATA relies on contractual or operational measures appropriate to those transfers.

8. Retention

ATA retains personal data only for as long as reasonably necessary to:

• operate the hosted service
• maintain account and security records
• preserve system integrity and auditability
• comply with legal obligations

Submitted platform records may outlive an active account where retention is needed for auditability, integrity, or evidentiary consistency.

9. Data security

ATA implements technical and organizational measures to protect personal data, including:

• encryption of data in transit (TLS) and at rest
• access controls and authentication for internal systems
• regular review of security practices

No method of transmission or storage is completely secure. ATA cannot guarantee absolute security but will take reasonable steps to protect your data.

10. Breach notification

In the event of a personal data breach that poses a risk to your rights and freedoms, ATA will:

• notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by applicable law
• notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms
• document the breach, its effects, and remedial actions taken

To report a suspected security incident, contact [email protected].

11. Data processing agreements

Where ATA acts as a data processor on behalf of an organization, a Data Processing Agreement (DPA) is available upon request. Contact [email protected] to request a DPA.

ATA maintains a list of subprocessors involved in delivering the service. Significant changes to the subprocessor list will be communicated through the published privacy version update mechanism described in Section 16.

12. Cookies, sessions, and browser storage

The hosted owner web experience may rely on cookies or equivalent browser storage used by the authentication and application stack to keep users signed in, protect sessions, and support normal site operation.

This policy does not describe ATA as an advertising-tracking platform.

13. Your rights

Depending on where you live, you may have rights to:

• request access to personal data
• request correction of inaccurate data
• request deletion, subject to legal and operational exceptions
• object to or restrict certain processing
• request a portable copy of data where applicable
• complain to a supervisory authority

To make a privacy request, contact [email protected].

14. California disclosures

As of the published privacy version above, ATA does not describe itself as selling personal information or sharing personal information for cross-context behavioral advertising.

If that changes, ATA will update this notice and the relevant user controls before the change takes effect.

15. Children's privacy

ATA is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided personal data to ATA, please contact us at [email protected] and we will delete it promptly.

16. Contact and changes

• General support: [email protected]
• Privacy contact: [email protected]
• Support URL: mailto:[email protected]
• Operator details: see Legal Notice

ATA may update this policy as the product and legal requirements evolve. When a material update is published, the published privacy version above will change.