Privacy Policy

Last updated: 23 June 2026

Draft, pending legal review. This text is a working draft and is not yet legal advice or a binding agreement. Sections marked [TO BE COMPLETED] need entity-specific details.

Who we are

Data controller: [TO BE COMPLETED] (legal name, registered address, SIRET, contact email).

Atlas is a B2B SaaS review platform where verified professionals rate the tools they use at work. We operate under French law and comply with the EU General Data Protection Regulation (GDPR) and the Digital Services Act (DSA).

If you have any questions about how we handle your personal data, contact us at [TO BE COMPLETED].

Data we collect

We collect the following categories of personal data:

  • Account data: your professional email address (used to verify your employer), your first and last name, and optionally your LinkedIn profile URL.
  • Reviews and tool stack: the software ratings and written reviews you submit, and the tools you declare in your professional stack.
  • Employment information: your current employer (matched via your email domain or your LinkedIn profile) and your job title or function, where provided.
  • Usage and technical data: standard server logs (IP address, browser type, pages visited, timestamps) and error reports generated when something goes wrong in the application.

We do not collect payment card data, government ID numbers, or any sensitive categories of personal data under GDPR Article 9.

Why we use it and our legal bases

  • Providing the service (contract, Art. 6(1)(b)): we process your account data and reviews to create and maintain your Atlas account, authenticate you, and display your contributions on the platform.
  • Review authenticity and platform integrity (legitimate interest, Art. 6(1)(f)): we verify that reviewers are genuine professionals and that no competitor reviews a rival's product. This is the core trust guarantee of Atlas. Our legitimate interest outweighs the limited privacy impact because the verification relies only on your professional email domain.
  • Security and error monitoring (legitimate interest, Art. 6(1)(f)): we use logs and error data to detect abuse, fix bugs, and keep the platform stable.
  • Legal obligations (Art. 6(1)(c)): we may retain certain data to comply with applicable French and EU law (accounting records, legal requests).

Service providers (subprocessors)

We share data only with the vendors necessary to operate Atlas. Each is bound by a data processing agreement. Some of these providers are based outside the EU; see the International Transfers section below.

  • Supabase (PostgreSQL database and file storage, hosted in the European Union [TO BE COMPLETED: confirm region]) - processes account data, reviews, and stack data.
  • Vercel (application hosting and edge network, USA) - processes request logs and serves the application.
  • OpenAI (content enrichment, USA) - may receive limited text content (e.g. provider descriptions) for AI-assisted enrichment. No review text is sent without your awareness.
  • Resend (transactional email, USA) - processes your email address to send verification and notification emails.
  • Sentry (error monitoring, USA) - receives error reports and stack traces that may include session context.

We do not sell your data to third parties or share it for advertising purposes.

How long we keep data

  • Active account: your personal data is retained for as long as your account is active.
  • After account closure: we anonymize or delete personal data within [TO BE COMPLETED] days of account deletion. Your reviews are retained in anonymized form (your name and employer are replaced with generic identifiers) to preserve the integrity of the platform's historical data.
  • Legal retention: certain data (invoicing records, legal correspondence) may be kept for [TO BE COMPLETED] years as required by French law.
  • Error logs: retained for [TO BE COMPLETED] days for security and debugging purposes.

Your rights

Under the GDPR and the French Data Protection Act, you have the following rights with respect to your personal data:

  • Right of access (Art. 15): obtain a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data directly in your profile settings.
  • Right to erasure (Art. 17): request deletion of your account and personal data. You can initiate this process by contacting us at [TO BE COMPLETED]. Once account deletion is complete, your personal data is anonymized and your reviews are retained only in de-identified form.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format. Contact us to request an export.
  • Right to object (Art. 21): object to processing carried out under legitimate interest (for example, error monitoring). We will stop unless we have compelling legitimate grounds that override your interests.
  • Right to lodge a complaint: if you believe we have not handled your data lawfully, you may lodge a complaint with the CNIL (the French data protection authority) at www.cnil.fr.

To exercise any of your rights, contact us at [TO BE COMPLETED]. We will respond within 30 days.

International transfers

Several of our subprocessors (Vercel, OpenAI, Resend, Sentry) are based in the United States, which is outside the European Economic Area. We ensure appropriate safeguards are in place for these transfers:

  • Standard Contractual Clauses (SCCs): [TO BE COMPLETED] - we rely on the European Commission's standard contractual clauses with each subprocessor.
  • Data Processing Agreements: each subprocessor has signed a DPA that binds them to GDPR-equivalent protections.

You can request a copy of the relevant SCCs by contacting us at [TO BE COMPLETED].

Cookies

We use a limited set of cookies, strictly necessary for authentication and platform stability. We do not use advertising or cross-site tracking cookies.

For the full details of what cookies we use and why, see our Cookies Policy.

Contact and DPO

Data Protection Officer (DPO): [TO BE COMPLETED].

For any privacy-related request, write to us at: [TO BE COMPLETED] (email) or at our registered address [TO BE COMPLETED].

We aim to respond to all requests within 30 days. For complex requests, we may extend this period by a further two months and will notify you accordingly.