Privacy Policy
Effective date: January 1, 2026 · Last updated: March 28, 2026
This Privacy Policy describes how Atom Labs ("we," "us," or "our") collects, uses, stores, and protects information in connection with the ATOM Governance Platform ("Platform"). By using the Platform, you agree to the practices described in this policy.
1. Information We Collect
We collect and store the following:
Account information: Company name, name, email address, and billing information provided during registration or upgrade.
Governance metadata per AI call:
- Which provider and model were called
- The governance decision (allow / block / warn)
- RIS integrity score (RIS-0 through RIS-4)
- CII cognitive integrity score (0.0 to 1.0)
- Timestamp and unique event identifier
- Policy evaluation results
We do NOT collect or store:
- The content of your AI prompts
- The content of model responses
- Any personally identifiable information contained in your AI calls
Your AI call content passes through ATOM's governance evaluation and is immediately discarded. Only the governance verdict is persisted.
Usage data: Call counts, latency metrics, rate limit events, and provider usage statistics.
Configuration data: Governance policies, enforcement settings, model allowlists, and BYOK provider preferences you configure.
2. How We Use Information
We use collected information to:
- Provide, operate, and improve the Platform
- Authenticate requests and enforce governance policies
- Generate audit trails and compliance reports for your organization
- Detect and prevent abuse, fraud, and security incidents
- Send transactional emails (account credentials, trial expiry, billing)
- Calculate usage metrics and enforce plan limits
- Respond to support inquiries and resolve disputes
We do not sell your data to third parties. We do not use your API request content to train AI models.
3. Governance Audit Data
The Platform maintains governance event logs including request metadata, risk scores (RIS), coherence indices (CII), governance decisions (allow/block/shadow), and timestamps. These logs are accessible to authorized users within your tenant and to Atom Labs for platform operations and compliance verification. Audit logs are retained for the duration of your active subscription plus 90 days.
4. Your Provider Keys
When you register provider API keys:
- Keys are encrypted using AES-128-CBC with HMAC-SHA256 (Fernet encryption)
- Encryption uses a secret key stored only in the platform environment
- The database stores only ciphertext
- The full key is never returned via API
- Only the last 4 characters are shown as a confirmation preview
- Keys can be deleted at any time from Settings and will be immediately purged
Your ATOM API keys are stored as SHA-256 cryptographic hashes. The plaintext key is returned once at creation and is never recoverable from the system.
5. Data Sharing
We share data with third parties only in the following circumstances:
- Infrastructure providers: Cloud hosting, database, and monitoring services necessary to operate the Platform
- Payment processing: Stripe processes payment information on our behalf. We do not store full credit card numbers
- Email delivery: SendGrid is used to send transactional emails
- Legal compliance: When required by law, court order, or to protect the rights and safety of Atom Labs or others
- Business transfers: In the event of a merger, acquisition, or sale, data may be transferred to the acquiring entity
When AI requests are routed to third-party providers (Groq, Anthropic, Google Gemini, Mistral, OpenAI), your request data is transmitted to those providers subject to their own privacy policies. BYOK users transmit directly under their own provider agreements.
6. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption of credentials and sensitive data at rest
- TLS encryption for all data in transit
- API key authentication for all Platform access
- Rate limiting and anomaly detection
- Immutable audit logging
No system is completely secure. If you discover a security vulnerability, please report it to [email protected].
7. Data Retention
We retain data for the following periods:
- Account data: Duration of account plus 90 days after closure
- Governance audit logs: Duration of active subscription plus 90 days
- Usage metrics: 13 months for billing verification
- Security logs: 12 months
You may request deletion of your account data by contacting [email protected]. Deletion requests are processed within 30 days, subject to legal and compliance retention requirements.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data, subject to retention requirements
- Portability: Request your data in a portable format
- Objection: Object to processing of your data for certain purposes
To exercise these rights, contact [email protected].
9. Cookies and Tracking
The Platform console uses session cookies for authentication and preference storage. We do not use tracking cookies, advertising cookies, or cross-site tracking. Usage analytics are collected server-side from API logs, not via client-side tracking scripts.
10. International Transfers
The Platform is operated in the United States. If you access the Platform from outside the United States, your data may be transferred to and processed in the United States. By using the Platform, you consent to this transfer. We implement appropriate safeguards for international transfers as required by applicable law.
11. Children's Privacy
The Platform is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have collected data from a minor, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will provide notice of material changes via email or through the Platform at least 14 days before they take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.
13. Contact
For privacy questions or data requests, contact us at [email protected].
For security concerns, contact [email protected].
Atom Labs is headquartered in the United States.