Privacy Policy

Last updated: December 13, 2024

Atlas Forms ("Atlas," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our form backend service at atlasforms.app (the "Service").

1. Information We Collect

1.1 Account Information

When you create an Atlas account, we collect:

• Email address — Required for account creation and communication
• Password — Securely hashed, never stored in plain text
• Name — Optional, for personalization
• Profile photo — Optional, if you upload one or sign in via OAuth

1.2 Form Submission Data

When end users submit forms created with Atlas, we collect:

• Form field data — Whatever fields you configure (name, email, message, etc.)
• File uploads — Documents, images, or videos attached to submissions
• Submission metadata — Timestamp, submission ID

1.3 Technical Information

For security and abuse prevention, we automatically collect:

• IP address — Used for rate limiting and spam prevention
• User agent — Browser and device information
• Referrer URL — The page where the form was submitted from
• Request timestamps — When actions occurred

1.4 Usage Information

We collect information about how you use the Service:

• Features accessed and actions taken
• API calls and webhook deliveries
• Error logs and performance data

2. How We Use Your Information

We use the information we collect to:

• Provide the Service — Process form submissions, deliver webhooks, store files
• Communicate with you — Send submission notifications, account alerts, and service updates
• Prevent abuse — Detect spam, enforce rate limits, block malicious actors
• Improve the Service — Analyze usage patterns, fix bugs, develop new features
• Provide support — Respond to your questions and troubleshoot issues
• Comply with legal obligations — Respond to lawful requests and protect our rights

3. Data Retention

We retain data based on your plan:

After the retention period, submission data is automatically deleted. Account data is retained until you delete your account. Security logs and audit trails may be retained longer for legal and compliance purposes.

4. How We Share Your Information

We do not sell your personal information. We may share data with:

4.1 Service Providers

We use trusted third parties to operate the Service:

• Supabase — Database hosting, authentication, and storage (PostgreSQL)
• Cloudflare — Content delivery, DDoS protection, image optimization, and edge computing
• Mailgun — Transactional email delivery for notifications

4.2 Webhooks (Your Configuration)

If you configure webhooks, submission data is sent to the URLs you specify. You are responsible for the security and privacy practices of your webhook endpoints.

4.3 Legal Requirements

We may disclose information if required by law, court order, or to protect our rights, property, or safety.

5. Data Security

We implement industry-standard security measures:

• Encryption in transit — All data transmitted via HTTPS/TLS
• Encryption at rest — Database and file storage encryption
• Password hashing — Passwords are hashed using secure algorithms
• API key security — API keys are hashed (SHA-256) and only the prefix is visible
• Webhook signatures — HMAC-SHA256 signatures for webhook verification
• Access controls — Role-based access and audit logging
• Rate limiting — Protection against brute force and abuse

6. Your Rights and Choices

Depending on your location, you may have the following rights:

6.1 Access and Portability

You can access your data through the dashboard. Export your submissions in CSV or JSON format at any time.

6.2 Correction

You can update your account information in your dashboard settings.

6.3 Deletion

You can delete individual submissions, forms, projects, or your entire account. Account deletion permanently removes all associated data.

6.4 Opt-Out

You can unsubscribe from marketing emails. Transactional emails (submission notifications, security alerts) cannot be disabled while using the Service.

7. International Data Transfers

Atlas operates globally. Your data may be processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where required.

8. Cookies and Tracking

We use minimal cookies necessary for the Service to function:

• Authentication cookies — To keep you logged in
• Session cookies — To maintain your session state

We do not use third-party tracking cookies, advertising cookies, or analytics services that track you across websites.

9. Children's Privacy

Atlas is not intended for children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

10. Your Responsibilities as a Customer

When you use Atlas to collect data from your users, you act as the "data controller" (under GDPR) or equivalent. You are responsible for:

• Having a valid legal basis to collect and process personal data
• Providing your own privacy policy to your users
• Obtaining necessary consents (especially for sensitive data)
• Responding to data subject requests from your users
• Complying with applicable privacy laws (GDPR, CCPA, etc.)

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we may also send you an email notification.

12. Contact Us

If you have questions about this Privacy Policy or want to exercise your rights, contact us at:

• Email: privacy@atlasforms.app