Privacy Policy
Last updated: October 7, 2025
This Privacy Policy explains how Atlas ("we," "our," "us") collects, uses, and safeguards information when you use our mobile app, APIs, and related services (collectively, the "Service"). It reflects the capabilities delivered in Phase Two of the platform, including personality assessments, personalized goal suggestions, and expanded verification options.
Information We Collect
Account & Subscription Data
- Profile details such as your name, email address, time zone, and authentication tokens needed to sign in via Supabase. Tokens are stored securely on device using Expo Secure Store when available.
- Billing metadata and payment method identifiers managed via Stripe. We store only tokenized references necessary to process configured penalties.
Goals, Verifications & Penalties
- Goal definitions, schedules, and penalty configurations you create inside the app.
- Evidence you submit for verification—including text, photo, audio, and video—which is processed by our AI verification pipeline powered by OpenAI models.
- Verification outcomes, penalty history, and related audit logs retained to enforce accountability and comply with financial regulations.
Personalization & Recommendations
- Personality quiz responses, chronotype inputs, life-stage selections, and derived trait scores that drive personalization of suggestions.
- Interest selections, personalization cache entries, execution history, and suggestion bundles generated for you, including overlay card defaults and ranking scores.
- Feedback on suggestion cards, including likes, skips, completions, and metadata we use to adapt future recommendations.
Usage, Analytics & Diagnostics
- Interaction events, latency metrics, and funnel analytics captured through PostHog unless you opt out in-app.
- Crash reports and structured logs from our backend services to diagnose reliability issues.
Notifications & Device Signals
- Expo push tokens and notification preferences required to send reminders, re-engagement nudges, and goal updates.
- Camera and photo library permissions on iOS, plus camera and notification permissions on Android, so you can capture or upload verification evidence and receive alerts.
How We Use Information
- Create and maintain your account, including syncing sessions across devices and enforcing authentication requirements.
- Schedule goals, trigger reminders, and evaluate verification evidence using AI.
- Manage penalties, payment retries, and refunds through Stripe when configured consequences are triggered.
- Personalize suggestion bundles, overlay activities, and profile insights based on your quiz results, interests, completion history, and feedback signals.
- Improve the Service via analytics, QA instrumentation, bug reports, and feature telemetry while honoring your tracking preferences.
- Send reminders, deadline alerts, re-engagement nudges, and other notifications you configure.
Data Sharing & International Transfers
We share information with trusted third-party processors to deliver the Service:
- Supabase for authentication, profile storage, personalization caches, and application data persistence.
- OpenAI to analyze uploaded verification evidence with machine learning models.
- Stripe for secure payment processing and penalty execution.
- PostHog for product analytics and funnel reporting when enabled.
- Expo for push notification delivery and device credential management.
These providers may process or store data in regions outside your country. We ensure each has appropriate safeguards in place and rely on their published compliance programs.
We do not sell personal information. We only disclose data outside this list when required by law, to protect rights, or with your explicit consent.
Security Measures
- Sessions and auth tokens are stored in Expo Secure Store on native platforms and transmitted over HTTPS.
- Backend services validate inputs, sanitize AI responses, and limit retries to mitigate abuse.
- Access to production infrastructure is restricted to authorized personnel and protected by role-based access controls.
Retention
- Profile, goal, penalty, personalization, and payment records persist while your account is active to maintain context and support regulatory obligations.
- Verification evidence and associated AI outputs are retained as long as necessary to resolve disputes, audit outcomes, and satisfy compliance requirements.
- Analytics events are stored in aggregated form; opt-outs stop new tracking while preserving historic reports.
- When you delete your account, we remove profile data and dependent records from Supabase before invoking Supabase's account deletion APIs, except where retention is legally mandated.
Your Choices & Rights
- Access & Deletion: You may request an export of your data or delete your account within the app. Account deletion removes profile, goals, personalization caches, notifications, and related records subject to compliance retention needs.
- Notifications: Manage push reminders, penalty warnings, and marketing opt-ins directly in settings. Revoking notification permissions on your device may limit reminder delivery.
- Analytics: Toggle tracking inside the app; when disabled we stop sending new events to PostHog while keeping core functionality available.
- Evidence Management: You control what verification media you upload. Removing local copies or revoking camera/photo permissions may prevent new submissions.
Contact
Questions about this policy or your data rights? Reach us at privacy@nmctechnologies.com.au. We will respond within a reasonable timeframe consistent with applicable privacy laws.