Your data belongs to you. We collect only what we need to operate the service you paid for. We do not sell it. We do not correlate it with third-party data sets to build profiles. We do not use your queries to train artificial intelligence models.
When you create an account, we collect: your name, email address, and password (hashed, never stored in plain text). If you choose to personalize the platform, you may voluntarily share additional information — your company, role, industry, interests, or concerns. You may also register social media handles you wish us to monitor. All voluntary data is clearly labeled and can be removed at any time.
When you use the platform, we record: the queries you submit, the reports generated, module usage, timestamps, and technical metadata (IP address, browser type, device information) needed for security and service operation.
When you pay, we do not collect or store payment card details. Paddle.com processes payments as the merchant of record and stores those details under its own compliance regime.
Your data is stored in PostgreSQL databases hosted by Supabase, a SOC 2 Type II certified infrastructure provider. Each account operates under strict Row-Level Security — the database itself enforces that no user can read or modify another user's data, not even accidentally. All data is encrypted in transit using TLS 1.3, and encrypted at rest using AES-256.
Authentication sessions are managed through secure, HTTP-only cookies. Passwords are hashed using modern cryptographic standards before storage. We never have access to your plain-text password and cannot recover it — we can only reset it.
The following third parties process limited data strictly to operate the service:
No other third parties receive your data. No advertisers. No analytics providers that enable cross-site tracking. No data brokers.
Under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the UK Data Protection Act, Turkish KVKK, and equivalent legislation elsewhere, you have legally enforceable rights over your personal data. These rights apply to every user regardless of jurisdiction because we extend them universally.
To exercise any of these rights, email atlasalpaytr@gmail.com. We will respond within 30 calendar days. We will not charge you a fee for exercising these rights unless the request is manifestly unfounded or excessive, and we will inform you in advance if we intend to apply any fee.
When you use the platform to conduct open-source intelligence research on a third party, that third party's data is not stored by us beyond the resulting report in your account. We do not maintain a database of people researched through the platform. Each query is processed independently and the intermediate search results are discarded.
If you are a subject of a search and wish to have information about you removed from our systems, email us. We will verify your identity and delete any relevant reports within 30 days. Note that we do not control the upstream public sources that originally published information about you — removing their content requires approaching them directly, which our Make Me Invisible feature helps subscribed users with.
Our Breach Console allows authenticated users to check whether specific email addresses appear in known data breaches. The breach data itself is aggregated from publicly disclosed incidents and does not originate from us. Users may only search for emails they have legitimate reason to check — their own, or those of accounts they administer. Unauthorized lookups of third parties may violate data protection law and our Acceptable Use Policy.
Account data, profile data, reports, and notes are retained for the lifetime of your account. Session logs and technical metadata are retained for up to 90 days for security purposes. Payment records are retained per Paddle's retention policy and applicable tax law — typically seven years. Upon account deletion, personal data is irreversibly removed within 30 days, except where we are legally required to retain specific records (financial transactions, law enforcement requests).
Data may be processed on servers located in the European Union, the United States, and Türkiye. Transfers between jurisdictions are safeguarded by Standard Contractual Clauses approved by the European Commission, supplementary technical measures (end-to-end encryption, data minimization), and — in the case of the United States — the EU-U.S. Data Privacy Framework where applicable.
In the unlikely event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the incident, as required by GDPR Article 33. Notifications will describe the nature of the breach, the likely consequences, and the measures we have taken in response.
We respect lawful orders from competent authorities. We do not voluntarily disclose user data to any government or law enforcement agency. When we receive a legally binding request, we evaluate it against the laws of the jurisdiction in which we operate, narrow its scope where possible, and — unless legally prohibited from doing so — notify the affected user before disclosure so they may challenge the request. We publish an annual transparency report summarizing the requests we receive.
For any data-related inquiry, contact our data protection point of contact at atlasalpaytr@gmail.com. This page will be updated as our practices evolve; the current version is always accessible from the footer of every page.