Your data belongs to you.
We collect only what we need, use it only to serve you, and never train models on your data. Plain language, no weasel words.
Overview
Atlantic AI Inc. (“Atlantic”, “we”, “our”) operates the Atlantic platform at app.getatlantic.ai and the marketing site at getatlantic.ai. This Privacy Policy explains what data we collect, why we collect it, and your rights over that data.
Effective date: 2026-06-02.
Company: Atlantic AI Inc., 8 The Green STE D, Dover, Delaware 19901, USA.
Contact: info@getatlantic.ai.
Data we collect
Account & identity data. When you sign up, we collect your name, email address, company name, and a password hash. For SSO (Google / Microsoft), we receive the profile fields your provider grants.
Usage & product analytics. We use PostHog to capture product events (page visits, feature interactions, session replays) to improve the product. Session recordings are subject to your cookie consent selection. Raw event data is stored in the EU (PostHog EU Cloud) and not shared with ad networks.
Integration data. When you connect third-party services (Slack, Google Drive, Jira, etc.), Atlantic receives only the OAuth scopes you grant. That data is processed on your behalf as described in our Data Processing Addendum and is never used for model training.
Communications. If you contact support or book a demo, we retain the content of those communications to resolve your request.
Technical & infrastructure data. Logs include IP addresses, user-agent strings, and timestamps, retained for up to 90 days for security and debugging.
Purposes & legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide and operate the Atlantic platform | Performance of contract (Art. 6(1)(b)) |
| Send transactional emails (account, invoices, security) | Performance of contract (Art. 6(1)(b)) |
| Product analytics and session replay | Legitimate interest + consent (Art. 6(1)(a)(f)) |
| Security, fraud prevention, abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Marketing to existing customers (product updates) | Legitimate interest (Art. 6(1)(f)); opt-out always available |
Retention
We retain your account data for the duration of your subscription plus 90 days after termination, unless a longer period is required by law.
Temporary conversations (when “Temporary Chat” is enabled) are soft-deleted immediately on session end and hard-deleted after 30 days.
Infrastructure logs are retained for 90 days. Analytics events are retained for 24 months, after which they are aggregated or deleted.
Sub-processors
We share data with a limited set of sub-processors necessary to deliver the service. Each sub-processor is subject to a data processing agreement with Atlantic. The full list is available at getatlantic.ai/sub-processors.
We will notify you at least 30 days before adding a new sub-processor that processes personal data.
No training on your data
Atlantic does not use customer data to train, fine-tune, or evaluate AI models. This commitment is contractual and applies to all tiers, including free trials. Your knowledge base, chat history, and integration data remain yours.
Model inference is performed via AWS Bedrock (Anthropic Claude). AWS Bedrock does not use API inputs to train Amazon models. See AWS’s Bedrock data privacy page for details.
International transfers
Atlantic is incorporated in the United States. If you are located in the EU/EEA, UK, or Turkey, your personal data may be transferred to and processed in the United States and other countries.
We protect such transfers using Standard Contractual Clauses (SCCs) approved by the European Commission. Our Data Processing Addendum (available at /dpa) incorporates the SCCs by reference.
For Turkish users, we comply with KVKK requirements, including explicit consent for international transfers where required, and maintain data residency for Turkish customer data in-region where technically feasible.
Your rights
Depending on your jurisdiction, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — ask us to delete your personal data (“right to be forgotten”).
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Restriction — request we limit processing while a dispute is resolved.
- Withdraw consent — where processing is based on consent (e.g. session replay), withdraw at any time via cookie settings.
To exercise any right, email info@getatlantic.ai. We will respond within 30 days. You may also lodge a complaint with your local data protection authority.
Security
Atlantic is SOC 2 audited (report available under NDA on request). We apply AES-256 encryption at rest with customer-managed keys (BYOK) available on Enterprise plans, TLS 1.3 in transit, and role-based access control throughout.
On-prem airgap deployment is available for customers where no data leaves their network. Contact us to discuss your requirements.
Changes to this policy
We will update this policy when our practices change materially. We will notify active subscribers by email at least 30 days before changes take effect. The current version is always at getatlantic.ai/privacy.