This Privacy Policy describes how Atlas ("we," "us," "our") collects, uses, and shares information when you use the Atlas website, applications, APIs, and related services (collectively, the "Service").
Information we collect
Account information
When you create an account, our identity provider (Clerk) collects your email address, name, and any authentication method you choose (password, social sign-in). We receive a user identifier from Clerk that lets us associate your uploaded data with your account. We do not store passwords.
Portfolio data you upload
When you upload a trade ledger (.xlsx), we receive and process the contents of that file: trade dates, tickers, quantities, prices, fees, cash flows, and any Investment Policy Statement targets you provide. We store this data to generate your analytics and keep historical runs available to you.
Usage data
We log basic information about how the Service is used — pages viewed, actions taken, timestamps, IP address (truncated where feasible), user agent — to operate and improve the Service, detect abuse, and debug issues.
How we use information
- To provide the Service, including computing analytics on your uploaded data;
- To authenticate you and secure your account;
- To respond to support requests and communicate important Service updates;
- To monitor, debug, and improve the Service;
- To comply with legal obligations and enforce our Terms of Service.
What we do not do
- We do not sell your data to third parties.
- We do not show advertising based on your portfolio contents.
- We do not train machine-learning models on your uploaded portfolio data.
- We do not share your portfolio data with other users.
Third-party processors
We rely on the following trusted third parties to run the Service:
- Vercel — hosting, serverless compute, and request routing.
- Clerk — user authentication and session management.
- Upstash Redis — managed key-value store for your latest portfolio tearsheet, scoped to your user identifier.
- Yahoo Finance (via yfinance) — public market-data lookups for the tickers you hold.
- Anthropic — optional AI-generated commentary (only when you click Generate memo or Make it dumb).
Each of these processors has its own privacy and security practices. We share only the minimum information needed for each service to function.
How your portfolio is stored (technical detail)
When you upload a trade ledger, Atlas parses it, pulls live prices, and computes your tearsheet. A JSON snapshot of that tearsheet is saved so it's ready for you on your next visit. Here's exactly what that entails:
- Storage layer: Upstash Redis (a managed Redis-compatible key-value store integrated via Vercel).
- Encryption in transit: TLS 1.2+ between Atlas servers and Upstash. No plaintext traffic on the wire.
- Encryption at rest: AES-256 on Upstash's managed disks. Even if a physical drive were removed from the data center, the bytes are unreadable without their keys.
- Per-user scoping: every record is keyed by your Clerk user identifier (e.g. atlas:portfolio:v1:user_XXXX). The server route checks your authenticated session and binds every read and write to your user ID — no Atlas user can access another user's data.
- Retention: 90 days from your last upload. After that, the record auto-expires and is removed. You can delete it earlier at any time from the Account page.
- Local cache: for speed, your browser also keeps a copy of the latest tearsheet in localStorage, scoped to your user ID. Clearing browser data removes it. Deleting via the Account page removes both the server copy and the local cache.
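The per-user scoping and 90-day expiry described above can be sketched as follows; this is an added example, not Atlas's own code. The in-memory `MemoryStore` stands in for the Redis-compatible store, and the session object shape, function names, and the `user_` plus alphanumerics ID pattern are assumptions.

```javascript
// Added example (not Atlas code): session-bound keys with a retention TTL.
const RETENTION_SECONDS = 90 * 24 * 60 * 60; // 90 days from the last upload
const KEY_PREFIX = "atlas:portfolio:v1:";

// Constructed stand-in for a Redis-compatible store with per-key expiry.
class MemoryStore {
  constructor(now = () => Date.now()) { this.now = now; this.data = new Map(); }
  set(key, value, ttlSeconds) {
    this.data.set(key, { value, expiresAt: this.now() + ttlSeconds * 1000 });
  }
  get(key) {
    const rec = this.data.get(key);
    if (!rec) return null;
    if (rec.expiresAt <= this.now()) { this.data.delete(key); return null; }
    return rec.value;
  }
  del(key) { return this.data.delete(key); }
}

// The key comes only from the authenticated session, never from request input.
function portfolioKey(session) {
  const userId = session && session.userId;
  // Assumed ID shape. Rejecting anything else keeps ":" and glob characters
  // out of the key namespace, so one user cannot address another's record.
  if (typeof userId !== "string" || !/^user_[A-Za-z0-9]+$/.test(userId)) {
    throw new Error("unauthenticated");
  }
  return KEY_PREFIX + userId;
}

// Each upload rewrites the record and restarts the 90-day clock.
function saveTearsheet(store, session, tearsheet) {
  store.set(portfolioKey(session), JSON.stringify(tearsheet), RETENTION_SECONDS);
}

function loadTearsheet(store, session) {
  const raw = store.get(portfolioKey(session));
  return raw === null ? null : JSON.parse(raw);
}

// On-demand deletion, as offered from the Account page.
function deleteTearsheet(store, session) {
  return store.del(portfolioKey(session));
}
```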
What we will never store
To keep the risk surface small, Atlas is deliberately designed to avoid touching the following:
- Brokerage account passwords, API keys, or OAuth tokens.
- Account numbers, routing numbers, or tax identifiers (SSN / ITIN / EIN).
- Payment methods, credit card numbers, or bank account details.
- Your real name, mailing address, phone number, or date of birth (beyond what your Clerk profile contains for sign-in purposes).
We don't ask for any of these, and they are not required to use Atlas. The worst-case blast radius of any data-layer breach is a portfolio snapshot — sensitive, yes, but not identity-theft sensitive.
Data retention
Your portfolio snapshot auto-expires 90 days after your last upload. Account information (email, sign-in details) is retained while your account is active. When you delete your account, we delete or anonymize your data within 30 days, subject to legal and operational exceptions (e.g., backup retention, fraud prevention, legal holds). You can also delete your portfolio payload on demand from the Account page.
Your rights
Depending on where you live, you may have the right to access, correct, delete, or export your personal data, and to object to or restrict certain processing. Practically speaking, Atlas gives you one-click access to all of these through the Account page: delete your portfolio data, or delete your entire account. For anything else, use our contact form.
Security
We use industry-standard encryption in transit (TLS) and at rest for stored data. No system is perfectly secure. Notify us immediately via our contact form (mark the subject “Security”) if you suspect your account has been compromised.
Children
The Service is not intended for children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
International users
Atlas is operated from the United States. If you access the Service from outside the US, you consent to the transfer of your information to the US, which may have different data-protection rules than your home jurisdiction.
Changes
We may update this Privacy Policy. Material changes will be announced via email or a prominent Service notice. Continued use of the Service after an update constitutes acceptance of the updated Policy.
Contact
Questions: send us a note via our contact form.
This is a template policy and should be reviewed by a licensed attorney familiar with applicable privacy law (including GDPR, CCPA, and other regional requirements) before the Service is made public.