Legal

Privacy Policy

Effective date: March 2026. Governed by the laws of Delaware, United States.

Atlas (“we”, “us”, or “our”) operates the Atlas e-signature API at atlaswork.ai. This policy explains what data we collect, how we use it, and your rights around it. If you have questions, email support@atlaswork.ai.

1. Data we collect

Account data

When you create an account, we collect your email address, name, and a hashed copy of your password. We also store the API keys you generate and the webhook URLs you configure.

Document data

When you send an envelope, we store the uploaded PDF or DOCX file, any field values you prefill, and the extracted field structure returned by our document analysis service. Documents are stored encrypted at rest.

Signature data

Drawn signatures are captured as PNG images and stored alongside the signed document. We compute and store a SHA-256 hash of the final signed document to provide tamper-evident proof.

Usage data

We record API call counts, envelope send and sign events, and aggregate usage metrics tied to your account. This data is used to enforce rate limits and generate the analytics available in your dashboard.

Technical data from signing events

When a signer opens and completes a signing session, we collect their IP address, browser user agent, the timestamp they signed, and the number of seconds they spent reviewing the document. This data forms part of the legally admissible audit trail attached to each envelope.

2. How we use your data

  • Providing and operating the Atlas service, including routing documents to signers and delivering webhooks
  • Generating audit trails and cryptographic records required for ESIGN Act compliance
  • Detecting and preventing fraud and abuse
  • Sending transactional emails (signing requests, completion notifications, account alerts) via our email delivery provider
  • Improving our field detection accuracy and overall product quality using anonymized, aggregated data
  • Complying with legal obligations, including responding to lawful requests from courts or regulatory bodies

We do not use document contents or signer data to train machine learning models without explicit consent.

3. Data retention

  • Signed envelopes: Retained for 7 years from the date of signing to meet standard legal recordkeeping requirements.
  • Draft and pending envelopes: Deleted automatically when they expire. The default expiry is 30 days; you can configure a shorter window via the expires_in_days parameter.
  • Account data: Retained while your account is active. If you close your account and request deletion, we will delete your account data within 30 days, subject to our obligation to retain signed envelope records.
  • API keys: Revoked and deleted immediately when you delete them from the dashboard.

4. Data sharing

We do not sell your data. We do not share document contents or signer information with third parties for advertising purposes. We share data only with the following infrastructure providers, each of which has executed a Data Processing Agreement (DPA) with us:

  • Supabase — database and file storage. Your documents, envelope records, and account data are stored on Supabase-hosted infrastructure in the United States.
  • Vercel — application hosting and edge delivery. API requests and signing sessions are served through Vercel infrastructure.
  • Resend — transactional email delivery. Signer emails, completion notifications, and account emails are sent via Resend. We pass the recipient address and email content to Resend for delivery.
  • Extend AI — document field detection. When you submit a PDF or DOCX for smart send, we pass the document to Extend AI to detect and classify fields. Extend AI processes the document for inference only and does not retain document contents beyond the duration of the inference call.

We may disclose data if required by law, court order, or to protect the rights, property, or safety of Atlas, our users, or the public.

5. Security

  • All data is encrypted in transit using TLS 1.2 or higher
  • Documents and signature images are encrypted at rest in Supabase storage
  • Each signed document receives a SHA-256 hash stored in the audit record, providing tamper-evident proof that the document has not changed since signing
  • Webhook deliveries include an HMAC-SHA256 signature in the X-Atlas-Signature header so you can verify authenticity
  • API keys are stored as hashed values. We cannot recover your key if you lose it.

6. ESIGN Act compliance and consent records

Atlas is designed for compliance with the Electronic Signatures in Global and National Commerce Act (ESIGN Act, 15 U.S.C. § 7001) and the Uniform Electronic Transactions Act (UETA). For each envelope, we capture and retain the following consent and audit record: the signer's IP address, the user agent of their browser, the timestamp they completed signing, and the time they spent reviewing the document. Consumer disclosure consent is recorded where applicable. These records are available via the audit trail endpoint and are retained for 7 years.

7. Signer rights

If you signed a document through Atlas and want to access, correct, or request deletion of your personal data (including your signature image and IP address from the audit trail), email us at support@atlaswork.ai. Note that audit trail records tied to signed envelopes may be subject to retention obligations and cannot always be deleted.

8. Cookies and tracking

We use session cookies for authentication on the Atlas dashboard. We do not use third-party advertising cookies. We do not run cross-site tracking. We use basic server-side analytics (request counts and endpoint usage) to monitor performance and detect abuse.

9. Changes to this policy

We may update this policy from time to time. For material changes, we will notify registered users by email at least 30 days before the change takes effect. The effective date at the top of this page reflects the date of the most recent version.

10. Contact

Questions or requests related to privacy: support@atlaswork.ai

Atlas is operated by Hostfi Inc. (dba Atlas), governed by the laws of Delaware, United States.