Privacy Policy

Effective date: April 2026. Governed by the laws of Delaware, United States.

Atlas (“we”, “us”, or “our”) operates the Atlas e-signature service at atlaswork.ai. Atlas is an e-signature SaaS. We store documents, route them to signers, collect legally binding signatures, and return signed documents with a cryptographic audit trail. This policy explains what data we collect, how we use it, who we share it with, and your rights. If you have questions, email support@atlaswork.ai.

1. Data we collect

Account data

Your email address, name, and a hashed copy of your password. We also store the API keys you generate and the webhook URLs you configure. Atlas authenticates with email and password. Passwords are stored as hashes only.

Document data

When you send an envelope, we store the uploaded PDF or DOCX file, any field values you prefill, and the extracted field structure returned by our document analysis service. Documents are stored encrypted at rest in Supabase.

Signer data

The email address of each person you send a document to. If you pass names, phone numbers, or other signer attributes through the API, we store those as part of the envelope record.

Signature data

Drawn signatures are captured as PNG images and stored alongside the signed document. We compute and store a SHA-256 hash of the final signed document to provide tamper-evident proof.

Signing session data (audit trail)

When a signer opens and completes a signing session, we collect: their IP address, browser user agent, the timestamp they signed, and the time they spent reviewing the document. This data forms part of the legally admissible audit trail attached to each envelope and is required for ESIGN Act compliance.

Usage data

API call counts, envelope send and sign events, and aggregate usage metrics tied to your account. This data is used to enforce rate limits and generate the analytics visible in your dashboard.

MCP and AI agent integration data

When you use Atlas through an AI agent such as Claude (Anthropic) or ChatGPT (OpenAI) via our MCP tools, we record the API key used, the tools called, and the parameters passed to those tools. Those parameters can include document URLs and signer email addresses. Additionally, when an AI agent calls an Atlas MCP tool, the document URL, signer email, and any other parameters you provide pass through the AI model's context window on their way to our API. This means the AI provider (Anthropic or OpenAI) processes that data as part of handling the tool call. We do not control what those providers do with data in their context windows. If you use Atlas through Claude or ChatGPT, review Anthropic's and OpenAI's privacy policies as well.

2. How we use your data

  • Providing the Atlas service: routing documents to signers, collecting signatures, and delivering webhooks
  • Generating audit trails and cryptographic records required for ESIGN Act compliance
  • Detecting and preventing fraud and abuse
  • Sending transactional emails (signing requests, completion notifications, account alerts) via our email delivery provider
  • Detecting signature fields in uploaded documents using our document analysis pipeline
  • Enforcing rate limits and plan quotas
  • Improving our field detection accuracy and overall product quality using anonymized, aggregated data
  • Complying with legal obligations, including responding to lawful requests from courts or regulatory bodies

We do not use document contents or signer data to train machine learning models without explicit consent.

3. Data retention

  • Signed envelopes: Retained for 7 years from the date of signing to meet standard legal recordkeeping requirements. This retention period applies even if you close your account.
  • Draft and pending envelopes: May be deleted after a retention period if they are not sent or completed.
  • Account data: Retained while your account is active. If you close your account and request deletion, we will delete your account data within 30 days, subject to our obligation to retain signed envelope records.
  • API keys: Revoked and deleted immediately when you delete them from the dashboard.
  • Usage and analytics data: Retained for up to 12 months in identifiable form, then aggregated or deleted.

4. Data sharing and recipients

We do not sell your data. We do not share document contents or signer information with third parties for advertising purposes. We share data only with the following parties:

Infrastructure providers

Each infrastructure provider has executed a Data Processing Agreement (DPA) with us:

  • Supabase — database, authentication, and file storage. Your documents, envelope records, and account data are stored on Supabase-hosted infrastructure in the United States.
  • Vercel — application hosting, edge delivery, and Web Analytics on our public site (page views, referrer, and coarse device/browser signals). API requests and signing sessions are served through Vercel infrastructure.
  • Resend — transactional email delivery. Signer emails, completion notifications, and account emails are sent via Resend. We pass the recipient address and email content to Resend for delivery.
  • Extend AI — document field detection. When you submit a PDF or DOCX for smart send, we pass the document to Extend AI to detect and classify fields. Extend AI processes the document for inference only and does not retain document contents beyond the duration of the inference call.

AI model providers (MCP integrations)

When you invoke Atlas through an AI agent (Claude via Anthropic, or ChatGPT via OpenAI), tool call parameters including document URLs and signer email addresses pass through that AI provider's infrastructure. Anthropic and OpenAI are independent data controllers for data that passes through their systems. We do not control their data handling. See their respective privacy policies for details.

Legal disclosures

We may disclose data if required by law, court order, or to protect the rights, property, or safety of Atlas, our users, or the public.

5. Data we do not collect

Atlas does not collect:

  • Payment card numbers or financial account details. Payments are handled by Stripe. We receive only a customer ID and subscription status.
  • Government-issued ID numbers (Social Security numbers, passport numbers, tax IDs)
  • Protected health information (PHI) as defined by HIPAA
  • Biometric data other than drawn signatures, which are treated as document content and stored with the envelope record
  • Passwords in plaintext. We store hashed passwords only.

If your use case involves any of the above sensitive data types, do not pass it through Atlas tools or API fields.

6. Security

  • All data is encrypted in transit using TLS 1.2 or higher
  • Documents and signature images are encrypted at rest in Supabase storage
  • Each signed document receives a SHA-256 hash stored in the audit record, providing tamper-evident proof that the document has not changed since signing
  • Webhook deliveries include an HMAC-SHA256 signature in the X-Atlas-Signature header so you can verify authenticity
  • API keys are stored as hashed values. We cannot recover your key if you lose it.

7. ESIGN Act compliance and consent records

Atlas is designed for compliance with the Electronic Signatures in Global and National Commerce Act (ESIGN Act, 15 U.S.C. § 7001) and the Uniform Electronic Transactions Act (UETA). For each envelope, we capture and retain: the signer's IP address, the user agent of their browser, the timestamp they completed signing, and the time they spent reviewing the document. Consumer disclosure consent is recorded where applicable. These records are bundled into the signed certificate PDF and are retained for 7 years.

8. Your rights and controls

Account holders (senders)

  • Account deletion: Email support@atlaswork.ai to request deletion of your account and associated data. We process deletion requests within 30 days. Signed envelope records are subject to a 7-year retention obligation and may not be deleted during that period.
  • Data export: You can export your envelope list and audit records at any time via the Atlas API using your API key.
  • API key management: Revoke and generate API keys from the dashboard at any time.
  • Webhook management: Add or remove webhook endpoints from the dashboard at any time.

Signers

If you signed a document through Atlas and want to access, correct, or request deletion of your personal data (including your signature image and IP address from the audit trail), email us at support@atlaswork.ai. Audit trail records tied to signed envelopes may be subject to retention obligations and cannot always be deleted on request.

9. GDPR rights (EEA and UK users)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Ask us to correct inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data, subject to retention obligations (e.g., signed envelope audit trails required for ESIGN Act compliance).
  • Right to restriction: Ask us to restrict processing of your data in certain circumstances.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

Our legal basis for processing is: contract performance (operating the Atlas service), legal obligation (ESIGN Act audit trail retention), and legitimate interests (fraud prevention, security). We rely on consent only where explicitly noted.

Data we collect is stored in the United States. Where we transfer data outside the EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards with our infrastructure providers (Supabase, Vercel, Resend).

To exercise any of these rights, email support@atlaswork.ai. We respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

10. California privacy rights (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to delete: Request deletion of personal information we have collected, subject to exceptions for legal compliance and fraud prevention.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is required.
  • Right to limit use of sensitive personal information: We collect only the sensitive personal information necessary to provide the service (e.g., signature images as part of legally binding records).
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email support@atlaswork.ai with the subject line “California Privacy Request.” We will verify your identity and respond within 45 days.

11. Cookies and tracking

We use session cookies for authentication on the Atlas dashboard. We do not use third-party advertising cookies. We do not run cross-site ad tracking or retargeting.

For our marketing site and other public pages, we use Vercel Web Analytics to count page views and understand traffic (paths visited, referrer, and coarse device/browser information). That is separate from the account usage metrics in your dashboard.

We also collect server-side request logs (request counts and endpoint usage) to monitor performance and detect abuse.

12. Changes to this policy

We may update this policy from time to time. For material changes, we will notify registered users by email at least 30 days before the change takes effect. The effective date at the top of this page reflects the date of the most recent version.

13. Contact

Privacy questions and requests: support@atlaswork.ai

Atlas is operated by Hostfi Inc. (dba Atlas), governed by the laws of Delaware, United States.