Legal
Privacy Policy
Last updated: May 4, 2026
Who we are
Atlas is operated by Troy Smith ("we," "us"). Once Snowbird Labs LLC is registered, this policy will be updated to reflect the entity change. Contact: troy@snowbird-labs.com.
What we collect
Atlas only collects data you explicitly connect. We never buy data, never run third-party trackers, and never collect anything you haven't actively connected.
- Account info from your sign-in provider (email, name, Apple- or Google-issued user ID, profile image URL). Used to sign you in and label your data inside the app.
- Profile fields you choose to set: sex and birthdate. Used solely to look up the right age + sex cohort for percentile-based scoring on health metrics. Never shared.
- Health & fitness data from Apple HealthKit — the metrics and workout types you authorize on the system permission sheet (steps, sleep, heart rate, HRV, weight, workouts, etc.). Read-only; we never write back to HealthKit.
- Data from optional integrations if you connect them — Monarch Money (financial accounts and transactions), GHIN (golf rounds and handicap), TrackMan / Rapsodo (golf swing metrics), BTWB (CrossFit sessions), PADI (scuba dive logs).
- Server logs — standard request logs (IP, user-agent, timestamp, status code) retained for up to 30 days for security and abuse-prevention purposes.
Apple HealthKit data — special handling
Apple requires explicit disclosure of how HealthKit data is used. For Atlas:
- HealthKit data is read on your device and uploaded to Atlas's backend (Neon Postgres on Vercel) so it can populate your dashboard across devices and the web.
- We never use HealthKit data to advertise or market to you, share it with advertisers or data brokers, or use it to inform an ad platform.
- We never sell HealthKit data.
- We never use HealthKit data to derive third-party rights (e.g. licensing it for AI training).
- HealthKit data is stored alongside the rest of your account in encrypted-at-rest Postgres. Deleting your account removes every row immediately.
Where it lives
All data is stored in a Neon Postgres database with encryption at rest, hosted on the Vercel platform (US East). Third-party integration credentials (Monarch passwords, GHIN tokens, etc.) are additionally wrapped in AES-256 application-level encryption with a key that is never sent to the browser.
What we do with it
Your data is used to populate your dashboard. That's the only purpose. We do not:
- Sell your data, ever.
- Share your data with third parties for marketing or analytics.
- Use your data to train AI models.
- Show you ads.
Aggregated, fully de-identified statistics (e.g. "users who connected GHIN played 12 rounds on average last month") may be used internally for product analytics, but never in a form that identifies an individual user.
Sub-processors
Atlas relies on a small set of infrastructure vendors. Each is a data processor only — they hold data on our behalf and cannot use it for their own purposes.
- Vercel — application hosting, serverless functions, edge logging.
- Neon — managed Postgres database.
- Anthropic — AI inference for the optional Action Plan generator. Data passed to Anthropic is limited to your low-scoring metric labels and current values; it is sent with the API's zero-data-retention setting and is not used for model training.
Cookies + analytics
Atlas sets a session cookie via NextAuth so signing in persists across page loads. Vercel Analytics provides aggregate traffic counts; it is cookieless and does not track individual users. No third-party advertising or social-media trackers run on Atlas.
Your rights
You can, at any time:
- Disconnect any integration from Settings → Integrations. Removing an integration immediately deletes its stored credentials.
- Export everything — Settings → Account → Download account data. The download is a JSON file containing every row keyed to your user ID.
- Delete your account — Settings → Account → Danger zone → Delete account. Deletion is immediate; every row keyed to your user ID is removed via cascade. Backups are retained up to 30 days for disaster-recovery purposes and are never used for any other purpose.
If you are an EU/UK resident, you also have the rights granted by GDPR (access, rectification, erasure, restriction, portability, objection). Email us to exercise any of these rights, or use the export and delete affordances above.
Children
Atlas is not directed to children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has signed up, contact us and we will delete the account.
Security
We use industry-standard practices: TLS 1.2+ in transit, encryption at rest at the database layer, AES-256 application-layer encryption for integration credentials, OAuth bearer tokens that expire and can be revoked, and no third-party access to production data. No system is perfectly secure; if we ever experience a breach affecting your data, we will notify you within 72 hours of confirming the breach.
International users
Atlas is hosted in the United States. By using the service from outside the US, you consent to your data being processed in the US. Where required by law (GDPR), we use Standard Contractual Clauses with our sub-processors to cover transfers.
Changes to this policy
We'll update this page when material things change and bump the "Last updated" date at the top. Substantive changes will be communicated via email to active users at least 14 days before taking effect.
This policy is provided in good faith and reflects current Atlas behavior. It is not legal advice. We recommend reviewing it with counsel before relying on it for compliance purposes.