Home
ATLAS

Privacy policy

Last updated: May 16, 2026 | Version 1.0

1. Introduction

ATLAS ("we," "us," or "our") operates a music education and career platform. We are committed to protecting your privacy and handling your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the Dutch General Data Protection Regulation (AVG).

This Privacy policy explains how we collect, use, process, and protect your personal data when you use the platform. Where we rely on consent, we ask for it separately and you can withdraw it as described in this policy.

We may update this Privacy policy from time to time. When we make changes, we will update the "Last updated" date and notify you of material changes. Continued use of the Service after changes constitutes acceptance of the updated policy.

2. Data controller

The data controller responsible for processing your personal data is:

ATLAS
Location: The Netherlands
Email: remy@toolkit.music

For any questions about this Privacy policy or our data practices, please contact us using the information above.

3. Information we collect

We collect and process the following categories of personal data:

3.1. Account information

  • Email address (required)
  • Password (hashed and encrypted, required)
  • Name (required)
  • Username (required)
  • Profile picture/avatar (optional)
  • IPI code (optional, for music industry identification)

3.2. Content you upload

  • Songs, tracks, and audio files
  • Artwork and images
  • Lyrics and text content
  • File attachments
  • Song metadata (title, artist, genre, tags, etc.)
  • Comments and messages

3.3. Usage information

  • Last login timestamp
  • Onboarding completion status
  • Feature usage patterns
  • Credit balances, purchases, subscriptions, and booking activity

3.4. Payment information

  • Stripe customer ID and payment references
  • Subscription status and plan name
  • Billing information processed securely by Stripe, not stored directly by us

3.5. Communication data

  • Email communication history
  • Marketing preferences (opt-in/opt-out)
  • Notification preferences

3.6. Consent records

  • Terms of service acceptance timestamp and version
  • Privacy policy acceptance timestamp and version
  • Cookie preference choices and timestamp
  • Marketing opt-in status and timestamp

3.7. AI tool inputs

When you use AI tools, such as guided AI sessions, artist bio assistance, Spotify pitch drafting, or social script generation, we process prompts, answers, generated drafts, conversation history, selected flow metadata, and credit usage.

3.8. Technical and log data

  • IP address and approximate location derived from it
  • Browser, device, and operating-system information
  • Request URLs, timestamps, response codes, and security events
  • Cookie identifiers, session identifiers, and referral attribution where applicable

4. Legal basis for processing

We process your personal data based on the following legal grounds under GDPR Article 6:

  • Contract performance: To provide and maintain the Service, process payments, and fulfill our contractual obligations to you
  • Consent: For marketing communications (you can withdraw consent at any time), and for analytics and advertising measurement cookies
  • Legitimate interests: To improve our Service, prevent fraud, ensure security, keep operational logs, handle support, and send transactional emails necessary for service delivery
  • Legal obligation: To comply with applicable laws and regulations, including tax and accounting requirements

5. How we use your information

We use your personal data for the following purposes:

  • To provide, maintain, and improve the platform
  • To process your account registration and authenticate your identity
  • To store, organize, and make your content accessible to you
  • To process payments and manage subscriptions and credits
  • To book, manage, and remind you about coaching or live sessions
  • To generate AI-assisted drafts when you request them
  • To send transactional emails (welcome emails, password resets, session reminders, etc.)
  • To send marketing communications (only if you have opted in)
  • To respond to your inquiries and provide customer support
  • To ensure security, prevent fraud, and enforce our Terms of service
  • To comply with legal obligations and resolve disputes
  • To analyze usage patterns and improve our Service

6. Data sharing and third-party services

We share your personal data with the following third-party service providers to operate the Service:

6.1. Payment processing

Stripe: We use Stripe to process credit purchases, subscriptions, direct purchases, invoices, refunds, and payment disputes. Stripe processes payment details securely. We store limited billing identifiers, transaction metadata, and subscription state, not full card details.View Stripe privacy information.

6.2. File storage and media delivery

Uploaded files, course media, product assets, artwork, service order files, and related attachments may be stored or delivered through tenant-configured Bunny Storage, Bunny Stream, Bunny CDN, S3-compatible storage such as Wasabi, or Supabase Storage. Files are used only to provide the Service, deliver assets, and support the workflows you choose to use.

6.3. Authentication and database

We use Supabase for user authentication and session management, and a self-hosted PostgreSQL database for account and content data. View Supabase privacy information.

6.4. Email services

We use Amazon SES to send transactional emails. Your email address is shared with Amazon SES only for the purpose of sending emails related to the Service.

6.5. AI processing

OpenAI: When you actively use AI tools, prompts, answers, profile context, and relevant workflow data may be sent to OpenAI to generate responses. We do not send this data unless you request an AI-assisted action.

6.6. Analytics and advertising measurement

Meta: If you grant analytics consent, we may use Meta Pixel and Meta Conversions API to measure page views, registrations, checkout events, purchases, and subscriptions. Server-side events are also gated by your analytics consent. If you decline analytics cookies, we do not send Meta analytics events. See our Cookie policy.

6.7. Other sharing

  • If required by law or legal process
  • To protect our rights, property, or safety, or that of our users
  • In connection with a business transfer (merger, acquisition, etc.)

7. International data transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our third-party service providers are located.

We ensure that such transfers comply with GDPR requirements by:

  • Using service providers certified under appropriate frameworks (e.g., EU-U.S. Data Privacy Framework)
  • Implementing Standard Contractual Clauses (SCCs) where applicable
  • Ensuring adequate data protection measures are in place

8. Data retention

We retain your personal data for as long as necessary to provide the Service, unless a longer retention period is required by law:

  • Account data and content: Retained while your account is active. When you delete your account, deletion from active systems starts immediately. Backups, caches, and processor logs may be purged on rolling cycles after deletion.
  • Payment records: Retained for 7 years as required by tax and accounting laws
  • Consent records: Retained to demonstrate compliance with data protection requirements
  • Marketing preferences: Retained until you withdraw consent or delete your account
  • Security and server logs: Typically retained for up to 90 days, unless needed for an active security, fraud, support, or legal investigation

Important: Account deletion is permanent. We cannot recover your data after deletion is complete. Please back up any content you wish to keep before deleting your account.

9. Your rights under GDPR/AVG

You have the following rights regarding your personal data:

  • Right of access: You can request a copy of the personal data we hold about you
  • Right to rectification: You can request correction of inaccurate or incomplete data
  • Right to erasure ("right to be forgotten"): You can request deletion of your personal data (subject to legal obligations)
  • Right to restrict processing: You can request that we limit how we process your data
  • Right to data portability: You can request a copy of your data in a structured, machine-readable format
  • Right to object: You can object to processing based on legitimate interests
  • Right to withdraw consent: You can withdraw consent for marketing communications and analytics cookies at any time

To exercise these rights, please contact us at remy@toolkit.music. We will respond to your request within one month.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe we have violated your data protection rights.

10. Privacy rights for US residents

Depending on where you live, US state privacy laws may give you rights to know, access, correct, delete, or receive a portable copy of personal information, and to opt out of certain sharing or targeted advertising.

We do not sell personal information for money. Where analytics or advertising measurement may be treated as sharing for targeted advertising, you can opt out by rejecting analytics cookies or changing your cookie preferences.

11. Data security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of data at rest
  • Secure password hashing (bcrypt)
  • Regular security assessments and updates
  • Access controls and authentication
  • Regular backups of your data

No method of transmission over the internet is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

12. Cookies and tracking technologies

We use cookies and similar technologies to operate the Service, authenticate users, and remember your preferences. For detailed information, please see our Cookie policy.

13. Children's privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.

14. Marketing communications

We only send marketing communications if you have explicitly opted in. You can opt out at any time by updating your preferences in your account settings, clicking the unsubscribe link in any marketing email, or contacting us directly.

Even if you opt out of marketing communications, we may still send transactional emails necessary for the Service (account notifications, session reminders, etc.).

15. Changes to this Privacy policy

When we make material changes we will update the "Last updated" date, notify you via email or through the Service, and for significant changes may require you to review and accept the updated policy.

16. Contact us

If you have any questions, concerns, or requests regarding this Privacy policy or our data practices, please contact us:

ATLAS
Email: remy@toolkit.music
Location: The Netherlands

For complaints regarding data protection, you can also contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

Terms of serviceRefund policyCookie policyHome