Privacy Policy
Last updated: 2026-05-12 · Version 1.1
ATLOM ("we", "our", "us") is operated by Groupe ATLOM Inc., a corporation registered in Québec, Canada (123 rue Sommerville, Montréal QC H3L 1A1). This policy explains what personal information we collect, why we collect it, and the rights you have over that information. It applies to atlom.com, the ATLOM web application at app.atlom.com, and the ATLOM mobile applications for iOS and Android.
1. Who we are
ATLOM is the data controller for personal information processed through our products. Privacy office: info@atlom.com.
2. Scope
This policy covers:
- the marketing website atlom.com,
- the web application at app.atlom.com,
- the ATLOM mobile applications distributed on the Apple App Store and Google Play.
3. Accounts and parental consent
Accounts are created only by adults aged 18 or older — typically a parent, legal guardian, or coach. The adult creates a profile for the young athlete under their own account; the child does not have a separate login or direct credentials. The adult confirms consent at signup; that consent timestamp is stored alongside the account.
The adult is responsible for the lawful basis to enrol the athlete and may at any time review, export, or delete the athlete's data.
4. Information we collect
| Category | Examples | Purpose |
|---|---|---|
| Account | Email, name, password hash, date of birth (≥ 18), consent timestamp | Authenticate, contact you, age-gate |
| Athlete profile | First name, date of birth, sex, country, program assignment (branch, level, week), onboarding answers | Adapt training to age and ability |
| Training data | Sessions completed, duration, RPE, completion rate, badges, optional drill audio, optional profile photo | Provide adaptive feedback and progress reports |
| AI-coach context | Athlete first name + age + current program state are sent to an LLM provider to generate coach utterances and TTS audio | Power the in-app coach experience |
| Subscription / billing | Plan tier, source (Stripe / Apple / Google), Stripe customer id, RevenueCat / store entitlement ids — never card numbers | Manage paid access |
| Security telemetry | Hashed session IP, browser and OS family for refresh-token replay detection | Detect account hijacking |
| Diagnostics (web only today) | Crash reports, performance metrics | Improve reliability |
| Marketing-site analytics (optional) | Aggregated page-view counts when Plausible is enabled — no cookies, no individual tracking | Understand site traffic |
5. Children (COPPA, GDPR-K, Quebec Law 25)
ATLOM supports athlete development for young players, but accounts are held by an adult parent or guardian who provides verifiable parental consent before any athlete profile is created. We do not knowingly collect personal information from a child without that consent.
We do not show third-party advertising. The mobile application contains no third-party advertising or behavioural-tracking SDKs. Parents may review, export, or delete any data associated with their athlete at any time from the parent dashboard or by emailing info@atlom.com.
6. Lawful bases (GDPR / UK GDPR)
We process personal information under one or more of the following bases: contract performance (delivering the service you signed up for), legitimate interests (security, fraud prevention, product analytics in aggregated form), consent (optional features such as marketing analytics), and legal obligation (tax, accounting, child-safety reporting).
7. Your rights
Subject to applicable law, you may request: access to your data, correction, deletion ("right to be forgotten"), restriction of processing, portability of your data in a machine-readable format, and to object to processing based on legitimate interests. We respond to verifiable requests within 30 days.
To exercise any of these rights, email info@atlom.com or use the in-app "Export my data" and "Delete my account" controls.
8. International transfers
ATLOM data is hosted on Railway (compute, PostgreSQL) and AWS (S3 object storage and CloudFront content delivery). When data moves between regions or to sub-processors, we rely on Standard Contractual Clauses or equivalent safeguards.
9. Retention
We retain account and training data while your account is active. After a deletion request, personal data is purged within 30 days. Payment records are retained for the period required by law (typically up to 7 years). Security logs are kept for up to 90 days. Backups roll on a 30-day window. See Data retention.
10. Sub-processors
The following processors receive personal data on our behalf, strictly to deliver the service:
- Railway — compute and managed PostgreSQL
- AWS S3 + CloudFront — media storage and CDN (profile pictures, data
exports, video catalogue served via
cdn.atlom.app) - Stripe — web subscription billing
- Apple App Store / Google Play — in-app purchases
- RevenueCat — subscription receipt verification and webhook events
- OpenAI — large-language-model completions for the coach and program planner (athlete first name, age, and program state may be transmitted)
- Anthropic — large-language-model completions used as a fallback for the coach brain when configured
- ElevenLabs — text-to-speech synthesis of coach utterances
- Upstash Redis — rate limiting and short-lived cache
- Sentry — error and performance monitoring (web and marketing site only)
- Transactional email provider (SMTP) — verification, password reset, product notifications
- Plausible — privacy-respecting marketing-site analytics, only when enabled; no cookies, no individual tracking
We update this list when processors change; see also Sub-processors.
11. Security
Data is encrypted in transit (TLS 1.2+) and at rest. Passwords are stored with strong one-way hashing. Session IPs are hashed for replay defence. Production access is limited to authenticated personnel and audited. In the event of a data breach, we notify affected users and competent authorities within 72 hours of becoming aware.
12. PIPEDA (Canada) and Quebec Law 25
Canadian residents have rights under the federal PIPEDA and, for Québec, Law 25. Our privacy officer is reachable at info@atlom.com.
13. CCPA (California) and LFPDPPP (Mexico)
California residents may request access, correction, or deletion of their personal information and may opt out of any sale of personal information — we do not sell personal data.
Mexican residents may exercise their ARCO rights (Access, Rectification, Cancellation, Opposition) under LFPDPPP by contacting info@atlom.com.
14. Data we do not collect
ATLOM does not collect phone numbers, precise GPS location, the device contacts list, browsing history outside the application, biometric identifiers, or payment-card numbers (card data is handled exclusively by Stripe, Apple, and Google under PCI-DSS).
15. Changes to this policy
We post material changes on this page and, where required by law, notify you at least 30 days in advance by email and in-app.
16. Contact
ATLOM — Privacy Office
info@atlom.com
www.atlom.com
You may also lodge a complaint with the competent authority in your country — in the United States the Federal Trade Commission, in Canada the Office of the Privacy Commissioner, in Mexico the INAI.