Atlas Strategy is a UK AI consultancy. We build bespoke AI-powered software for SMEs and, in some engagements, operate the resulting tools on the client’s behalf under a written contract. This page explains what personal data we collect, how we use it, and what your rights are.
The detail of how Atlas handles personal data for a specific client engagement lives in the signed Data Processing Agreement for that engagement. This page is the public-summary version, plus the rules that govern visitors to this website.
§ 01 Who we are
Atlas Strategy Ltd (“Atlas”, “we”, “us”) is a private limited company registered in England & Wales, company number 17183923.
Registered office: 4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London W1T 6EB, United Kingdom.
Atlas is registered with the UK Information Commissioner’s Office (ICO) as a data controller, registration reference ZC165071.
Atlas is a one-person operation. The founder, Alexander Berkmann, is the sole operator and the named contact for all data protection matters. We are below the statutory threshold for appointing a Data Protection Officer under UK GDPR Article 37; Alex performs the internal DPO function and is reachable directly at alex@atlasstrategy.co.uk.
§ 02 What we collect
Atlas handles personal data in three distinct contexts. Each is covered below.
a) Visitors to this website
- Waitlist signups (historic). The homepage previously offered an email waitlist form. That form has been removed. Any address collected through it is retained only to send a single launch notice, then deleted.
- Server logs. For abuse prevention and rate limiting, we record the IP address, user-agent, and timestamp of requests to the site. Logs are kept for no longer than is necessary for those purposes.
We do not use third-party analytics, advertising cookies, or fingerprinting on this site.
Our homepage includes an AI advisor. If you type a message into it, that text is sent to Anthropic (Claude) in the United States to generate a reply. Anthropic may retain it for up to 30 days for abuse monitoring and does not use it to train its models (see Sections 5 and 10). We do not keep the conversation on our servers. It is saved only in your own browser (local storage) for 24 hours so a page refresh does not lose it, and clearing your browser data removes it. Please do not enter personal or sensitive information there.
b) Prospects and clients
- Identifiers and contact details for the named representatives at organisations Atlas is talking to (name, role, work email, phone).
- Business and commercial information shared during scoping, proposal, the optional free MVP phase, and any signed engagement (under the confidentiality terms of the Client Services Agreement).
- Account-administration data Atlas needs to provide its services (invoicing details, billing addresses, signatory information).
c) End-users of the client’s services
Where a client engages Atlas to build or operate a tool that interacts with its customers (for example, a veterinary practice using Atlas-built reactivation messaging), Atlas processes personal data about those customers strictly as the client’s processor. The categories are defined in each Scope of Work and DPA, but typically include: name, contact details, customer-relationship metadata, and the content of any messages sent or received.
The source of this data is always the client’s own systems — never collected by Atlas directly from end-users.
§ 03 How we work with client data
Atlas runs every client engagement under one of three hosting tiers, fixed in the Scope of Work and reflected in the DPA. The tier determines where production client data lives:
- Tier 1 — Productised wedge (Atlas-hosted, narrow scope). Production data lives on an Atlas-owned, per-client Supabase project in an EU region. Used for narrow productised tools where the data shape is bounded.
- Tier 2 — Bespoke build, Client-hosted (default). Production infrastructure (Supabase, Vercel, Railway, GitHub, payment provider, etc.) is owned and paid for by the Client. Atlas holds team-member operator access, which the Client can revoke at any time from their own admin panel. Production client data does not reside on Atlas-owned infrastructure in this Tier, except during build (see below).
- Tier 3 — Bespoke build, Atlas-hosted (exception). For engagements where the Client cannot or will not own infrastructure. Available only on a written exception with an additional hosting fee.
Build-phase rule (applies across all tiers). During active build, Atlas works in an Atlas-owned development environment. Any client data in that environment is purged within 14 days of build handover, with written confirmation. Production-data copies used during build are governed by the signed DPA and limited to the development project for the build duration.
§ 04 Lawful basis
The lawful bases under UK GDPR we rely on are:
- Article 6(1)(b) — performance of a contract. For our direct business relationships (prospects, clients) and for any transactional message we send to end-users on a client’s behalf that is tied to an existing customer relationship.
- Article 6(1)(f) — legitimate interests. For website server logs (security and abuse prevention) and for certain client engagements involving reactivation messaging to a client’s lapsed customers, where the client has documented a Legitimate Interests Assessment.
- Article 6(1)(a) — consent. For waitlist signups on this site, and for any consent-based messaging the client has chosen to operate.
Where Atlas acts as processor for a client, the client (as controller) is responsible for selecting and documenting the lawful basis for processing the data it provides to Atlas. Atlas processes on the client’s documented instructions.
§ 05 AI training
Atlas builds with Claude, Anthropic’s AI model. Two commitments apply to your data:
- Atlas does not use client data to train AI models. Not for the client itself, not for other clients, not for Atlas’s own general-purpose tools. This is in the Client Services Agreement (Section 3.6) and the DPA.
- Anthropic does not use API inputs and outputs to train its models. Atlas uses Claude under Anthropic’s published Commercial Terms. Inputs and outputs are retained by Anthropic for up to 30 days for abuse monitoring only, then deleted. The published terms and Anthropic’s DPA reference are available at anthropic.com/legal/commercial-terms.
§ 06 Sub-processors
The following third parties act as sub-processors for Atlas. We maintain the canonical list in every client DPA and notify clients at least 30 days before any change.
§ 07 Security measures
Atlas implements technical and organisational measures appropriate to the risk under UK GDPR Article 32:
- Encryption in transit: all data flows are over TLS 1.2 or higher.
- Encryption at rest: cloud-provider-managed encryption on Supabase, Vercel, and Railway.
- Access control: per-user team-member credentials on every system — no shared logins. Multi-factor authentication enforced where the provider supports it. Operator access is revocable at any time by the client through their own admin panel (Tier 2) or by written request (Tier 1 and 3).
- Credential storage: Bitwarden zero-knowledge encrypted vault, with per-client folders and rotation at retainer end.
- Operator device: strong authentication, auto-lock after 10 minutes idle, kept in locked premises. Client data on the operator device is transient and subject to the 14-day build-handover purge rule.
- No client data in source control. Ever. A pre-commit secret scan runs on every operator machine.
- Native cloud audit logs. Supabase, Vercel, Railway, and GitHub each provide their own audit trail; in Tier 2 engagements the client owns and can inspect these directly.
Atlas does not currently hold ISO 27001, Cyber Essentials Plus, or SOC 2 certifications. We operate in alignment with UK GDPR, the Data Protection Act 2018, and Cyber Essentials guidance, and we’re clear about that distinction with prospects whose procurement processes require certified vendors.
§ 08 How long we keep data
Retention is governed by the engagement lifecycle:
- Waitlist signups — held until the launch-announcement email goes out, then deleted unless the recipient opts into ongoing contact.
- Prospect and proposal records — retained for the duration of the relationship and for a reasonable period thereafter to support follow-on work or audit; deleted on written request.
- Client data during a live engagement — retained for the duration of the engagement on infrastructure owned by whichever party the hosting tier specifies (see Section 3).
- 14 days post-handover — any client data resident in Atlas’s development environment is purged.
- 30 days post-retainer (Tier 1 and Tier 3 only) — production data on Atlas-hosted infrastructure is purged or transferred back to the client. Written confirmation is sent.
- Statutory record-keeping — financial records and other documents required by law are kept for the period the relevant statute specifies.
§ 09 When Atlas operates messaging on a client’s behalf
For engagements where Atlas operates outbound messaging to a client’s customers (for example, reactivation messages to a veterinary practice’s lapsed pet owners), the following applies in addition to the rest of this page.
Consent is captured by the client business. Recipients give consent to clinical, transactional, and reactivation contact at the point they register with the client business. The client documents the consent record (timestamp, channel, statement wording, customer identifier) in its own systems; Atlas mirrors that record into the engagement audit log.
Opt-out is two-path. Every message includes both a carrier-handled STOP keyword and an unsubscribe link in the footer (HMAC-signed where the channel and platform support it). Opt-outs are recorded and propagated to the client’s system within one business day. Reply START to resubscribe.
Atlas does not message recipients without opt-in evidence sourced from the client business’s consent record.
End-user enquiries about the underlying customer relationship — appointments, care, billing, insurance — should be directed to the client business that sent the message. Data protection enquiries can be raised with either the client business (as controller) or Atlas (as processor); see Section 11.
§ 10 International transfers
Atlas’s default position is to host client data in UK or EU regions of its sub-processors. The exception is Anthropic, which processes AI inference in the United States.
Transfers to Anthropic are covered by the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses, referencing Anthropic’s published Commercial Terms and DPA. Inputs and outputs are retained by Anthropic for up to 30 days for abuse monitoring only, then deleted, and are never used to train Anthropic models.
Some sub-processors (Twilio, Resend, Bitwarden) operate predominantly from the US with EU availability. Transfers to these providers are covered by their own DPAs and the UK Addendum to SCCs. US hosting on any other system is only used on a client’s written request and flagged in the Scope of Work.
§ 11 Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you (subject access request).
- Rectify data that is inaccurate or incomplete.
- Erase your data (“right to be forgotten”) where the lawful basis allows.
- Object to processing carried out under legitimate interests, including any direct-marketing-style contact.
- Restrict processing in certain circumstances.
- Data portability for data you provided to us under consent or contract.
- Withdraw consent at any time where consent is the lawful basis (this does not affect the lawfulness of earlier processing).
- Not be subject to a decision based solely on automated processing where it produces legal or similarly significant effects (Article 22). Atlas does not currently make such decisions about individuals.
How to route your request. If your data is held by Atlas in its capacity as data controller (e.g. you submitted the waitlist form, or you are a prospect/client contact), email alex@atlasstrategy.co.uk and we’ll respond within 30 days.
If your data is held by Atlas in its capacity as data processor (e.g. you are a customer of one of our client businesses), you can raise your request with either the client business directly or with us. We’ll route it to the controller and support them in responding. The controller has the final say on outcomes such as erasure, because they hold the relationship with you.
You also have the right to complain to the Information Commissioner’s Office (ico.org.uk). We’d ask you to raise the issue with us first.
§ 12 Children’s data
Atlas’s services are not directed at children. We do not knowingly collect personal data from anyone under the age of 13 via this website, and our prospect and client relationships are with UK businesses. Where Atlas processes data on behalf of a client business whose customer relationships may include minors (for example, a veterinary practice where a pet owner is a young person), Atlas processes that data strictly on the client’s instructions and relies on the client to discharge its UK GDPR Article 8 obligations as data controller.
§ 13 Incident response
If we become aware of a personal data breach, we will notify the affected client within 24 business hours of discovery, by direct phone or SMS to the agreed point of contact, followed by a written summary. Where the incident meets the UK GDPR Article 33 threshold for ICO notification, we support the client (as controller) in making that 72-hour notification.
Atlas is a solo operation. Incident response is best-effort across business hours and evenings, not a round-the-clock SLA — we’re explicit about that. The full runbook is available to clients at proposal stage.
§ 14 Contact and updates
For privacy questions, requests, or complaints — email alex@atlasstrategy.co.uk.
We review this page at least once a year and whenever our processing materially changes. The “last updated” date at the top of this page is the date of the most recent revision. Material changes affecting active clients are notified in writing under the signed Client Services Agreement with at least 30 days’ notice.