Privacy Policy
Last updated: 15 May 2026
1. Who is responsible for your data?
The controller within the meaning of Article 4 No. 7 GDPR is:
We have not appointed a Data Protection Officer (DPO). Under Article 37 GDPR a DPO is not mandatory for our current scale of processing. We will reassess this obligation on incorporation and again before launching the consumer health product.
2. Scope of this Privacy Policy
This Privacy Policy applies to the website atlascove.health and its sub-pages (the “Website”). The Atlas Cove product (mobile and web application, residency programmes, coaching) is not yet available to the public. A separate Consumer Health Data Privacy Policy and product Terms of Service will apply to that product when it launches and will be linked from this page at that time.
3. What personal data we process and why
We process personal data only where we have a clear purpose and a valid legal basis under Article 6 (or, for special categories, Article 9) GDPR. The following sections describe each processing activity individually.
3.1 Server access logs
When you visit our Website, our servers automatically log the following technical data: shortened IP address, date and time of the request, the URL requested, HTTP status, referrer URL, user agent string. We use this data to operate, secure and troubleshoot our infrastructure.
Legal basis: Article 6 (1)(f) GDPR (legitimate interest in a secure, functioning service).
Retention: 30 days. IP addresses are redacted in our application logs by our logger (Pino).
3.2 Website analytics (Plausible, self-hosted)
We measure aggregate Website usage with Plausible Analytics, hosted by us on our own infrastructure at OVHcloud (France). Plausible is cookieless, does not store personal data on your device, does not collect personally identifiable IP addresses, does not track users across websites and does not use device fingerprinting.
Legal basis: Article 6 (1)(f) GDPR (legitimate interest in understanding aggregate website usage). Because no personal data is processed in a way that affects your privacy and no information is stored on your device, neither GDPR consent nor consent under § 25 (1) TTDSG / Article 5 (3) ePrivacy Directive is required.
Retention: Aggregate, non-personal statistics only.
3.3 Waitlist, newsletter and contact forms
When you fill in one of our forms, we process the data you provide for the specific purpose described on each form:
- Waitlist: first name, last name, e-mail address, city, country, planned stay length. Used to register your interest, keep you informed about programme availability and contact you when a relevant slot opens. You receive a double opt-in confirmation e-mail; we only process your data after you have confirmed.
Legal basis: Article 6 (1)(a) GDPR (your consent).
Retention: Until you withdraw consent or after 24 months of inactivity, whichever is earlier.
- Newsletter: e-mail address. Used to send you our newsletter. You receive a double opt-in confirmation e-mail; we only send the newsletter after you have confirmed. Each newsletter contains a one-click unsubscribe link (RFC 8058 compliant).
Legal basis: Article 6 (1)(a) GDPR (your consent).
Retention: Until you unsubscribe.
- Contact / inquiry: name, e-mail address, chosen recipient and message content. Used to respond to your enquiry and to follow up where appropriate.
Legal basis: Article 6 (1)(b) GDPR (steps prior to a possible contract) and Article 6 (1)(f) GDPR (legitimate interest in handling enquiries).
Retention: 24 months after last contact, longer if a contractual or legal retention obligation arises.
Referral and campaign data. When you submit a form, we also record the marketing source that brought you to the Website: the campaign parameters (UTM) of the link you arrived on, the referring website, and the page you first landed on. This is stored with your contact record. It is first-party data captured as part of your submission, sets no additional cookies, and is not shared with third parties.
Legal basis: Article 6 (1)(f) GDPR (legitimate interest in understanding which channels our contacts come from).
All forms include a hidden honeypot field for bot protection. Submissions identified as automated are discarded without storing personal data.
3.4 Error tracking (Sentry)
We use Sentry (Sentry GmbH, EU hosting at de.sentry.io) to detect and diagnose errors. Sentry receives technical error information, limited request metadata and stack traces. Sensitive request data and any health-related data are scrubbed before transmission via configured PII redaction.
Legal basis: Article 6 (1)(f) GDPR (legitimate interest in operating a stable, secure service).
Retention: 90 days (Sentry default retention).
3.5 Cookie consent management (Klaro, self-hosted)
When you interact with our cookie banner, your decision is stored in a first-party cookie called klaro-consent. This is required to remember your choice and demonstrate compliance.
Legal basis: Article 6 (1)(c) GDPR (legal obligation to evidence consent decisions) and § 25 (2) TTDSG (strictly necessary storage to provide the service you expressly requested by using the consent banner).
Retention: 365 days.
3.6 Outbound link to WhatsApp
On our community page we link to a WhatsApp group. The link is a plain hyperlink with rel="noopener noreferrer"; we do not embed any Meta scripts, pixels or widgets on our Website. When you click the link you are redirected to WhatsApp, operated by Meta Platforms Ireland Ltd., and that company's privacy policy applies to the resulting interaction. Clicking is voluntary; we do not require WhatsApp to use any other part of our service.
4. Service providers and processors
We work with the following service providers. Where they process personal data on our behalf, they do so under a Data Processing Agreement (DPA) pursuant to Article 28 GDPR.
4.1 Hosting and infrastructure
- OVHcloud (OVH SAS, Roubaix, France) hosts our primary infrastructure including database, application servers and self-hosted tools. The environment used for health-relevant data is HDS-certified (Hébergeur de Données de Santé).
4.2 Communication and customer relationship
- Mailjet (Mailjet SAS, Paris, France; Sinch group) sends transactional and marketing e-mails on our behalf and stores delivery and open / click metadata where applicable.
- Attio (Attio Ltd., London, United Kingdom) is our CRM. It stores contact, lead and relationship data (name, e-mail, company, lead status, deal-related metadata). It does not receive any health data.
4.3 Operations and observability
- Sentry (Sentry GmbH, EU hosting at de.sentry.io) for error tracking. Health data scrubbing is configured.
- Plausible Analytics — self-hosted on OVHcloud, France; no third-party processor involved.
- n8n, Evolution API, ntfy, Keycloak, LiveKit, Ollama / Meditron, Grafana / Prometheus / Loki, Uptime Kuma are all self-hosted on our OVHcloud infrastructure. They are not third-party processors.
4.4 Application analytics (product only, not on this Website)
Our future product application uses PostHog (PostHog Inc., EU Cloud at eu.i.posthog.com) for product analytics, with autocapture and session recording disabled and a strict health-key filter. PostHog does not run on this Website. It is mentioned here for transparency about our broader stack.
4.5 Payments (planned)
Mollie (Mollie B.V., Amsterdam, Netherlands) is planned as our payment processor once the product launches. No payment processing takes place on this Website today.
4.6 Internal tooling
- Google Workspace (Google Ireland Ltd.) for internal team e-mail. Customer correspondence may pass through this system; no other customer data is stored there.
- GitHub (GitHub Inc., USA) for source code hosting. No personal data of website visitors is stored in repositories.
5. International data transfers
Most processing takes place inside the EU/EEA. Where personal data is transferred outside the EU/EEA, we rely on the following mechanisms under Chapter V GDPR:
| Recipient | Country | Transfer mechanism |
|---|---|---|
| Attio | United Kingdom | EU adequacy decision (renewed 18 December 2025, valid until 27 December 2031), Standard Contractual Clauses as fallback. |
| Meta Platforms Ireland Ltd. (only if you click the WhatsApp link) | Ireland / USA | Your active choice and Meta's Standard Contractual Clauses. |
| Google Workspace | Ireland / USA | Standard Contractual Clauses. |
| GitHub | USA | Standard Contractual Clauses. No personal data of Website visitors is stored. |
You can request a copy of the safeguards in place for any transfer by writing to privacy (at) atlascove (dot) health.
6. Cookies and similar technologies
For details on which cookies and storage technologies we use and how you can control them, please see our separate Cookie Policy.
7. Health data (special categories)
The Atlas Cove Website does not collect health data. Health data within the meaning of Article 9 GDPR is only processed by the future Atlas Cove product, which has not yet launched. When it does, the following principles will apply and will be detailed in a separate Consumer Health Data Privacy Policy:
- Health data is processed only on the basis of your explicit consent under Article 9 (2)(a) GDPR, captured in a separate, granular consent flow.
- Health data never leaves our own infrastructure at OVHcloud (France). It is not shared with our CRM, our e-mail provider, our website analytics or any other third-party tool.
- AI analysis of health data is performed locally on self-hosted models (Ollama / Meditron). No cloud AI provider receives your data.
- You can withdraw consent for health data processing at any time, with the effect that the corresponding data is deleted.
8. Health disclaimer
Editorial content on this Website (including community pages, programme descriptions, blog posts and member stories) is for general information only. It does not constitute medical, diagnostic or therapeutic advice and is not a substitute for consultation with a qualified healthcare professional. We do not offer or provide medical services through this Website. If you are dealing with a health condition or considering changes to your health, please seek individual advice from a qualified professional.
9. Your rights as a data subject
Under the GDPR you have the following rights regarding your personal data:
- Right of access (Article 15) — confirmation whether we process your data and a copy of that data.
- Right to rectification (Article 16) — correction of inaccurate or incomplete data.
- Right to erasure (Article 17) — deletion of your data, subject to lawful retention requirements.
- Right to restriction (Article 18) of processing under specific circumstances.
- Right to data portability (Article 20) for data you provided based on consent or contract.
- Right to object (Article 21) to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent (Article 7 (3)) at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint (Article 77) with a supervisory authority. The competent authority for us is the Comissão Nacional de Proteção de Dados (CNPD) in Lisbon, Portugal.
To exercise any of these rights, please contact us at privacy (at) atlascove (dot) health. We will respond within one month, which may be extended by two further months for complex requests.
10. Security measures
We implement technical and organisational measures (TOMs) under Article 32 GDPR to protect your data, including: TLS encryption in transit (Let's Encrypt managed via Traefik), secure authentication via Keycloak with SSO, role-based access control, server hardening through OVHcloud's ISO 27001 / HDS-certified facilities, structured logging with PII redaction (Pino), error monitoring with health-data scrubbing (Sentry) and regular backup procedures. Field-level encryption for special-category health data is scheduled for implementation before the product launches.
11. Retention periods
We keep personal data only as long as necessary for the purposes described in this policy or as required by law. The specific retention periods for each processing activity are listed in section 3 above.
12. Automated decision-making
We do not use automated decision-making, including profiling, that produces legal effects concerning you or significantly affects you in a similar way (Article 22 GDPR).
13. Minors
Our Website and future product are intended for adults only. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data, please contact us so we can delete it.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example when we add or remove tools, when our processing activities change, or when legal requirements change. The latest version is always available at this URL with the update date shown at the top.
15. Contact
For all questions about this Privacy Policy or our data handling, please contact us at privacy (at) atlascove (dot) health. Full operator details are available in the Imprint.