Atlas Cove

Privacy Policy

Last updated: 29 June 2026

At a glance

  • We host all primary infrastructure on Hetzner Online GmbH in Germany (ISO 27001 certified data centres in Falkenstein and Nuremberg).
  • We use a small number of EU-based processors (Mailjet, Sentry, PostHog) and one UK processor under an EU adequacy decision (Attio).
  • Health data never leaves our own infrastructure. It is never shared with our CRM, email tool or analytics tools.
  • On this marketing Website only, and only after you opt in via our consent banner, we use Google Analytics 4, Google Ads and the Meta Pixel / Conversions API to measure usage and advertising. No tracking tags load without your consent.
  • You have full data subject rights under GDPR, including access, deletion, portability and the right to lodge a complaint with the CNPD in Portugal.

1. Who is responsible for your data?

The controller within the meaning of Article 4 No. 7 GDPR is:

Atlas Cove, Lda.

NIPC / NIF (tax and registration number): 519459130

VAT identification number: PT519459130

Registered address: R. Hermano Neves 18, Piso 3, Escritório 7, V6077, 1600-477 Lisboa, Portugal

E-mail (privacy): privacy (at) atlascove (dot) health
E-mail (general): info (at) atlascove (dot) health

Atlas Cove, Lda. is a Portuguese private limited company (sociedade por quotas) operating the Atlas Cove brand. Managing directors (gerentes): Lisa Wuerden, Tom Wuerden.

Atlas Cove, Lda. is incorporated and registered in Portugal. We have not appointed a Data Protection Officer (DPO): under Article 37 GDPR a DPO is not mandatory at our current scale of processing, as our core activity does not consist of large-scale processing of special categories of data or large-scale, regular and systematic monitoring. We keep this assessment under review and will reassess it before launching the consumer health product, which will involve health data at scale.

2. Scope of this Privacy Policy

This Privacy Policy applies to the website atlascove.healthand its sub-pages (the “Website”). The Atlas Cove product (mobile and web application, residency programmes, coaching) is not yet available to the public. A separate Consumer Health Data Privacy Policy and product Terms of Service will apply to that product when it launches and will be linked from this page at that time.

3. What personal data we process and why

We process personal data only where we have a clear purpose and a valid legal basis under Article 6 (or, for special categories, Article 9) GDPR. The following sections describe each processing activity individually.

3.1 Server access logs

When you visit our Website, our servers automatically log the following technical data: shortened IP address, date and time of the request, the URL requested, HTTP status, referrer URL, user agent string. We use this data to operate, secure and troubleshoot our infrastructure.
Legal basis: Article 6 (1)(f) GDPR (legitimate interest in a secure, functioning service).
Retention: 30 days. IP addresses are redacted in our application logs by our logger (Pino).

3.2 Marketing-website analytics & advertising (consent-based)

On this marketing Website only, and only after you opt in via our consent banner, we use a small set of analytics and advertising tools to understand how the Website is used and to measure which of our advertisements lead to bookings:

  • Google Analytics 4(Google Ireland Ltd. / Google LLC) — to understand aggregate Website usage and support advertising measurement. Processes usage and device data, pseudonymous identifiers and your IP address.
  • Google Ads(Google Ireland Ltd. / Google LLC) — to measure which of our advertisements lead to bookings (conversion measurement) and to support remarketing. This includes enhanced and offline conversions, for which we transmit hashed (irreversibly transformed) identifiers such as your email address or phone number; we do not share these in plain text.
  • Meta Pixel and Conversions API(Meta Platforms Ireland Ltd.) — to measure the performance of our advertising on Facebook and Instagram (ad performance and conversion measurement). This likewise uses hashed identifiers (such as email or phone) for conversion matching.
  • Google Tag Manager (Google Ireland Ltd. / Google LLC), which we run self-hosted (web and server-side) on our Hetzner infrastructure, as the container that loads the consented tools above and acts as a final filtering point for sensitive parameters.

Marketing-website only — no health data. These advertising and analytics tools run exclusively on the marketing Website ( atlascove.health). They are never loaded in the Atlas Cove product / application, and no health data and no special-category data (Article 9 GDPR) is ever sent to Google or Meta. The retreat booking health questionnaire (PAR-Q) and the capacity-analysis pages are excluded from all marketing tags. All health and medical data stays on our own EU / self-hosted backend at Hetzner (Germany) and never reaches a US analytics or advertising provider.
Legal basis: Article 6 (1)(a) GDPR (your consent) and Article 5 (3) of the ePrivacy Directive 2002/58/EC, as transposed in Portugal by Lei n.º 41/2004 (consent for the storage of and access to information on your device). We operate Google Consent Mode v2, so these tags only fire after consent. You can withdraw consent at any time via Cookie Settings. You can also use the providers' own opt-outs, including Google's Analytics opt-out and the advertising controls in your Google Ad settings and Meta ad preferences.
Transfers: Where personal data is transferred to the United States, we rely on the EU–US Data Privacy Framework (Google LLC and Meta Platforms, Inc. are certified) and Standard Contractual Clauses as a fallback.
Roles of the parties. For Google Analytics 4, Google acts as our processor under a data processing amendment (Article 28 GDPR). For Google Ads conversion data, Google and Atlas Cove act as independent controllersunder Google's controller-to-controller data protection terms.
Joint controllership with Meta. For the data collected through the Meta Pixel and transmitted via the Conversions API, Meta Platforms Ireland Ltd. and Atlas Cove act as joint controllerswithin the meaning of Article 26 GDPR in respect of the collection and transmission of that event data. The essence of our joint arrangement follows Meta's Controller Addendum. Any further processing of that data by Meta for its own purposes takes place under Meta's sole responsibility. You may exercise your data subject rights against either party.
Retention: Google Analytics 4 user- and event-level data is configured for a 14-month retention period; advertising and conversion data is retained by Google and Meta in line with their own published retention policies. The campaign-attribution fields we store with your contact record (see section 3.3) follow the retention periods set out there.

3.3 Waitlist, newsletter and contact forms

When you fill in one of our forms, we process the data you provide for the specific purpose described on each form:

  • Waitlist: first name, last name, e-mail address, city, country, planned stay length. Used to register your interest, keep you informed about programme availability and contact you when a relevant slot opens. You receive a double opt-in confirmation e-mail; we only process your data after you have confirmed.
    Legal basis: Article 6 (1)(a) GDPR (your consent).
    Retention: Until you withdraw consent or after 24 months of inactivity, whichever is earlier.
  • Newsletter: e-mail address. Used to send you our newsletter. You receive a double opt-in confirmation e-mail; we only send the newsletter after you have confirmed. Each newsletter contains a one-click unsubscribe link (RFC 8058 compliant).
    Legal basis: Article 6 (1)(a) GDPR (your consent).
    Retention: Until you unsubscribe.
  • Contact / inquiry: name, e-mail address, chosen recipient and message content. Used to respond to your enquiry and to follow up where appropriate.
    Legal basis: Article 6 (1)(b) GDPR (steps prior to a possible contract) and Article 6 (1)(f) GDPR (legitimate interest in handling enquiries).
    Retention: 24 months after last contact, longer if a contractual or legal retention obligation arises.

Referral and campaign data. When you submit a form, we also record the marketing source that brought you to the Website: the campaign parameters (UTM) of the link you arrived on, the referring website, and the page you first landed on. This is stored with your contact record. It is first-party data captured as part of your submission, sets no additional cookies, and is not shared with third parties.
Legal basis: Article 6 (1)(f) GDPR (legitimate interest in understanding which channels our contacts come from).

All forms include a hidden honeypot field for bot protection. Submissions identified as automated are discarded without storing personal data.

3.4 Error tracking (Sentry)

We use Sentry (Sentry GmbH, EU hosting at de.sentry.io) to detect and diagnose errors. Sentry receives technical error information, limited request metadata and stack traces. Sensitive request data and any health-related data are scrubbed before transmission via configured PII redaction.
Legal basis: Article 6 (1)(f) GDPR (legitimate interest in operating a stable, secure service).
Retention: 90 days (Sentry default retention).

3.5 Cookie consent management (Klaro, self-hosted)

When you interact with our cookie banner, your decision is stored in a first-party cookie called klaro-consent. This is required to remember your choice and demonstrate compliance.
Legal basis: Article 6 (1)(c) GDPR (legal obligation to evidence consent decisions) and Article 5 (3) of the ePrivacy Directive 2002/58/EC, as transposed in Portugal by Lei n.º 41/2004 (storage strictly necessary to provide the consent service you expressly requested by using the banner).
Retention: 365 days.

3.6 Outbound link to WhatsApp

On our community page we link to a WhatsApp group. The link is a plain hyperlink with rel="noopener noreferrer"; we do notembed any Meta scripts, pixels or widgets on our Website. When you click the link you are redirected to WhatsApp, operated by Meta Platforms Ireland Ltd., and that company's privacy policy applies to the resulting interaction. Clicking is voluntary; we do not require WhatsApp to use any other part of our service.

4. Service providers and processors

We work with the following service providers. Where they process personal data on our behalf, they do so under a Data Processing Agreement (DPA) pursuant to Article 28 GDPR.

4.1 Hosting and infrastructure

  • Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) hosts our primary infrastructure including database, application servers and self-hosted tools, in ISO 27001 certified data centres in Falkenstein and Nuremberg, Germany.

4.2 Communication and customer relationship

  • Mailjet (Mailjet SAS, Paris, France; Sinch group) sends transactional and marketing e-mails on our behalf and stores delivery and open / click metadata where applicable.
  • Attio (Attio Ltd., London, United Kingdom) is our CRM. It stores contact, lead and relationship data (name, e-mail, company, lead status, deal-related metadata). It does not receive any health data.

4.3 Operations and observability

  • Sentry (Sentry GmbH, EU hosting at de.sentry.io) for error tracking. Health data scrubbing is configured.
  • Google (Analytics 4, Ads, Tag Manager) (Google Ireland Ltd., Dublin / Google LLC, USA) — consent-based analytics and advertising on this marketing Website only. Google Tag Manager is run self-hosted on our Hetzner infrastructure. These tools never run in the product and never receive health data. See section 3.2.
  • Meta (Pixel and Conversions API)(Meta Platforms Ireland Ltd.) — consent-based advertising conversion measurement on this marketing Website only; for the pixel/CAPI event data we and Meta act as joint controllers (Article 26 GDPR, see section 3.2). Never runs in the product and never receives health data.
  • n8n, Evolution API, ntfy, Keycloak, LiveKit, Ollama / Meditron, Grafana / Prometheus / Loki, Uptime Kuma are all self-hosted on our Hetzner infrastructure. They are not third-party processors.

4.4 Application analytics (product only, not on this Website)

Our future product application uses PostHog (PostHog Inc., EU Cloud at eu.i.posthog.com) for product analytics, with autocapture and session recording disabled and a strict health-key filter. PostHog does not run on this Website. It is mentioned here for transparency about our broader stack.

4.5 Payments (planned)

Mollie (Mollie B.V., Amsterdam, Netherlands) is planned as our payment processor once the product launches. No payment processing takes place on this Website today.

4.6 Internal tooling

  • Google Workspace (Google Ireland Ltd.) for internal team e-mail. Customer correspondence may pass through this system; no other customer data is stored there.
  • GitHub (GitHub Inc., USA) for source code hosting. No personal data of website visitors is stored in repositories.

5. International data transfers

Most processing takes place inside the EU/EEA. Where personal data is transferred outside the EU/EEA, we rely on the following mechanisms under Chapter V GDPR:

RecipientCountryTransfer mechanism
AttioUnited KingdomEU adequacy decision (renewed 18 December 2025, valid until 27 December 2031), Standard Contractual Clauses as fallback.
Meta Platforms Ireland Ltd. (only if you click the WhatsApp link)Ireland / USAYour active choice and Meta's Standard Contractual Clauses.
Google WorkspaceIreland / USAStandard Contractual Clauses.
Google Analytics 4 / Google Ads / Google Tag Manager (only if you consent, marketing Website only)Ireland / USAEU–US Data Privacy Framework (Google LLC certified) and Standard Contractual Clauses as fallback.
Meta Pixel / Conversions API (only if you consent, marketing Website only)Ireland / USAEU–US Data Privacy Framework (Meta Platforms, Inc. certified) and Standard Contractual Clauses as fallback.
GitHubUSAStandard Contractual Clauses. No personal data of Website visitors is stored.

You can request a copy of the safeguards in place for any transfer by writing to privacy (at) atlascove (dot) health.

6. Cookies and similar technologies

For details on which cookies and storage technologies we use and how you can control them, please see our separate Cookie Policy.

7. Health data (special categories)

The Website collects health-related data (a special category under Article 9 GDPR) in two limited places only: the retreat booking readiness screen (PAR-Q) and the capacity-analysis form used at our community events. Both are processed solely on the basis of your explicit consent under Article 9 (2)(a) GDPR, are kept on our own EU / self-hosted infrastructure, and are never shared with our CRM, e-mail tool, analytics or advertising providers. Full details are set out in our separate Consumer Health Data Privacy Notice. Beyond these two touchpoints, the Website does not collect health data. The future Atlas Cove product will process health data more extensively; when it launches, the following principles will apply and will be detailed in its own privacy notice:

  • Health data is processed only on the basis of your explicit consent under Article 9 (2)(a) GDPR, captured in a separate, granular consent flow.
  • Health data never leaves our own infrastructure at Hetzner (Germany). It is not shared with our CRM, our e-mail provider, our website analytics or any other third-party tool.
  • AI analysis of health data is performed locally on self-hosted models (Ollama / Meditron). No cloud AI provider receives your data.
  • You can withdraw consent for health data processing at any time, with the effect that the corresponding data is deleted.

8. Health disclaimer

Editorial content on this Website (including community pages, programme descriptions, blog posts and member stories) is for general information only. It does not constitute medical, diagnostic or therapeutic advice and is not a substitute for consultation with a qualified healthcare professional. We do not offer or provide medical services through this Website. If you are dealing with a health condition or considering changes to your health, please seek individual advice from a qualified professional.

9. Your rights as a data subject

Under the GDPR you have the following rights regarding your personal data:

  • Right of access(Article 15) — confirmation whether we process your data and a copy of that data.
  • Right to rectification(Article 16) — correction of inaccurate or incomplete data.
  • Right to erasure(Article 17) — deletion of your data, subject to lawful retention requirements.
  • Right to restriction (Article 18) of processing under specific circumstances.
  • Right to data portability (Article 20) for data you provided based on consent or contract.
  • Right to object (Article 21) to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent (Article 7 (3)) at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to lodge a complaint (Article 77) with a supervisory authority. The competent authority for us is the Comissão Nacional de Proteção de Dados (CNPD) in Lisbon, Portugal.

To exercise any of these rights, please contact us at privacy (at) atlascove (dot) health. We will respond within one month, which may be extended by two further months for complex requests.

10. Security measures

We implement technical and organisational measures (TOMs) under Article 32 GDPR to protect your data, including: TLS encryption in transit (Let's Encrypt managed via Traefik), secure authentication via Keycloak with SSO, role- based access control, server hardening within Hetzner's ISO 27001 certified data centres (Falkenstein, Nuremberg), structured logging with PII redaction (Pino), error monitoring with health-data scrubbing (Sentry) and regular backup procedures. Field-level encryption for special-category health data is scheduled for implementation before the product launches.

11. Retention periods

We keep personal data only as long as necessary for the purposes described in this policy or as required by law. The specific retention periods for each processing activity are listed in section 3 above.

12. Automated decision-making

We do not use automated decision-making, including profiling, that produces legal effects concerning you or significantly affects you in a similar way (Article 22 GDPR).

13. Minors

Our Website and future product are intended for adults only. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data, please contact us so we can delete it.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example when we add or remove tools, when our processing activities change, or when legal requirements change. The latest version is always available at this URL with the update date shown at the top.

15. Contact

For all questions about this Privacy Policy or our data handling, please contact us at privacy (at) atlascove (dot) health. Full operator details are available in the Imprint.