Privacy Policy

Questions about this policy, your data, or your rights? Reach our privacy team at privacy@atma.so or by mail at Atma Technologies, Inc., 225 Northern Ave, Boston, MA 02210, USA. We aim to respond within a reasonable time.

Under data protection law, the organization that has signed up for Atma (the "Customer") is usually the controller of the data in its Workspace (messages, files, and similar content). Atma acts as a processor for that data and as the controller of the other information we collect (e.g. account and usage data).

Atma Technologies, Inc.—or the Atma entity that has a contract with the Customer—is the controller for the Services we provide in the United States. Our principal place of business is 225 Northern Ave, Boston, MA 02210, USA.

This policy covers how Atma ("we," "us," or "our") collects, uses, and discloses information that identifies or can identify you ("Personal Data") and what choices you have. It applies to our workplace chat and productivity products, our sites (e.g. atma.so), our apps, and other touchpoints (support, events, etc.). If you don’t agree, please don’t use our Services or sites. This is our only privacy policy for Atma.

We don’t control third-party apps or services that plug into our platform; they have their own policies. Your use of our Services and how we handle content you send (e.g. messages, files—"Customer Data") is also governed by our Terms or Customer Agreement. The Customer controls its Workspace and the Customer Data in it. For Workspace-level settings or privacy questions, contact that Customer (e.g. your employer); you can find owner or admin details in your account or from your admin.

California: We collect the categories of information described under "What we collect" for the purposes described under "How we use it." For California-specific rights, see "California residents" below.

We get information from running our Services and sites and from how you interact with us. That includes (1) Customer Data and (2) other information we collect or generate ("Other Information").

Customer Data: The Customer and people it invites to a Workspace ("Authorized Users") send us messages, files, and other content when they use the Services.

Other Information includes: (a) Account and Workspace details—email, phone, password, domain, billing details for paid plans, etc. (b) Usage—how you use the product (Workspaces, channels, features, content, links, integrations), log data (IP, referrer, browser, time), and device info (type, OS, identifiers, crash data) where your settings allow. (c) Approximate location—e.g. from IP or business address—for localization or security. (d) Cookies and similar tech on our sites and Services; see our Cookie Policy or contact us for choices. (e) Data from third-party services you or the Customer connect (e.g. calendar, storage); we don’t receive or store their passwords. (f) Contact or calendar info you choose to import or link, with consent. (g) Anything you send us—support, surveys, feedback, job applications, etc.

You’re generally not required by law to give us this information, but we need some of it (e.g. account details) to provide the Services.

Customer Data: We process it according to the Customer’s instructions, our contract with the Customer, how the Customer uses the Services, and the law. The Customer is the controller; we’re the processor.

Other Information: We use it to run and improve our Services, sites, and business. Our bases for processing: (1) Contract—to perform our agreement with you or the Customer (e.g. provide the Services and support). (2) Legitimate interests—where our interests aren’t overridden by yours: running and securing the Services, building features, analyzing use, preventing fraud and abuse, replying to you, sending service and admin messages (no opt-out), and marketing where allowed (you can opt out). (3) Legal obligation—when the law requires it. (4) Consent—where the law requires consent (e.g. certain cookies or marketing); you can withdraw where applicable.

We may share or disclose information as follows. How Customers or third parties use information is up to them; we don’t control that.

At the Customer’s direction and under our agreement and the law; so that your content is visible to other Authorized Users in your or connected Workspaces, per the Customer’s settings; so that Workspace owners, admins, or other Customer reps can access, change, or export Workspace data per their plan. We use service providers and partners (hosting, analytics, payments, verification, etc.) and require them to protect data and use it only as we specify. If you or the Customer turns on third-party integrations, we may share data with those providers as the integration and their policies allow—check their notices. We may share with professional advisers (e.g. lawyers, accountants) when needed; in connection with a merger, acquisition, or similar deal, subject to confidentiality; and we may use or disclose aggregated or de-identified data. We disclose when we reasonably believe the law or legal process requires it, or to protect rights, property, or safety (including to prevent fraud or harm). We may also share when we have consent or as otherwise set out in this policy.

Customer Data: We keep it as long as the Customer’s instructions, our agreement, and the law require. Customers can often set retention in their Workspace; deleting Customer Data may lead to deletion or de-identification of related Other Information—check with your Customer.

Other Information: We keep it as long as needed to provide the Services, support your account, comply with the law, resolve disputes, and enforce our agreements. Some of it may remain after you deactivate your account for those reasons.

We use administrative, technical, and physical measures to protect your information from loss, misuse, and unauthorized access, disclosure, or change, given the sensitivity of the data and current technology. We may adopt or maintain security certifications or practices from time to time. No internet or electronic storage method is fully secure; we can’t guarantee absolute security. Third-party sites or services we link to have their own security; we don’t control them.

Our Services and sites aren’t meant for anyone under 16. We don’t knowingly collect Personal Data from under-16s. If you learn we’ve collected such data, please contact us and we’ll take steps to delete it.

We may change this policy from time to time—for example when the law changes, or our practices or Services do. We’ll post the new version here and update the effective date. If a change materially affects your privacy rights, we’ll give you extra notice (e.g. by email or in the product). Using the Services after changes means you accept the updated policy. If you don’t agree, stop using the Services and contact your Customer about your account.

We’re based in the United States. If you’re outside the US, your information may be transferred to, stored, or processed in the US or elsewhere where we or our providers operate. By using the Services you consent to that. We take steps so transfers meet applicable law; where needed we use standard contractual clauses or other approved tools. Questions? Contact us.

Depending on where you live, you may have rights over your Personal Data—for example to access, correct, delete, or port it, or to object to or restrict certain processing. Many of these you can use in your account or our tools. If not, contact the Customer that runs your Workspace. For data we control (Other Information), contact us as in "Get in touch." We’ll respond within a reasonable time and as the law requires. You may also be able to complain to a data protection authority where you live.

If you’re a California resident, the CCPA (as amended by the CPRA) may give you extra rights.

We collect the categories of personal information described in "What we collect" for the business and commercial purposes in "How we use it"—including identifiers and contact info; commercial info; internet or network activity; financial info; geolocation; professional or employment-related info; audio, visual, or similar info; and inferences. We don’t "sell" personal information as the CCPA defines it. We may "share" it for cross-context behavioral advertising where that applies; you can opt out through us or by contacting us.

Subject to limits in the law, you may have the right to know what we collect, use, and disclose; to delete or correct it; to limit use of sensitive personal information; to opt out of "sale" or "sharing"; and to not be discriminated against for using these rights. To exercise them, contact us at the email or address in "Get in touch." We’ll verify you using your account info; we may ask for government ID. You can use an authorized agent; we may ask for proof of authorization. For more on California privacy rights, see the California Attorney General’s site or contact us.