Privacy Policy

Introduction

Advisor Media Group LLC and its affiliate Advisor Media Group (Bangladesh) (collectively, "Atmos," "we," "us," or "our") operate the Atmos AI marketing platform available at atmosagi.com. We respect your privacy and are committed to handling your personal data transparently and responsibly.

This Privacy Policy explains what data we collect, why we collect it, who we share it with, and how you can control it. It covers all integrations Atmos supports, including Meta, Google, TikTok, Pinterest, Twitter/X, YouTube, Reddit, LinkedIn, Snapchat, Gmail, Mailchimp, Twilio, WhatsApp Business, Stripe, AWS, and Cloudflare.

This policy is written to comply with the General Data Protection Regulation (GDPR) for EU/EEA residents, the California Consumer Privacy Act (CCPA/CPRA) for California residents, and the data use requirements of all third-party platform APIs we use.

Information We Collect

1. Information You Provide Directly

• Account Information: Name, email address, password (hashed), company name, job title, and billing information when you create an account.
• Profile Information: Profile photo, preferences, team roles, and platform settings you configure.
• Brand Assets: Logos, brand colors, fonts, images, videos, ad copy, and other creative materials you upload to the platform.
• Campaign Data: Ad copy, targeting parameters, budgets, bid strategies, and campaign configurations you create or import.
• Communications: Support requests, feedback, and messages you send to us.

2. Data from Connected Third-Party Platforms

When you connect advertising or social accounts to Atmos, we receive data from those platforms via their official APIs using OAuth 2.0 authorization. We only request the minimum scopes necessary to provide each feature. A full list of platforms, the data we receive, and the scopes we request is in the Third-Party Platform Integrations section below.

3. Automatically Collected Information

• Device & Browser: Device type, operating system, browser type and version, screen resolution, and language settings.
• Usage Data: Pages visited, features used, actions taken, session duration, and in-app interaction patterns.
• Log Data: IP address, access timestamps, referring URLs, HTTP method and status codes, and error logs.
• Cookies & Tracking Technologies: Session cookies, persistent cookies, local storage, and analytics beacons (see the Cookies section below).

4. Advertising & Conversion Data

• Pixel Events: If you install the Meta Pixel, TikTok Pixel, Pinterest Tag, or similar tracking tags on your website via Atmos, those pixels collect standard browser events (page views, purchases, leads) from your website visitors and send them to the respective ad platforms. Atmos itself does not receive raw visitor PII from pixel events.
• Conversions API (CAPI) Events: If you use our Meta Conversions API (CAPI) proxy (capi.atmosagi.com), server-side conversion events (hashed email, hashed phone, purchase value, event type) are routed through our infrastructure to Meta. Hashed data is transmitted but not stored beyond the transmission session.
• Campaign Performance Metrics: Impressions, clicks, spend, conversions, ROAS, and other aggregated performance data synced from connected ad platforms.

Third-Party Platform Integrations

Below is a complete list of every external platform Atmos integrates with, what data is exchanged, the OAuth scopes we request, and links to each platform's own privacy policy. You can disconnect any platform at any time from your Atmos account settings, which revokes our access token.

How We Use Your Information

We process personal data for the following purposes, each with an identified legal basis under GDPR:

Service Delivery (Contract)

• Create and manage your Atmos account and team workspace
• Authenticate your identity and manage OAuth tokens for connected platforms
• Provide AI-powered ad creative generation and campaign optimization
• Sync campaigns, creatives, and performance data with connected advertising platforms
• Generate analytics dashboards, reports, and performance insights
• Process payments and manage subscriptions via Stripe
• Send essential service communications (account events, billing, security alerts)

Platform Improvement (Legitimate Interests)

• Analyze aggregate usage patterns (e.g., which features are used, error rates) to improve platform features and UX
• Detect and prevent fraud, abuse, and security threats
• Debug errors and diagnose performance issues

We do NOT use any data from connected third-party platform APIs (Google Ads, Google Analytics 4, Google Search Console, Google Tag Manager, Google Business Profile, YouTube, Meta, TikTok, Pinterest, Twitter/X, Reddit, LinkedIn, Snapchat, Mailchimp, Twilio, WhatsApp, etc.) to train, fine-tune, evaluate, or otherwise develop any machine-learning or artificial-intelligence model — ours or any third party's.See the "AI/ML Training Commitment" section below for full details.

Marketing Communications (Consent)

• Send newsletters, product updates, and promotional offers — only if you opt in
• You can unsubscribe at any time via the link in any email or from your account settings

Legal Compliance

• Comply with applicable laws, regulations, and court orders
• Maintain financial records as required by tax and accounting laws
• Respond to lawful requests from public authorities

AI / ML Training Commitment

Atmos is an AI-powered platform, and we are explicit about how we do — and do not — use your data in relation to AI and machine-learning models. This section explains our hard limits and is required by, and consistent with, the Google Ads API Terms of Service, the Google API Services User Data Policy (Limited Use), the Meta Platform Terms, the TikTok Marketing API Terms, and the developer policies of every other platform we integrate with.

1. We do NOT train AI/ML on third-party platform API data

We do not use any data we obtain from connected third-party platform APIs to train, fine-tune, validate, evaluate, benchmark, distill, embed for general-purpose retrieval, or otherwise develop any machine-learning or artificial-intelligence model — whether owned by Atmos or by any third party. This includes, without limitation, data from:

• Google: Google Ads API, Google Analytics 4 (GA4), Google Search Console, Google Tag Manager, Google Business Profile, YouTube Data API, YouTube Analytics API, Gmail API
• Meta: Marketing API, Conversions API (CAPI), Graph API for Facebook Pages and Instagram, WhatsApp Business Cloud API, Threads API
• TikTok: Marketing API, Business API, Pixel events
• Other ad platforms: Pinterest, Twitter/X, Reddit, LinkedIn, Snapchat (and any platform we add in the future)
• Other connected services: Mailchimp, Twilio, Stripe billing data, and any other third-party integration

This restriction applies to raw API responses, normalized data, derived signals, aggregated rollups, anonymized extracts, and synthetic data generated from any of the above. None of it is used to train AI/ML, in any form.

2. Third-party AI providers we call do NOT train on your data

When you use AI features inside Atmos (chat, creative generation, agentic workflows, etc.), we send the necessary inputs to third-party large-language-model providers — Anthropic (Claude), OpenAI, Google (Gemini API), and where applicable other commercial inference providers — strictly for real-time inference. We call these providers through their commercial API endpoints, whose terms of service expressly prohibit them from using customer inputs or outputs to train their generally available models. Specifically:

• Anthropic API: "Anthropic will not train its models on any Customer Content received from Customer or generated and returned to Customer through its use of the Services." (Commercial Terms)
• OpenAI API: Data submitted via the OpenAI API is not used to train OpenAI models. (Enterprise Privacy)
• Google Gemini API (paid tier): Inputs and outputs from paid-tier API calls are not used to improve Google's products or train models. (Gemini API Additional Terms)
• Self-hosted models: Where we run open-weights models on our own infrastructure (e.g., for cost or latency reasons), inference happens inside our infrastructure and is not exposed to any third party for training.

We do not enroll in any data-sharing program with these providers, do not opt-in to feedback-collection programs that grant training rights, and do not use consumer-facing endpoints (such as ChatGPT.com or Gemini.google.com) to process your data.

3. We do NOT sell, share, or transfer your data to AI vendors for training

We have not entered into any agreement — and will not enter into any agreement — that allows any third party to use your data, your platform API data, your campaign content, your brand assets, your creative materials, your audience information, or your performance metrics as training material for AI or ML systems. We do not sell data. We do not license data for training. We do not participate in "data co-ops" for AI training.

4. We do NOT pool customer data across accounts

Data belonging to one customer is never combined with data from another customer for the purpose of training, evaluation, or any other AI/ML purpose. Each customer's data is logically isolated by workspace and protected by access controls. The AI features available to you operate on inputs you (or your team) explicitly provide in the moment of use.

5. Narrow, fully-disclosed exception — per-customer first-party intent scoring

For customers who deploy the Atmos website analytics / visitor-intent feature on their ownwebsite, we may train a small, classical machine-learning model (e.g., gradient-boosted decision trees) exclusively on that customer's own first-party website-visitor session data — for example, pages viewed, time on site, scroll depth, and whether a visit converted. The resulting model:

• Is trained only on that customer's own first-party data, never on third-party platform API data
• Is private to that customer — stored separately per workspace, never shared with other customers, and never pooled into any cross-customer or generally-available model
• Is used only for that customer's benefit — to score visitor purchase-intent on that same customer's website
• Is deleted when the customer deletes their account or disables the feature
• Is not based on, and does not use, any data we obtain from Google Ads, Meta, TikTok, or any other platform API

You can disable this feature at any time from your workspace settings, and you can request deletion of any model trained on your data by emailing privacy@atmosagi.com.

6. What this means in plain English

Your Google Ads account data, your Meta campaign data, your TikTok performance numbers, your audience lists, your conversion events, your ad creatives, your brand assets, and every other piece of data we touch on your behalf are used for one purpose only: to run the features you asked us to run, for you, in the moment you asked for them. They are not training data. They will not become training data. They will not be silently repurposed.

Data Sharing and Disclosure

We share your data only in the circumstances described below. We do not sell your personal information to third parties.

• Sub-processors: We share data with the infrastructure providers listed above (Hetzner, AWS, Cloudflare, Stripe, Twilio) who process data on our behalf under written Data Processing Agreements.
• Connected Advertising Platforms: When you use Atmos to manage campaigns, your campaign data and creative assets are sent to the connected platforms (Meta, Google, TikTok, etc.) as directed by you.
• Business Transfers: In the event of a merger, acquisition, or sale of all or substantially all assets, your data may be transferred. We will notify you via email and/or prominent notice and give you an opportunity to opt out where required by law.
• Legal Requirements: We may disclose data when required by applicable law, court order, or government request, or when necessary to protect the rights and safety of Atmos, its users, or the public.
• With Your Consent: We will share data with other third parties only when you have given us explicit consent to do so.

Cookies and Tracking Technologies

Atmos uses the following types of cookies and similar technologies:

• Strictly Necessary Cookies: Session management, CSRF tokens, and authentication state. These are required for the platform to function and cannot be disabled.
• Preference Cookies: Storing your UI preferences (theme, language, dashboard layout) to persist between sessions.
• Analytics Cookies: We use internal analytics to understand aggregate usage patterns. We do not use Google Analytics on the Atmos dashboard for logged-in users.
• Security Cookies: Rate limiting, bot detection, and fraud prevention (Cloudflare).

We do not place third-party advertising cookies (e.g., Meta Pixel, Google Ads remarketing tags) on the Atmos platform itself without your knowledge. If we add such tracking in the future, we will update this policy and obtain consent where required.

You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent the platform from working correctly.

Data Security

We implement industry-standard technical and organizational measures to protect your data:

• Encryption in Transit: All data transmitted between your browser and Atmos is encrypted using TLS 1.2 or higher. HTTPS is enforced via Cloudflare with HSTS preloading.
• Encryption at Rest: Database contents and file storage (S3) are encrypted at rest using AES-256.
• OAuth Token Security: Third-party platform tokens are encrypted using AES-256-GCM before storage. Tokens are never exposed in logs or client-side JavaScript.
• Access Controls: Role-based access control limits which team members can view or modify campaigns and connected accounts. Production database access is restricted to application services.
• Payment Security: Card data is handled exclusively by Stripe (PCI-DSS Level 1). Atmos never stores raw card numbers.
• Security Monitoring: Infrastructure-level monitoring for unauthorized access attempts, anomalous API usage, and DDoS attacks via Cloudflare and server-level alerting.

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to privacy@atmosagi.com.

Data Retention

We retain personal data for only as long as necessary to provide the Services and fulfill the purposes outlined in this policy:

• Account Data (name, email, settings): Retained while your account is active. After account deletion, retained for 30 days as a grace period for recovery, then permanently deleted.
• Campaign & Creative Data: Retained for 3 years from creation to support historical reporting and analytics. You can request earlier deletion.
• Third-Party Platform Tokens: Deleted immediately when you disconnect a platform integration. Refreshed automatically during active use.
• CAPI Event Data: Hashed conversion event data is transmitted to Meta in real-time and not stored beyond the immediate transmission session.
• Server Log Data: Retained for 90 days for security monitoring and debugging, then automatically purged.
• Billing Records: Retained for 7 years as required by financial regulations.
• Support Communications: Retained for 2 years from the date of last contact.

Your Rights and Choices

Rights for All Users

• Disconnect Platforms: Revoke Atmos's access to any connected advertising platform at any time from your account settings. This immediately deletes our stored access token.
• Update Profile: Edit your name, email, and preferences at any time from your account settings.
• Delete Account: Close your account and request deletion of your data by contacting us.
• Marketing Opt-Out: Unsubscribe from promotional emails at any time using the link in any email.

GDPR Rights (EU / EEA Residents)

If you are located in the European Union or EEA, you have the following additional rights under the GDPR:

• Right of Access (Art. 15): Request a copy of all personal data we hold about you.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your personal data, subject to legal retention requirements.
• Right to Restriction of Processing (Art. 18): Request that we limit how we process your data in certain circumstances.
• Right to Data Portability (Art. 20): Receive a machine-readable copy of the personal data you provided to us.
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent (Art. 7): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: File a complaint with your local EU data protection authority (supervisory authority).

CCPA / CPRA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, business purposes, and third parties with whom we share it.
• Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. If this changes, we will provide a prominent "Do Not Sell or Share My Personal Information" link.
• Right to Limit Use of Sensitive Personal Information: You may limit the use of sensitive personal information (e.g., financial data) to purposes necessary to perform the Services.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise any of these rights, please email privacy@atmosagi.com with the subject line "Privacy Rights Request" and a description of your request. We will respond within 30 days (GDPR) or 45 days (CCPA) of verifying your identity.

International Data Transfers

Atmos is operated by Advisor Media Group LLC (US) with servers hosted on Hetzner Cloud in the United States. If you are accessing the Services from the EU, EEA, or other regions with data protection laws, your data will be transferred to and processed in the United States.

We ensure appropriate safeguards for international transfers:

• Standard Contractual Clauses (SCCs) approved by the European Commission with all EU-facing sub-processors
• Data Processing Agreements (DPAs) with all major sub-processors (Hetzner, AWS, Stripe, Twilio)
• EU-US Data Privacy Framework compliance where applicable

Children's Privacy

Atmos is a business-to-business platform intended solely for users aged 18 and above. We do not knowingly collect personal data from children under 18. If we learn that we have inadvertently collected data from a child under 18, we will delete it immediately. If you believe we have collected data from a minor, contact us at privacy@atmosagi.com.

Changes to This Policy

We may update this Privacy Policy when we add new platform integrations, change how we process data, or when required by law. For material changes, we will notify you by email at least 7 days before the change takes effect, and we will update the "Last updated" date at the top of this page. Continued use of the Services after the effective date constitutes acceptance of the revised policy.

Contact Us

For privacy questions, data rights requests, or to report a security concern, please contact our privacy team:

For EU residents, you may also lodge a complaint with your local data protection supervisory authority. A list of EU DPAs is available at edpb.europa.eu.