Privacy Policy

Last updated: 10 May 2026

This policy describes how Atlas Investor handles your personal data, in line with the EU General Data Protection Regulation (Regulation (EU) 2016/679 — "GDPR"). If you have any question, write to us — see "Contact" at the end.

1. Who we are

Atlas Investor (the "Service") is operated by Atlas by Cortese, the data controller for the personal data processed through this website and its dashboard. We are based in Portugal and the Service is provided to a worldwide audience, with a primary focus on the Portuguese real-estate market.

2. What we collect, and why

We collect the minimum data needed to operate the Service, secure your account and improve the product. We do not sell personal data and never will.

Category	Data	Legal basis	Retention
Account	Email, optional display name, language preference, plan	Contract performance (Art. 6(1)(b) GDPR)	Until account deletion, or 24 months of inactivity
Authentication	Magic-link tokens (hashed), session cookies, login events (timestamp, IP, user-agent)	Contract performance + legitimate interest (Art. 6(1)(b)(f))	Tokens: 15 minutes. Sessions: up to 30 days. Login events: 12 months rolling
Usage	Listings analyzed (URLs, results), endpoint calls, IP, user-agent	Contract performance + legitimate interest (fraud, rate limiting)	24 months rolling
Billing	Stripe customer ID. Payment data (card, billing address) is processed by Stripe — we never see it.	Contract performance + legal obligation	10 years (Portuguese fiscal-archive obligation)

3. Cookies

We use only strictly-necessary cookies. No analytics, advertising or tracking cookies of any kind.

atlas_session — your authenticated session. HttpOnly, SameSite=Lax, max-age 30 days.
atlas_oauth_state — short-lived (10 min) cookie used to protect against CSRF during Google sign-in.
atlas_admin_session — internal operator console only; not set on customer-facing pages.

4. Sub-processors

To deliver the Service we share strictly necessary data with the following providers, all of whom are GDPR-compliant and bound by data-processing agreements:

Anthropic (USA) — photos and listing URLs you choose to analyse are sent to Anthropic's Claude vision API for the AI condition assessment. No retention by Anthropic beyond the API call.
Resend (USA / EU) — sends magic-link sign-in emails. Receives only the recipient email and the email body.
Google (USA / EU) — only if you choose "Continue with Google" sign-in. Atlas receives your Google email, name and locale; nothing else.
Stripe (USA / EU) — handles all payment data on paid plans. Atlas only stores the Stripe customer ID.
Render (USA) — application hosting and database. All Atlas data resides on encrypted Render infrastructure.
Cloudflare (USA / EU) — CDN and DDoS protection in front of the application. Sees request IPs and metadata, no payload.

International transfers (USA) are covered by Standard Contractual Clauses (Art. 46(2)(c) GDPR) and the EU-US Data Privacy Framework, where the provider is certified.

5. Your rights

Under GDPR you have the following rights regarding your personal data:

Access (Art. 15) — get a copy of the data we hold about you.
Rectification (Art. 16) — correct inaccurate data.
Erasure (Art. 17, "right to be forgotten") — delete your account and associated data.
Portability (Art. 20) — receive your data in a machine-readable format.
Object (Art. 21) — to processing based on legitimate interest.
Withdraw consent at any time, where consent was the legal basis.
Lodge a complaint with the Portuguese data protection authority — Comissão Nacional de Proteção de Dados (CNPD), cnpd.pt.

To exercise any of these rights, write to privacy@atlasinvestor.io. We respond within 30 days.

6. Security

All traffic is encrypted in transit (TLS 1.3). Authentication cookies are HttpOnly and Secure. Magic-link tokens are stored as SHA-256 hashes only. Admin passwords use bcrypt with a cost factor of 12. Database backups are encrypted at rest. We follow least-privilege access and audit operator actions.

7. Children

The Service is intended for adults (18+). We do not knowingly collect data from minors. If you believe a child has created an account, write to privacy@atlasinvestor.io and we will delete it immediately.

8. Changes to this policy

If we change this policy in a way that materially affects your rights, we will notify you by email at least 30 days before the change takes effect. Non-material changes (typo fixes, clarifications) take effect immediately and are reflected in the "Last updated" date above.

9. Contact

Privacy questions, data requests or complaints: privacy@atlasinvestor.io. General support: support@atlasinvestor.io.