1. Controller, contact, and data protection officer
Controller: Cortexis Group, LLC, a Florida limited liability company, operating as AtlasRisks ("AtlasRisks," "we," "us"). Mailing address available on request via the contact email below.
Privacy contact / Data Protection Officer queries: privacy@atlasrisks.com. We respond within 30 days.
EU/UK representative: not currently appointed. EU/UK customers requiring a designated representative under Article 27 GDPR can request our standard Data Processing Addendum (DPA) at legal@atlasrisks.com.
2. What we collect
- Account information. Email address; optionally, name and company. Provided when you sign up for a free account or paid tier.
- Authentication data. Password (stored as a scrypt hash with per-user random salt; never in plaintext). Session tokens (HMAC-signed; HttpOnly cookies). API keys (stored as SHA-256 hashes; only the last 4 characters and issue date are visible to admins).
- Payment information. Handled exclusively by Stripe. We never see or store your full card number; we receive only a Stripe customer ID, the last 4 digits, and the card brand for display purposes.
- Usage data. Standard server logs (IP address, user-agent, timestamps) retained 30 days for security and abuse prevention.
- Watchlist and preferences. Country ISO codes you've added to your watchlist, alert opt-out preference.
- Audit log entries. Records of administrative actions affecting your account (account creation, password changes, subscription state changes), used for security auditing. Retained 90 days per the audit retention policy.
3. Lawful basis for processing (GDPR Article 6)
Where the GDPR applies, our lawful bases for processing your personal data are:
- Performance of a contract (Article 6(1)(b)) — to deliver the GGRI Daily and operate your subscription.
- Legitimate interest (Article 6(1)(f)) — for service security, abuse prevention, fraud detection, and product analytics. Our balancing assessment is available on request via privacy@atlasrisks.com.
- Legal obligation (Article 6(1)(c)) — to retain billing records for tax/audit compliance.
- Consent (Article 6(1)(a)) — for optional marketing or feature-announcement emails. You can withdraw consent at any time via the unsubscribe link.
4. Subprocessors
We use the following third-party data processors. We are responsible for these processors' compliance with our DPA terms. A request for our subprocessor change-notification list can be sent to legal@atlasrisks.com.
- Stripe, Inc. (United States) — payment processing, billing portal, invoice storage. Processes: name, email, payment method, billing address, transaction history. stripe.com/privacy · Stripe DPA.
- Resend, Inc. (United States) — transactional email delivery (Daily Brief, welcome, security notifications, password reset). Processes: email address, email body content. resend.com privacy · Resend DPA.
- Netlify, Inc. (United States) — site hosting, serverless functions, blob storage. Processes: all data we store. Netlify Blob storage runs in AWS regions, primarily us-east-1. netlify.com privacy · Netlify DPA.
- Netlify Forms (operated by Netlify) — contact-form submission relay. Processes: name, email, message content from /contact submissions.
- CARTO (Spain) and OpenStreetMap (United Kingdom) — map basemap tiles loaded by the Live Atlas. They receive only standard tile-request metadata (referrer, viewport, zoom level) — not your identity or account context.
- Cloudflare CDN, Inc. (via CDNJS, United States) — hosts the Leaflet JavaScript library used by the Live Atlas map. Receives standard HTTP request metadata.
- Google Fonts (United States) — webfont hosting. Receives standard HTTP request metadata.
We do not use any third-party analytics, advertising, tracking, behavioral profiling, or session-replay tools. We have no Google Analytics, Plausible, Mixpanel, Hotjar, FullStory, or equivalent on the site.
5. International data transfers
Most of our subprocessors are based in the United States and store data in US regions. Where we transfer personal data of EU/UK data subjects to the US, we rely on the European Commission's adequacy decision for the EU-US Data Privacy Framework where the subprocessor is certified, or on Standard Contractual Clauses (SCCs) where it is not. Our SCCs are available on request.
Data residency: primary blob storage is AWS us-east-1 (Northern Virginia). If your data-residency policy requires EU-only or other regional storage, contact legal@atlasrisks.com — for enterprise contracts we can arrange this on Netlify's regional pricing.
6. Who we share it with
Outside of the subprocessors listed above, we share personal data only when:
- You request it — for example, when you initiate a billing-portal session that takes you to Stripe.
- Law enforcement compels us under a legally valid request. We notify you if permitted by law and we will resist overbroad requests.
- A successor entity requires it in the event of a merger, acquisition, or asset sale. We will give you advance notice and the opportunity to delete your account before the transfer.
We do not sell, rent, or share your personal information with advertisers, data brokers, or marketing platforms.
7. Cookies
We use exactly the cookies we need:
- atlas_sub — subscriber session cookie. HttpOnly, Secure, SameSite=Strict, 7-day expiry. Set when you sign in; cleared when you sign out or delete your account.
- atlas_admin / atlas_staff — staff/admin session cookies (only set if you authenticate to the admin console). HttpOnly, Secure, SameSite=Lax, 4-hour expiry.
- Stripe Checkout and the Stripe Billing Portal set their own cookies on stripe.com when you visit those flows. We don't read them.
We do not use third-party advertising or tracking cookies. We do not use analytics tools that track individual users.
8. Your rights
Subject to applicable law (GDPR, UK GDPR, CCPA, and others), you have the right to:
- Access — request a copy of the data we hold about you. (Self-serve at Settings → Download my data; also available via privacy@atlasrisks.com.)
- Correction — request that inaccurate data be corrected.
- Deletion ("right to be forgotten") — self-serve at Settings → Delete my account, or via privacy@atlasrisks.com. Soft-delete is immediate; hard delete (including subprocessor cleanup) completes within 30 days.
- Portability — receive your data in a structured, machine-readable format (JSON).
- Restriction or objection — restrict or object to processing where the lawful basis is legitimate interest.
- Withdraw consent — for processing based on consent, at any time.
- Lodge a complaint — with your supervisory authority (EU/UK) or the California Attorney General (CCPA).
If you're in California: your CCPA rights apply, including the right to know, the right to delete, and the right to opt out of "sale." We do not sell personal information; the opt-out request is moot in our case, but you retain the right.
We respond to verified requests within 30 days (45 days for complex cases, with notice).
9. Data retention
- Account data: retained while your account is active, plus 30 days after deletion (during which hard-delete propagates to subprocessors).
- Billing records: retained for 7 years to meet US tax/audit compliance.
- Server logs: 30 days for security and abuse prevention.
- Audit log entries: 90 days from creation, then automatically pruned. Hard cap of 10,000 entries.
- Stripe-events-seen dedup records: 7 days.
- Login rate-limit records: 24 hours.
10. Security
Specifics of our security posture are documented at /help/security.html. In summary:
- HTTPS-only with HSTS (2-year max-age, includeSubDomains).
- Content Security Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy locking down camera/microphone/geolocation/payment.
- Passwords hashed with scrypt (OWASP-recommended memory-hard KDF) with per-user salt.
- Session tokens are HMAC-SHA256 signed and bound to a server-side secret.
- HttpOnly+Secure+SameSite=Strict cookies for sessions.
- Rate limiting on all authentication endpoints (login, password change, account deletion, billing portal).
- Stripe webhook signature verification (HMAC-SHA256 over the raw payload).
- Admin console gated by an edge-function HMAC-signed cookie + per-user staff sessions.
- Audit log of all administrative actions, queryable + exportable as CSV.
We follow industry-standard security practices but make no warranty against all possible attacks. To report a security vulnerability, see /.well-known/security.txt or write to security@atlasrisks.com.
11. Children
AtlasRisks is intended for professional security and intelligence buyers. We do not knowingly collect personal data from anyone under 18 (or under the age of digital consent in your jurisdiction). If we learn we have collected such data, we will delete it.
12. Automated decision-making
The GGRI itself is an automated scoring system that produces country risk scores from public OSINT sources. It does NOT process personal data about you to make decisions about you. The scoring system processes only news/event data about countries and entities, not subscribers.
13. Changes to this policy
We'll post material changes here and notify active subscribers by email at least 14 days before they take effect.
14. Contact
Privacy: privacy@atlasrisks.com. Security: security@atlasrisks.com. Legal & DPA requests: legal@atlasrisks.com. General: hello@atlasrisks.com.
— AtlasRisks privacy policy v2.0 · revised 2026-05-16