AtriTap

Privacy Policy

How AtriTap handles your data

Last updated: 21 April 2026 · Draft v0.1 for preview

Preview notice:this Privacy Policy is a draft applied during AtriTap's free preview. It will be reviewed by a qualified UK solicitor before any paid customer is onboarded. Feedback welcome at hello@atritap.com.

Who we are

AtriTap ("we", "us", "our") is a UK-based service that helps small and medium businesses configure marketing tracking. We are the data controller for personal data collected through this site and the AtriTap application.

Contact: hello@atritap.com.

What data we collect

  • Account data: your email address, sign-in provider (email and password, or Google), and account creation timestamp.
  • Profile data: your plan tier (free during preview).
  • Configuration data: the answers you provide during onboarding, and the configuration output AtriTap generates from them. These are associated with your user account.
  • Technical data: server logs generated by Vercel when you access the site (IP address, request path, timestamp, user agent), retained for up to 30 days.

We do not collect payment card data during preview. When paid tiers launch, card data is handled directly by Stripe; we only store Stripe customer and subscription identifiers.

Lawful basis

  • Contract: delivering the AtriTap service you signed up for (processing your answers, generating your configuration, emailing transactional confirmations).
  • Legitimate interest: minimal server-side analytics needed to operate and secure the service. We do not run third-party advertising trackers on this site without consent.

Processors we use

We use the following processors, each of which has signed or will sign a Data Processing Agreement with us:

  • Supabase (Supabase Inc.): authentication, database, storage. Data hosted in the EU (eu-west-2 region).
  • Vercel (Vercel Inc.):hosting, edge compute, CDN. Data transits through Vercel's global network.
  • Resend (Resend Inc.): transactional email delivery (sign-up confirmations, password reset).
  • Google (Google LLC):OAuth sign-in when you choose "Continue with Google". Google receives the minimum scopes necessary to confirm your identity (email, profile, openid).
  • Stripe (Stripe, Inc.): payment processing, applies only when paid tiers launch.
  • Anthropic (Anthropic PBC): AI onboarding conversation, applies only in Phase 2 when that feature launches.

Where a processor is located outside the UK or EEA, transfers are covered by Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum (IDTA).

Your rights

Under UK GDPR you have the right to:

  • Request a copy of the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated personal data.
  • Restrict or object to processing.
  • Lodge a complaint with the Information Commissioner's Office (ico.org.uk).

To exercise any of these rights, email us at hello@atritap.com. We respond within one month as required by UK GDPR.

Retention

  • Active account data: retained while your account is open.
  • Inactive free-tier accounts: deleted after 12 months of inactivity, with a 30-day email warning before deletion.
  • Server logs: retained for up to 30 days.
  • Backups: retained per Supabase's backup schedule (up to 7 days on the current tier).

Cookies and tracking

AtriTap uses only the cookies necessary to keep you signed in and operate the service (set by Supabase Auth). We do not run third-party advertising or analytics trackers on this site without consent. When we add optional analytics, we will surface a consent banner that defaults to decline.

Security

All data is transmitted over TLS. Database rows are protected by Row Level Security policies that restrict access to the owning user. Service-role credentials are never exposed to the browser.

Changes to this policy

We will notify you of material changes by email and update the "Last updated" date at the top of this page.