Privacy Policy
Last updated: 2026-04-25 · Scope: V0 personal-use deployment
1. What personal data we collect
- Authentication identity — your Clerk user ID, email address, first and last name.
- Financial transactions you enter manually or that are synced from a connected bank — amount, currency, date, merchant or description, and category.
- Financial accounts — name, institution, balance snapshots.
- Budgets, savings goals, assets, and liabilities you create — labels, target amounts, notes.
- Bank connection tokens issued by the aggregator, encrypted at rest with Fernet before storage.
- Error and performance traces when the application misbehaves — stack traces, request paths, your user ID, browser, and operating system. Sent to Sentry.
- Aggregate usage events — page views, referrer, approximate country. Sent to Plausible. No cookies, no IP retention.
Atlas does not collect bank login credentials, payment-card numbers or CVVs, or identifiers of anyone other than the account holder.
2. Sub-processors
Each of the following services may process your personal data on the operator's behalf:
| Service | Purpose | Region |
|---|---|---|
| Railway | Application hosting, Postgres, Redis | EU |
| S3 / Cloudflare R2 | Encrypted database backups | Configurable per deployment |
| Clerk | Authentication; stores email + name + auth logs | US |
| finAPI | Bank aggregation; refresh tokens + transaction payloads | EU |
| Sentry | Error tracking; stack traces and request context for errors only | US |
| Plausible | Cookieless analytics; aggregate page views only | EU |
3. Encryption
Every external network edge uses TLS 1.2 or higher. Postgres volumes are encrypted at rest by Railway. Bank refresh tokens are additionally wrapped with Fernet symmetric encryption before being stored, so a database leak alone does not expose bank access. Backups are encrypted by the S3 provider.
4. Retention
- Active account data is kept for as long as the account is active.
- Soft-deleted records are retained indefinitely so historical financial data remains auditable. They can be promoted to hard deletes on request.
- Backups: daily snapshots 30 days, weekly snapshots 6 months.
- Sentry error traces: 30 days.
- Plausible analytics: aggregate event counts indefinitely, no user-level identifiers retained.
5. Right to deletion
- Export your data from the in-app Data Export tab.
- Delete your Clerk user from the Clerk dashboard.
- Request hard deletion of your records from the operator using the contact below.
- The bank-token encryption key can be rotated, which cryptographically shreds every stored bank refresh token in one operation.
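The Fernet wrapping described in section 3 and the key-rotation shred in the item above, as an added illustration that is not Atlas's own code: the in-memory dict stands in for the database table, the keys are constructed on the spot, and `store_refresh_token`, `load_refresh_token` and `rotate_key` are names chosen here, not project APIs.

```python
# Added illustration of Fernet-wrapped bank refresh tokens and key rotation
# as cryptographic shredding. Not Atlas's own code: the dict below stands in
# for the Postgres table, and every key and token value is constructed.
from typing import Dict, Optional

from cryptography.fernet import Fernet, InvalidToken

# Stand-in for the bank-connection table: user_id -> Fernet ciphertext.
_store: Dict[str, bytes] = {}


def store_refresh_token(key: bytes, user_id: str, refresh_token: str) -> bytes:
    """Wrap the aggregator's refresh token with Fernet before persisting it.

    Fernet is AES-128-CBC plus HMAC-SHA256, so the stored value is both
    confidential and integrity-protected; a copy of the row alone is useless.
    """
    wrapped = Fernet(key).encrypt(refresh_token.encode())
    _store[user_id] = wrapped
    return wrapped


def load_refresh_token(key: bytes, user_id: str) -> Optional[str]:
    """Unwrap a stored token.

    Returns None when the row is missing or when the key no longer verifies
    the ciphertext's HMAC, which is exactly the state after a rotation.
    """
    wrapped = _store.get(user_id)
    if wrapped is None:
        return None
    try:
        return Fernet(key).decrypt(wrapped).decode()
    except InvalidToken:
        return None


def rotate_key() -> bytes:
    """Mint a fresh wrapping key.

    The rows are left in place; because the old key is discarded and no
    stored ciphertext verifies under the new one, every refresh token is
    unrecoverable in a single operation. This only holds if the old key is
    destroyed everywhere it lived (config, secret-store history, backups).
    """
    return Fernet.generate_key()


def demo() -> dict:
    """Walk through store -> leak -> rotate and report what each step exposes."""
    key = Fernet.generate_key()
    store_refresh_token(key, "user_a", "constructed-refresh-token-A")
    store_refresh_token(key, "user_b", "constructed-refresh-token-B")

    before = load_refresh_token(key, "user_a")

    # Leak scenario: the raw row contents carry no trace of the plaintext.
    leaked_row = _store["user_a"]
    plaintext_visible = b"constructed-refresh-token-A" in leaked_row

    new_key = rotate_key()
    after = load_refresh_token(new_key, "user_a")

    return {
        "before": before,
        "after": after,
        "plaintext_visible_in_row": plaintext_visible,
        "rows_retained": len(_store),
    }


if __name__ == "__main__":
    print(demo())
```

Rotation as described on this page is a destructive operation by design; if a deployment instead wants to re-wrap tokens under a new key without losing them, the same library's `MultiFernet` accepts an ordered list of keys and can rotate ciphertexts individually, but that is a migration, not a shred.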
6. Access controls
Application access is gated by a Clerk user allowlist enforced server-side; non-listed Clerk users receive HTTP 403. Infrastructure access (Railway, Sentry, Plausible, finAPI dashboards, registrar) is protected by personal accounts with two-factor authentication enabled. The deploy workflow is the only automated path to production.
7. Contact
The data controller for this deployment is the operator. Reach them at woo.sung@vendingmachine.design.
The full version of this policy, including the breach response playbook, lives in the project repository at docs/policies/data-privacy.md.