Privacy Policy

Who We Are

ATOM Interstate ("ATOM", "we", "us", or "our") is a software application designed for the touring music industry. We provide tools for tour management, accounting, logistics, and operations. Our registered contact email is philiphaneytm@gmail.com.

This Privacy Policy explains how we collect, use, and protect your personal information when you use ATOM at atominterstate.app.

Data We Collect

We collect only what is necessary to operate the service:

• Account information: email address, name, and a hashed password (we never store your password in plain text)
• Tour and financial data: show details, guarantees, expenses, settlements, crew information, and other data you enter into ATOM
• Sensitive financial fields (encrypted): wire transfer info, EIN, and uploaded W-9 PDFs are encrypted on your device with AES-256-GCM before transmission. Our servers store only ciphertext — even our database administrators cannot read these fields.
• Device and session data: a device token used to maintain your session across logins
• IP addresses: logged temporarily for rate-limiting and security purposes (e.g. detecting brute-force login attempts)
• License keys: used to authenticate your account and validate your subscription
• Product usage events: we record which features you use within ATOM (e.g. which tabs you open, which import flows you run, when you send messages to the AI assistant). This data is tied to your account, used solely to improve the product, and never shared with third parties or used for advertising. You can request deletion at any time.
• Gmail OAuth tokens (if you connect Gmail): stored encrypted at rest with AES-256-GCM. Read-only scope — we cannot send, delete, or modify any email. Email content is processed in-flight and never persisted.

We do not collect payment card data directly. We do not use advertising trackers, third-party analytics, or cookies that follow you around the web. We do not sell your data to any third party.

How We Use Your Data

• To provide and operate the ATOM service
• To authenticate your account and maintain your session
• To sync your data across devices via cloud storage
• To send transactional emails (e.g. invite links, password reset codes)
• To power the ATOM AI chat assistant with your tour context (see AI section below)
• To understand which features are valuable so we can improve the product (first-party usage analytics — never shared with third parties)
• To protect the service against abuse and unauthorized access

AI Chat Assistant

ATOM includes an AI chat assistant powered by Anthropic's Claude API. When you use this feature, a snapshot of your current tour data (shows, expenses, crew) is sent to Anthropic's API to generate a response. This data is used solely to answer your question and is not used to train Anthropic's models under our API agreement.

Do not share sensitive personal data (e.g. social security numbers, banking credentials) in the chat interface.

Google API Services User Data

If you choose to connect your Gmail account to ATOM (via the Email Scan feature in the Nucleus tab), the following terms apply specifically to your Google data. ATOM's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What we request and why

We request a single Google API scope:

• https://www.googleapis.com/auth/gmail.readonly — read-only access to your Gmail messages and attachments

We use this scope only to scan your inbox for receipts, settlement statements, hotel folios, airline confirmations, and credit card statements that ATOM can automatically parse into structured expense entries. This saves Tour Managers from manually entering each receipt by hand. We never use Gmail data for any other purpose.

What we do with your Gmail data

• Scan only when you initiate it. ATOM does not run scans in the background or on a schedule. A scan only happens when you click the Scan button in the Email Scan card and specify a date range.
• Search is targeted. We search by sender domain (e.g. uber.com, marriott.com, americanexpress.com) and the last four digits of your tour credit card — not your entire inbox. Personal correspondence is never read.
• Process in flight, do not persist. When a matching message is found, the body is fetched, sent to our AI parser to extract structured fields (vendor, date, amount, category), and immediately discarded. The original email body is never stored on our servers.
• Store only the structured result. What we keep is the parsed expense row: vendor name, date, amount, currency, category, and a reference back to the source message ID so you can re-fetch the original from Gmail if needed.
• No transfer to other apps. Gmail data we read is not shared with, sold to, or transferred to any third party except as required to provide the Email Scan feature itself (the AI parser, see below).
• No advertising. Gmail data is never used for advertising, marketing, or to build any kind of user profile.
• No human review except for support. No employee reads your Gmail messages. The only exception is if you explicitly grant us permission as part of a support investigation, or if we are required to do so by law.
• No machine-learning training. Gmail content is not used to train, improve, or develop any AI or machine learning model.

How your Google data is stored

• OAuth tokens. The access and refresh tokens Google issues to ATOM are encrypted with AES-256-GCM at rest in our database, using a key held only in our serverless function environment. The tokens themselves never appear in plaintext outside the running function process.
• Email body content. Never stored. Discarded immediately after parsing.
• Parsed results. Stored as expense rows in your account, just like any expense you would enter manually.

How to revoke access

You can disconnect ATOM from your Gmail account at any time:

• From inside ATOM: Nucleus tab → Email Scan card → Disconnect Gmail. This deletes our stored OAuth tokens immediately.
• From your Google Account: visit myaccount.google.com/permissions, find ATOM Interstate, and click Remove access. Google will invalidate the tokens on their side and ATOM will be unable to make further API calls on your behalf.

Revoking access does not delete the parsed expense rows that were already imported — those are your data and remain in your ATOM account. To delete those as well, edit them individually or delete your ATOM account using the controls in Settings → Privacy & Your Data.

Data sub-processors for Gmail data

When you run a scan, the message body is sent to our AI parser at Anthropic for one-shot processing. Anthropic does not retain API request bodies for training and deletes inputs after their standard 30-day abuse-monitoring window. No other third party receives Gmail content.

Third-Party Processors

We use the following sub-processors to operate ATOM. Each processes your data only as necessary to provide their service:

• Supabase (supabase.com) — cloud database and file storage. Data stored in US-based servers.
• Netlify (netlify.com) — hosting and serverless functions. US-based.
• Resend (resend.com) — transactional email delivery (invites, verification codes).
• Anthropic (anthropic.com) — AI API provider powering the ATOM chat assistant.

Data Retention

Your data is retained for as long as your account is active. If you request account deletion, we will remove your personal data and tour data within 30 days. IP logs used for rate-limiting are retained for no more than 90 days.

Your Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and applicable local law:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate data
• Right to erasure: request deletion of your data ("right to be forgotten")
• Right to restriction: request that we limit how we process your data
• Right to data portability: request your data in a machine-readable format
• Right to object: object to processing based on legitimate interests
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at philiphaneytm@gmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your national DPA in the EU).

The legal basis for processing your data is: contract performance (operating the service you signed up for), and legitimate interests (security and fraud prevention).

Cookies and Local Storage

ATOM uses browser localStorage (not traditional cookies) to store your session token and tour data locally on your device. This is strictly functional — no tracking, advertising, or analytics cookies are set. See our Cookie Policy for full details.

Security

All data is transmitted over HTTPS (SSL/TLS), provisioned automatically by Netlify via Let's Encrypt. Passwords are hashed using PBKDF2 before storage and are never transmitted or stored in plain text. Access to your data requires a valid session token.

Children's Privacy

ATOM is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16.

Changes to This Policy

We may update this policy as the product evolves. When we do, we'll update the effective date at the top. For significant changes, we'll notify active users by email.

Contact

Questions about this policy or your data? Email us at philiphaneytm@gmail.com.