1. In brief
This is a summary of how Atlas Labs handles your personal data. The full notice below is the binding text; this section is for orientation.
- We collect what is necessary to run an accounting product: identity (email, name), authentication credentials (password hash, two-factor secret, refresh tokens — all encrypted or hashed at rest), wallet and exchange identifiers you choose to connect, transaction history we ingest from public blockchains and from APIs you authorise, and tax identifiers you optionally provide for tax reporting.
- We do not run third-party tracking inside the authenticated product. The marketing site uses Google Analytics 4 only after you accept the cookie banner; the ledger, docs, and admin apps do not load any external analytics at all.
- We do not sell your personal data. We do not share it with advertising networks. We do not use it to train artificial-intelligence models — yours or anyone else's.
- You have a right to access, correct, export, and delete your personal data, and to object to or restrict processing. You can exercise any of those rights by emailing privacy@hq-fs.com. We respond within 30 days, free of charge.
2. Who we are
Atlas Labs ("we", "us", "our") is the operator of the websites and applications at hq-fs.com and its subdomains, including the marketing site, the Ledger application, the Docs platform, the authentication service, and the administration panel. Atlas Labs is the controller of personal data processed through these services in the sense of Article 4(7) GDPR and the equivalent definitions under UK GDPR, PDPA, and CCPA.
Atlas Labs operates from Singapore. Our legal entity, registered address, and corporate identifier are available on request to the contact address in section 17.
For privacy questions, complaints, or data-subject rights requests, the canonical contact is privacy@hq-fs.com. We do not currently maintain a designated EU representative under Article 27 GDPR; if our processing materially expands inside the EU we will appoint one and update this notice.
3. Data we collect
We collect personal data in three contexts: when you visit the marketing site, when you create and use an Atlas Labs account, and when you connect external services (wallets, exchanges, banks) to your account. The categories below are exhaustive — if a category is not listed, we do not collect it.
3.1 Marketing site visits
When you load any page on hq-fs.com we record server access logs (IP address, request timestamp, requested URL, HTTP status, user agent). These logs are retained for 14 days for security monitoring and operational debugging. After consent, we load Google Analytics 4 with IP anonymisation enabled; GA4 then records page views, scroll depth, click events, and the UTM parameters of the referring link, using a randomised visitor identifier rather than an account-linked one.
If you submit the waitlist form, we store the email address you submit, the source token of the form (which page it was on), and your first-touch UTM and referral attribution. The waitlist storage is in our outbound-email provider (currently Resend — see section 7).
3.2 Account registration and authentication
When you create an Atlas Labs account we store the email address you provide, the display name you provide (optional), an avatar image you upload (optional), a salted bcrypt hash of the password you choose (the plaintext is never stored), and metadata including account creation timestamp, role, and verification status.
If you enable two-factor authentication, we store the TOTP secret encrypted with AES-256-GCM under a per-user key derived via HKDF-SHA-256 — the plaintext seed never persists. If you sign in with an OAuth provider (Google, GitHub, Apple, Microsoft) we store only the provider name and the provider-issued account identifier; we do not retain the provider's access or refresh tokens after using them once to fetch your profile.
When you stay signed in, we store a hashed refresh-token record in our session table — the raw refresh token is held only in your browser's cookie, never on our server. The cookie is HttpOnly, Secure, SameSite=Lax, and limited to a 7-day lifetime.
If you set a 6-digit platform PIN to authorise high-sensitivity actions (such as revealing a stored tax identifier) we store a salted bcrypt hash of that PIN — never the plaintext.
3.3 Ledger product use
When you create a portfolio, the Ledger application records the portfolio name and type you choose. When you connect a blockchain wallet, we store the wallet address (a public on-chain identifier) and a one-time signature proving ownership; we do not, and cannot, see your private key. When you connect a centralised exchange we store the API credentials you provide encrypted with AES-256-GCM under a per-user HKDF-derived key; the plaintext key and secret never persist on disk in clear form. Bank tokens follow the same pattern.
The Ledger then reads your transaction history from the blockchain and from the exchange APIs you authorised. The transactions, lots, and reconciliations we derive are stored in our database. When you optionally enter a taxpayer identification number for any natural person on a portfolio, we store that number encrypted with AES-256-GCM under a separate per-user key; access to the plaintext is gated by a server-side PIN check, a CSRF token, and a fail-closed audit log.
3.4 Inferred and derived data
We compute account state — VIP level, achievement progress, feature-flag eligibility, role-based access — from the data you provide and the actions you take. We do not perform automated decision making with legal or similarly significant effects in the sense of Article 22 GDPR.
4. How we use it
We process the data described in section 3 for the purposes listed below. Each purpose maps to a specific legal basis under Article 6 GDPR (and the equivalent provisions of UK GDPR and PDPA); section 5 sets those out in full.
- To provide the service. Run authentication, ingest transactions you connect, compute lots and reconcile balances, render the user interface, deliver tax exports.
- To secure the service. Detect and respond to abuse, brute-force attempts, account takeover, scam-token exposure, and other threats to your data and to our systems.
- To communicate with you. Deliver transactional emails (verification, password reset, magic-link sign-in, billing receipts, important security notices). Marketing emails only after your separate consent.
- To measure marketing on the public site. After you accept the cookie banner, count visits, conversions, and first-touch attribution so we can decide where to invest acquisition effort.
- To meet legal obligations. Retain billing records under tax-and-accounting law, respond to lawful requests from regulators or courts where we are required to, and keep a sensitive-field access audit log for taxpayer-identifier disclosures.
5. Legal bases (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, we rely on the following legal bases:
- Article 6(1)(b) — performance of a contract. Account creation, authentication, ingest of transactions, tax exports, and billing all flow from the contract for service you enter when you register.
- Article 6(1)(c) — legal obligation. Retention of billing and accounting records; responses to lawful requests; the audit log of sensitive-field disclosures (taxpayer identifiers).
- Article 6(1)(f) — legitimate interests. Security monitoring, fraud and abuse detection, server access logs. We have assessed our interest against your rights and believe the processing is proportionate; you may object under section 12.
- Article 6(1)(a) — consent. Marketing email subscriptions, the cookie banner's analytics tier, and anything we may add later that does not fit the bases above. You can withdraw consent at any time through the same surfaces you granted it; withdrawal does not affect the lawfulness of processing before withdrawal.
For special-category data (Article 9 GDPR) we generally do not process any. Taxpayer identifiers are not categorised as Article 9 data under GDPR but are treated by us with the same encryption and access discipline as if they were.
7. Third parties and sub-processors
We use a small number of third-party services to deliver specific functions. Each service receives only the personal data necessary for the function it performs. We sign data processing agreements where required by GDPR Article 28 and equivalent rules.
- Resend (United States, EU sub-processors) — transactional and waitlist email delivery. Receives the email address and the body of any email we send to you.
- Cloudflare (United States, global edge) — Turnstile bot challenge on registration, content delivery for the marketing site. Receives IP address and request metadata inherent to any HTTP request.
- Google (United States) — Google Analytics 4 with IP anonymisation, Google Tag Manager, and Google OAuth if you choose to sign in with Google. GA4 loads only after cookie consent.
- Anthropic (United States) — Claude API used to suggest portfolio onboarding tiles in the create-portfolio wizard. Receives only your structured tile selections (asset category keys, motivation keys, country code) — never your name, email, IP, address, tax ID, or any free-text content. Active only when both the Personalization cookie category is enabled and you have opted in to the portfolio-onboarding-ai beta flag in your account settings. Anthropic's commercial DPA covers this processing.
- MaxMind GeoLite2 — IP-to-country geographic database. Atlas Labs ships the database file with the application (no network call to MaxMind from production traffic); we license the data under the GeoLite2 free terms. Listed here for transparency — MaxMind does not receive any data about you.
- GitHub, Apple, Microsoft — OAuth identity providers, used only if you choose to sign in with them. Receive what their OAuth flow inherently exposes (your redirect from us to them and back).
- Stripe (United States, when applicable) — billing and payment processing for paid plans. Receives payment-card details directly through Stripe's hosted surfaces; we never see or store card numbers.
- Etherscan, Routescan, Alchemy, Chainstack, CoinGecko — read-only blockchain indexers and price feeds. We send the wallet address you connected and receive the public on-chain transaction history; we do not transmit your account identity to these providers.
We will publish a sub-processor list and a notification channel for sub-processor changes once we onboard our first business tenants. Until then, the list above is the complete set.
9. International transfers
Atlas Labs is incorporated in Singapore. Our primary infrastructure is located in [region to be confirmed at public launch]. Some of our sub-processors (notably Resend, Stripe, Cloudflare, and Google) operate in the United States and other jurisdictions outside the EEA, the UK, and Singapore.
Where personal data of European, UK, or Singapore data subjects is transferred to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914), the UK's International Data Transfer Addendum, or the PDPA Transfer Limitation Obligation as implemented through equivalent contractual safeguards. Copies of those instruments are available on request.
10. Retention
We retain personal data only as long as necessary for the purposes set out in section 4. The table below lists the categories where we have a fixed retention period.
- Account record. While the account exists, plus 30 days after deletion to allow reversal in case of accidental deletion. Permanently erased after the 30-day window unless a legal hold applies.
- Refresh sessions. 7 days from the last use, or immediately on logout / password change.
- Server access logs. 14 days.
- Sensitive-field access audit log (taxpayer identifiers). 7 years to satisfy tax-record retention obligations in most relevant jurisdictions.
- Billing records. 7 years to satisfy accounting and tax retention obligations under Singapore Companies Act, EU member-state tax laws, and equivalent.
- Transaction history within the ledger. While the account exists, plus 30 days after deletion. You can also request immediate deletion of a specific portfolio at any time.
- Waitlist subscriptions. Until you unsubscribe. Every email we send carries a one-click unsubscribe link.
11. Security
We apply the security measures appropriate to a financial-data processor under Article 32 GDPR and PDPA section 24. The measures below are operative today; the canonical security policy lives at /security-policy.
- Encryption in transit. Strict-Transport-Security on every domain; HTTPS only; modern TLS suites.
- Encryption at rest, sensitive fields. AES-256-GCM with per-user keys derived via HKDF-SHA-256 for: TOTP secrets, exchange API credentials, bank tokens, and taxpayer identifiers. Each key class uses a separate master so a compromise of one master does not unlock the others.
- Authentication. Bcrypt cost-12 password hashes, RS256 JWT access tokens with 15-minute lifetimes, hashed refresh sessions, optional TOTP, per-email exponential backoff lockout, optional Cloudflare Turnstile bot challenge.
- Access control. Role-based access, principle of least privilege within Atlas Labs staff, and per-row scope checks on every authenticated query.
- Audit logging. Every taxpayer-identifier disclosure is logged with user, time, request IP, and reason — fail-closed (the disclosure is refused if the log write fails).
- Coordinated vulnerability disclosure. We publish a /.well-known/security.txt on every domain pointing at security@hq-fs.com, with a 90-day disclosure window and recognition for valid reports.
No security measure is perfect. We will notify affected users and the relevant supervisory authority of any personal-data breach without undue delay and within 72 hours where feasible, consistent with Article 33 GDPR and equivalent rules.
12. Your rights
You have the following rights with respect to the personal data we hold about you. Most are uniform across jurisdictions; where a right is jurisdiction-specific we say so.
- Access. Request a copy of the personal data we hold about you, plus information on how it is processed.
- Rectification. Correct inaccurate or incomplete data. Most fields you can edit yourself in your account settings; for fields you cannot, email us.
- Erasure. Request deletion of your account and the personal data tied to it, subject to retention obligations we cannot lawfully waive (billing records, tax-related audit trails).
- Restriction. Request that we stop processing specific categories of your data while a dispute is resolved.
- Portability. Receive your data in a machine-readable format you can transmit to another controller. The Ledger application's export tools cover most of this case directly; for the remainder, ask us.
- Objection. Object to processing based on legitimate interests or for direct marketing. Direct-marketing objections are honoured immediately and without exception.
- Withdraw consent. Where processing is based on consent (cookie banner analytics tier, marketing emails), withdraw at any time. Withdrawal does not affect the lawfulness of past processing.
- Lodge a complaint. Section 17 lists the supervisory authorities for the largest jurisdictions in our user base. You can complain to your local authority directly, with no obligation to come to us first.
We respond to rights requests within 30 days at no cost. We may extend by a further two months for complex requests, with notice and reasons; we may refuse manifestly unfounded or excessive requests, also with notice and reasons. Email privacy@hq-fs.com from the address on your Atlas Labs account, or use a separate channel and we will verify your identity before responding.
13. California (CCPA / CPRA) supplementary notice
If you are a California resident, the rights in section 12 apply to you, plus the additional CCPA / CPRA rights below. The Atlas Labs categories of personal information in the CCPA sense are listed in section 3; we have not sold or shared (CCPA-defined) any category in the preceding twelve months and do not currently intend to. Section 8 records this commitment.
- Right to know. The categories of personal information we have collected about you, the categories of sources, the business or commercial purpose, the categories of third parties with whom we share, and the specific pieces of information we hold. Sections 3 and 7 of this notice are the static answer; for the data-specific answer, exercise your right to access under section 12.
- Right to delete. Request deletion of personal information we have collected from you, subject to the same retention exceptions in section 10.
- Right to correct. Request correction of inaccurate personal information.
- Right to limit use of sensitive personal information. Where we hold sensitive personal information (financial account numbers and credentials, contents of mail or messages, account log-in credentials, taxpayer identifiers) you can require us to use those categories only for the limited purposes Cal. Civ. Code § 1798.121 permits without your consent. We already operate within those limits — we do not process sensitive personal information for inferring characteristics or for advertising.
- Right to opt out of sale or sharing. We do not sell or share. The opt-out is therefore moot for us, but we honour any Global Privacy Control (GPC) signal we receive as a request to opt out.
- Right to non-discrimination. We do not discriminate against you for exercising any of the rights above.
We do not offer financial incentives in exchange for personal information.
14. Singapore (PDPA) supplementary notice
Atlas Labs is established in Singapore and the PDPA applies to our processing globally. The PDPA obligations and your corresponding rights are reflected in sections 4, 5, and 12 of this notice. The PDPA framework specifically requires us to honour:
- Consent obligation — section 5 above identifies consent as a legal basis where it applies.
- Notification obligation — this notice is the discharge of that obligation.
- Purpose limitation obligation — sections 3 and 4 specify the categories and purposes; we do not process data beyond them.
- Access and correction obligations — exercise under section 12.
- Accuracy obligation — we make reasonable effort to keep stored data accurate and up to date.
- Protection obligation — section 11.
- Retention limitation obligation — section 10.
- Transfer limitation obligation — section 9.
You may complain to the Personal Data Protection Commission (PDPC) of Singapore at pdpc.gov.sg after first attempting to resolve the matter directly with us.
15. Children
Atlas Labs services are not directed at children under 16. We do not knowingly collect personal data from children under 16. If we learn that we have collected such data without verified parental consent, we will delete it. Parents and guardians who believe their child has provided personal data to Atlas Labs may contact us at privacy@hq-fs.com.
16. Changes to this notice
We may amend this notice over time. The Last updated date and version number at the top of the page mark the latest version. For changes that materially expand the categories of data we process or the purposes for which we process it, we will notify account holders by email or in-product banner at least 30 days before the change takes effect, and where required by law we will obtain fresh consent. The unchanged older versions of this notice are available on request.
17. Contact and complaints
For privacy questions, data-subject rights requests, or to raise a concern, email privacy@hq-fs.com. You can also write to Atlas Labs, Privacy Office, at the postal address available on request.
You have the right to lodge a complaint with a supervisory authority. The principal authorities for our user base are:
- European Union — your member state's supervisory authority. The list is at edpb.europa.eu.
- United Kingdom — Information Commissioner's Office (ICO), ico.org.uk.
- Singapore — Personal Data Protection Commission (PDPC), pdpc.gov.sg.
- California — California Privacy Protection Agency, cppa.ca.gov; or California Attorney General, oag.ca.gov/privacy.
- Australia — Office of the Australian Information Commissioner (OAIC), oaic.gov.au.
- Canada — Office of the Privacy Commissioner of Canada, priv.gc.ca.
- Brazil — Autoridade Nacional de Proteção de Dados (ANPD), gov.br/anpd.