Privacy Policy

The data controller is Atrium (entity registration pending; the Atrium project team operates as an unincorporated team until entity formation is complete; see /team for individuals).

Limitation: no formal entity is registered as of this writing. This policy will be updated with the registered entity name and jurisdiction once incorporation completes.

• Legitimate interest: analytics (SimpleAnalytics, aggregated, no personal IDs). You may opt out via the cookie consent banner.
• Contract: service delivery (rendering your portfolio, executing transactions you initiate).
• Consent: Sentry error replay, marketing communications (if any). Revocable at any time.
• Vital interest / legal obligation: fraud prevention, AML record-keeping where KYC is triggered.

• Wallet addresses (pseudonymous, on-chain)
• IP addresses (Codex API logs, retained 24h)
• User-agent strings (Codex API logs)
• Device fingerprints (Sentry, only with consent)
• Error context: stack traces, breadcrumbs (Sentry, scrubbed of wallet addresses)
• KYC documents: government ID, selfie, biometric (Sumsub, only if user opts into tier upgrade)

Full details at /legal/sub-processors. Summary:

• Vercel: hosting
• Cloudflare: DNS, DDoS protection
• Sentry: error monitoring (consent-gated)
• SimpleAnalytics: analytics (EU-based, GDPR-friendly)
• Sumsub: KYC (only if user opts in)
• Doppler: secrets management (no user PII)
• DigitalOcean: daemon hosting (no user PII)
• The Graph: subgraph indexer (public chain data only)
• Web3.storage: IPFS pinning (public Merkle roots only)

• Access: request a copy of data we hold about you.
• Rectification: correct inaccurate data.
• Erasure: request deletion. Note: on-chain data is immutable; we erase off-chain mirrors only.
• Portability: receive your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interest.
• Restriction: request we limit processing.
• Right to lodge complaint: with your supervisory authority (e.g. ICO, CNIL, BfDI).
• California-specific: do not sell my personal information. We do not sell personal information.

Email privacy@useatrium.me with your wallet address and request. We respond within 30 calendar days.

A self-service data request form is planned at /legal/data-request.

Vercel and DigitalOcean process data in the United States. For EU→US transfers, we rely on Standard Contractual Clauses (SCCs) as published by each processor.

Limitation: we have not independently verified each processor's SCC implementation. This will be confirmed during lawyer review.

When you request a tier upgrade for restricted venues, KYC is processed by Sumsub. See /legal/kyc for full details on what is collected, retention, and appeal mechanisms.

We use the following:

Manage your preferences via the cookie consent banner or reset your consent preferences.

Atrium is not intended for persons under 18 years of age. We do not knowingly collect data from minors. If we become aware that a user is under 18, we will terminate access and delete associated off-chain data.

Material changes are announced with 30 days' notice via /changelog and emailed to users who have provided an email address. Continued use after the notice period constitutes acceptance.