Atlast Request a demo

Privacy Policy

Last updated: May 2026 · Effective date: May 2026

1. Who We Are

Atlast is operated by Atlast Global Technologies, S.L. (“AGT,” “we,” “us,” or “our”), a company incorporated under Spanish law.

Data Controller:

  • Corporate Name: Atlast Global Technologies, S.L.
  • Address: Avenida Eduard Maristany, 7, floor 5, door B, 08019 Barcelona, Spain
  • Tax ID (CIF/NIF): B-24.844.326
  • Registration Details: Registered in the Mercantile Registry of Barcelona, Volume/IRUS Number 1000461508346, Folio 1, Sheet B-645123, Entry 1
  • Email: info [at] this domain
  • Contact Phone: +34 691 848 420

We are committed to protecting your privacy and handling your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Organic Law 3/2018 of December 5 on Protection of Personal Data and Guarantee of Digital Rights, and other applicable Spanish and European data protection regulations.

2. Scope of This Privacy Policy

This Privacy Policy explains how we collect, use, store, and protect your personal data when you:

  • Visit our website at www.atlasthq.com (the “Website”)
  • Contact us via email or other channels
  • Use our services
  • Interact with our platform

This Privacy Policy should be read in conjunction with our Terms & Conditions and Cookie Policy.

3. What Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Information You Provide Directly

When you contact us or use our services, you may provide:

  • Contact Information: Name, email address, phone number
  • Professional Information: Company name, job title, industry/sector, company size, company location
  • Account Information: Username, password (encrypted), profile information (when you create an account)
  • Communications: Any information you provide when you contact us or provide feedback

3.2 Information We Collect Automatically

When you visit our Website, we automatically collect:

  • Technical Data: IP address, browser type and version, operating system, device type
  • Usage Data: Pages visited, time spent on pages, referring/exit pages, clickstream data
  • Analytics Data: Information collected via cookies and similar technologies (see our Cookie Policy)

3.3 Information from Third Parties

We may receive information about you from:

  • Analytics providers (e.g., Google Analytics)
  • Third-party service providers supporting our operations
  • Business partners or affiliates

3.4 Data Accessed via Google API Integrations

If you connect a Google account, we access only the data required to deliver the scheduling features you have enabled, through the OAuth scopes listed in Section 11. This consists of: (i) free/busy availability information from calendars you own or are invited to; (ii) calendar event details for events Atlast schedules or that are relevant to scheduling; (iii) Google Meet conference spaces that Atlast creates; and (iv) basic profile information (name, email address, profile photo) of the Google account you connect. We do not access your Gmail messages, Google Drive files, Google Contacts, or any other Google data.

4. How and Why We Use Your Personal Data

We process your personal data for the following purposes and on the following legal bases:

Purpose Legal Basis Data Used
Providing and managing our services, including account creation and platform access Performance of contract (GDPR Art. 6(1)(b)) Contact information, account information, professional information
Responding to your inquiries and providing customer support Legitimate interest in maintaining customer relationships (GDPR Art. 6(1)(f)) Contact information, communications
Improving our products and services based on user feedback and usage patterns Legitimate interest in business development and product improvement (GDPR Art. 6(1)(f)) Professional information, usage data
Analyzing website usage and improving user experience Consent (for cookies) and legitimate interest in improving our services (GDPR Art. 6(1)(f)) Technical data, usage data, analytics data
Sending you service-related communications and updates Performance of contract (GDPR Art. 6(1)(b)) Contact information
Sending you marketing communications about our products and services (if you have opted in) Consent (GDPR Art. 6(1)(a)) Contact information
Complying with legal obligations and responding to lawful requests from authorities Legal obligation (GDPR Art. 6(1)(c)) Any relevant personal data
Establishing, exercising, or defending legal claims Legitimate interest in protecting our legal rights (GDPR Art. 6(1)(f)) Any relevant personal data
Operate Google Calendar and Google Meet integrations to schedule, reschedule, cancel, and host candidate interviews Performance of contract (GDPR Art. 6(1)(b)); your consent granted via Google’s OAuth flow (GDPR Art. 6(1)(a)) Data accessed via Google APIs (see §3.4 and §11)

You have the right to withdraw your consent at any time by contacting us at info [at] this domain or using the unsubscribe link in our emails. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

5. How We Share Your Personal Data

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We may share your personal data with:

5.1 Service Providers

We use trusted third-party service providers who process data on our behalf for purposes such as:

  • Website hosting and cloud storage
  • Email delivery and marketing platforms
  • Analytics and website optimization
  • Customer relationship management (CRM)
  • Payment processing (if applicable)

Where you have enabled Google integrations, data accessed via Google APIs may be processed by the following sub-processors strictly to deliver the features you invoke:

  • Cloud infrastructure: Amazon Web Services (AWS), for hosting and storage.
  • AI processing: AGT performs AI inference for AI-assisted scheduling features (such as proposing optimal interview times and preparing scheduling-related candidate communications) through two independent routing paths. The specific models invoked may change as AGT adds or removes features; in all cases, AGT only uses providers that contractually prohibit training on customer data.
    • Amazon Bedrock (Amazon Web Services, Inc.) — inference is performed within AWS infrastructure. Data processed via Bedrock is not shared with the underlying model providers.
    • OpenRouter (OpenRouter, Inc.) — routes inference requests to upstream model providers, currently including Anthropic, PBC; OpenAI, L.L.C.; and Google LLC. AGT configures OpenRouter to route only to providers that contractually prohibit training on customer data.

Each sub-processor is bound by a written agreement requiring confidentiality and security controls consistent with this Privacy Policy and the Google API Services User Data Policy.

All service providers are bound by data processing agreements and are required to implement appropriate security measures.

5.2 Legal Requirements

We may disclose your personal data if required by law, regulation, legal process, or governmental request, or if necessary to:

  • Comply with legal obligations
  • Protect our rights, property, or safety, or that of our users or the public
  • Prevent fraud or security threats
  • Enforce our Terms & Conditions

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the relevant third party, subject to the same privacy protections outlined in this Privacy Policy.

5.4 With Your Consent

We may share your data with third parties when you have given us explicit consent to do so.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including countries that may not provide the same level of data protection as Spain or the EU. When we transfer your data internationally, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Other legally compliant transfer mechanisms

You have the right to request information about the safeguards we have in place for international transfers by contacting us at info [at] this domain .

7. How We Protect Your Personal Data

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

  • Encryption of data in transit and at rest
  • Secure cloud storage with industry-standard providers
  • Access controls and authentication mechanisms
  • Regular security assessments and updates
  • Employee training on data protection and confidentiality

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security.

8. How Long We Keep Your Personal Data

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

Retention Periods:

  • Account Data: For the duration of your account plus 12 months after account closure
  • Marketing Communications: Until you unsubscribe or withdraw consent
  • Customer Support Communications: Up to 3 years after the last communication
  • Contract and Transaction Data: 6–10 years as required by Spanish tax and commercial law
  • Legal or Compliance Data: As required by applicable law
  • Website Analytics Data: Typically 26 months (in accordance with Google Analytics default settings)
  • Google API tokens and data accessed via Google APIs: For as long as the integration is connected; deleted or anonymised within 30 days of disconnection or account closure, except where retention is required by law

After the applicable retention period, we will securely delete or anonymize your personal data.

9. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

9.1 Right of Access (Art. 15 GDPR)

You have the right to request confirmation of whether we process your personal data and to obtain a copy of your data.

9.2 Right to Rectification (Art. 16 GDPR)

You have the right to request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure / “Right to be Forgotten” (Art. 17 GDPR)

You have the right to request deletion of your personal data in certain circumstances, such as when:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

9.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data.

9.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

9.6 Right to Object (Art. 21 GDPR)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

9.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time.

9.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In Spain, the supervisory authority is:

  • Agencia Española de Protección de Datos (AEPD)
  • Website: www.aepd.es
  • Address: Calle Jorge Juan, 6, 28001 Madrid, Spain

How to Exercise Your Rights:

To exercise any of these rights, please contact us at:

We will respond to your request within one month of receipt. In complex cases, we may extend this period by an additional two months, and we will inform you of such extension.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our Website, analyze usage, and support our marketing efforts.

What are cookies? Cookies are small text files stored on your device when you visit a website. They help the website remember your preferences and improve functionality.

Types of cookies we use:

  • Essential Cookies: Necessary for the Website to function properly
  • Analytics Cookies: Help us understand how visitors interact with our Website (e.g., Google Analytics)
  • Marketing Cookies: Used to track visitors across websites to display relevant advertisements

Your Cookie Choices: You can control and manage cookies through your browser settings. However, disabling certain cookies may affect the functionality of our Website. For more detailed information, please see our Cookie Policy.

11. Google API Integrations

This section describes how AGT accesses, uses, stores, and protects information obtained from Google APIs when you connect a Google account to Atlast.

11.1 Scopes Requested

We request only the minimum Google API scopes required to deliver the features you have enabled. The current scopes and their purposes are:

Scope Data Accessed How We Use It
https://www.googleapis.com/auth/calendar.freebusy Free/busy availability windows on calendars you own or are invited to (no event titles, descriptions, attendees, or other event details) Determine when you and other interview participants are available so Atlast can propose conflict-free interview times
https://www.googleapis.com/auth/calendar.events Read and write events on calendars you own or are invited to Create, update, reschedule, and cancel candidate interview events on your behalf, and display existing events relevant to scheduling inside Atlast
https://www.googleapis.com/auth/meetings.space.created Create, configure, and manage Google Meet conference spaces that Atlast creates Generate a Google Meet link for each interview Atlast schedules and manage that meeting space (e.g. updating settings or removing it if the interview is cancelled)

11.2 Limited Use Disclosure

Atlast’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, AGT:

  • will only use Google user data to provide or improve user-facing features that are prominent in the Atlast user experience;
  • will not transfer Google user data to third parties except (i) as necessary to provide or improve user-facing features that are prominent in the Atlast user interface, (ii) to comply with applicable law, or (iii) as part of a merger, acquisition, or sale of assets with notice to affected users;
  • will not use Google user data to serve advertisements, including personalised, retargeted, or interest-based advertising;
  • will not sell, rent, or trade Google user data; and
  • will not allow humans to read Google user data, except (a) with the relevant user’s affirmative agreement for specific messages, (b) where necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised and is used for internal operations.

11.3 Use of Google Data with AI / Machine-Learning Features

Atlast uses AI/ML models to deliver scheduling-related features such as proposing optimal interview times, coordinating across time zones, and preparing scheduling communications. When these features process Google user data:

  • Processing occurs only at the time the user invokes the feature.
  • AGT does not use Google user data to develop, improve, or train generalised AI/ML models, including AGT’s own models or those of any third-party provider.
  • AGT has contractual commitments from its AI sub-processors prohibiting them from using Google user data to train, fine-tune, or otherwise improve their models.
  • No AGT employee reads Google user data except (i) with the user’s explicit consent, (ii) for security or abuse investigations, (iii) to comply with applicable law, or (iv) on data that has been aggregated and anonymised for internal operations.

11.4 Storage and Security of Google Data

Google OAuth access and refresh tokens are encrypted at rest in AGT’s secret-management infrastructure. Google user data is stored within AGT’s AWS infrastructure. All data transmitted between AGT, Google APIs, and the AI sub-processors listed in Section 5.1 is encrypted in transit using TLS 1.2 or higher. When you invoke an AI-assisted feature, the data required to perform that feature is transmitted to the relevant AI sub-processor strictly for the duration of the request and only to deliver the action you invoked. Access to AGT’s production systems is restricted to authorised personnel via single sign-on, multi-factor authentication, and audit logging.

11.5 Retention and Deletion of Google Data

AGT retains Google user data only for as long as the integration is connected and as necessary to provide the features you have enabled. When you disconnect your Google account or close your Atlast account, AGT will delete or anonymise Google user data within 30 days, except where retention is required to comply with a legal obligation.

11.6 Your Controls

You may at any time:

  • view and disconnect Google integrations from inside Atlast (Settings → Integrations);
  • revoke AGT’s access directly via https://myaccount.google.com/permissions;
  • request deletion of your Atlast data, including data derived from Google APIs, by contacting info [at] this domain . AGT will respond within one month in accordance with Section 9.

12. Third-Party Links

Our Website may contain links to third-party websites, services, or applications that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

13. Children’s Privacy

Our Website and services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children under 18. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at info [at] this domain , and we will delete such information.

14. Automated Decision-Making and Profiling

We do not currently engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you. If this changes in the future, we will update this Privacy Policy and inform you accordingly.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will:

  • Update the “Last Updated” date at the top of this Privacy Policy
  • Notify you via email if the changes are material (where we have your email address)
  • Obtain your consent where required by law

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

  • Data Controller: Atlast Global Technologies, S.L.
  • Email: info [at] this domain
  • Postal Address: Avenida Eduard Maristany, 7, floor 5, door B, 08019 Barcelona, Spain
  • Phone: +34 691 848 420

We are committed to resolving any privacy concerns you may have and will respond to your inquiry as soon as possible.

By using our Website or services, you acknowledge that you have read and understood this Privacy Policy.