Privacy Policy

Data Controller: Atom Foundry (atomfoundry.dev) is the data controller responsible for the processing of your personal data as described in this policy.

Contact: support@atomfoundry.dev

Scope: This policy applies to all personal data collected through atomfoundry.dev, its subdomains, APIs, and associated services. It does not apply to third-party websites linked from our platform.

Two Types of Data: We handle two fundamentally different types of data: (1) personal data of our users and website visitors, and (2) publicly available commercial data about ecommerce stores. These are treated differently and described separately in this policy.

Data You Provide Directly:

• Store URL — submitted for analysis via our free scan tool
• Email address — if provided for report delivery or contact purposes
• Payment information — processed by our payment provider; we do not store card details
• Communications — emails or messages you send to us

Data Collected Automatically:

• IP address — for security, fraud prevention, and geographic analytics
• Browser type and version — for technical compatibility
• Operating system — for technical compatibility
• Referring URL — to understand traffic sources
• Pages visited and time spent — for service improvement
• Cookies and similar tracking technologies — described in Section 10

We do not collect: Government ID numbers, financial account information, health data, biometric data, precise geolocation, or any special categories of personal data as defined under GDPR Article 9.

Nature of Store Data. As part of our core service, we collect and process publicly available information about ecommerce stores. This data is gathered through automated crawling of publicly accessible web pages and constitutes commercial, non-personal data about businesses — not personal data about individuals.

What We Collect About Stores:

• Publicly visible store content (product descriptions, pricing, policies)
• Technical signals (schema markup, meta tags, performance metrics)
• Domain name and business identity information displayed publicly
• AI readiness signals derived from publicly accessible content

Legal Basis. Collection of publicly available business data is based on our legitimate interests (GDPR Article 6(1)(f)) in providing AI readiness analysis services. This data relates to business entities, not private individuals, and is already publicly accessible.

Store Owner Rights. If you are a business owner and wish to request removal of your store from our public index, or if you believe we hold personal data about you in connection with your store that you wish to correct or delete, please contact support@atomfoundry.dev.

We use personal data collected from users for the following purposes:

• Service delivery — to generate and deliver your AI Commerce Score and reports
• Communication — to respond to inquiries and send requested reports
• Payment processing — to fulfill paid service transactions
• Security & fraud prevention — to protect the integrity of our platform
• Service improvement — to analyze usage patterns and improve our AI models
• Legal compliance — to comply with applicable laws and regulations
• Research & analytics — aggregated, anonymized data for industry research

We do not: sell your personal data to third parties, use your data for advertising profiling, share your data with data brokers, or use your data in ways incompatible with the purposes stated above.

For users in the European Union and EEA, we process personal data on the following legal bases under GDPR Article 6:

• Contract performance (Art. 6(1)(b)) — processing necessary to provide the Service you requested
• Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, service improvement, and business analytics where our interests do not override your rights
• Legal obligation (Art. 6(1)(c)) — where processing is required by applicable law
• Consent (Art. 6(1)(a)) — for optional communications such as newsletters, where you have explicitly opted in

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

We share data only as necessary to provide our services:

• Railway.app — cloud infrastructure and database hosting (EU and US regions)
• OpenAI — AI analysis processing (store content sent for analysis; subject to OpenAI's data processing terms)
• Payment processors — Stripe or equivalent for payment handling
• Email delivery providers — for transactional emails
• Analytics providers — aggregated, anonymized usage data only

We do not share your personal data with: advertisers, data brokers, marketing networks, social media platforms for advertising purposes, or any party for commercial use beyond what is necessary to provide our services.

Legal Disclosure. We may disclose personal data if required by law, court order, or government authority, or where necessary to protect the rights, property, or safety of Atom Foundry, our users, or the public. We will notify you of such disclosures where legally permitted to do so.

Business Transfer. In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

We retain personal data only as long as necessary for the purposes described in this policy:

• Scan results and store data — retained indefinitely as part of our research database in aggregated, anonymized form; individual scan data may be retained for historical analysis
• Email addresses — retained until you request deletion or unsubscribe
• Payment records — retained for 7 years as required by applicable tax and accounting law
• Server logs including IP addresses — retained for 90 days for security purposes
• Support communications — retained for 3 years

When data is no longer needed, we delete or anonymize it securely. You may request earlier deletion of your personal data subject to our legal obligations to retain certain records.

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encrypted data transmission using TLS/HTTPS
• Database access controls and authentication
• Regular security reviews of our infrastructure
• Limited employee access to personal data on a need-to-know basis

No system is 100% secure. While we take data security seriously, we cannot guarantee absolute security of data transmitted over the internet. In the event of a data breach that affects your personal data, we will notify you and relevant authorities as required by applicable law (within 72 hours under GDPR where feasible).

Under GDPR, you have the following rights:

• Right of access — to obtain a copy of your personal data we hold
• Right to rectification — to correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten") — to request deletion of your data
• Right to restriction — to limit how we process your data
• Right to data portability — to receive your data in a structured, machine-readable format
• Right to object — to object to processing based on legitimate interests
• Rights related to automated decision-making — to not be subject to solely automated decisions with significant effects

Under CCPA (California residents), you additionally have:

• Right to know what personal information is collected, used, shared, or sold
• Right to opt out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at support@atomfoundry.dev with subject line "Privacy Rights Request". We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

We use cookies and similar technologies to operate and improve our service. Types of cookies we may use:

• Strictly necessary cookies — required for the Service to function; cannot be disabled
• Analytics cookies — to understand how visitors use our platform (anonymized where possible)
• Preference cookies — to remember your settings

We do not use: advertising cookies, tracking pixels for ad retargeting, or third-party social media tracking cookies.

You can control cookies through your browser settings. Disabling cookies may affect the functionality of the Service. Where required by law, we will obtain your consent before placing non-essential cookies.

Our infrastructure may process data in multiple countries including EU member states and the United States. Where we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries with an adequacy decision from the European Commission
• Other transfer mechanisms permitted under GDPR Chapter V

OpenAI, as our AI processing partner, operates under its own data processing agreement and applicable transfer mechanisms.

The Service is not directed to individuals under the age of 16 (or 13 in the United States). We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete such information promptly. If you believe a child has submitted personal data to us, contact support@atomfoundry.dev immediately.

Automated Decision-Making. Our platform uses automated AI systems to generate scores and analyses. These automated outputs may affect how your store is presented in our public database and research reports.

Human Review. Our AI-generated scores and analyses are produced automatically. While our founder reviews methodologies and spot-checks outputs, individual scan results are not reviewed by a human before publication. You have the right to request human review of any automated decision that significantly affects you.

AI Training. We may use anonymized, aggregated scan data to improve our AI models and scoring methodology. We do not use personally identifiable information to train AI models without explicit consent.

Third-Party AI Processing. Store content submitted to our platform is processed by third-party AI providers (including OpenAI) under their respective data processing agreements. We transmit only publicly available store content to these services, not your personal data.

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will update the "Last updated" date at the top of this page.

For material changes affecting how we process your personal data, we will provide prominent notice on our website and, where we hold your email address, notify you directly at least 30 days before the changes take effect.

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

For any privacy-related questions, requests, or concerns, contact us at:

Atom Foundry — Privacy Team
Email: support@atomfoundry.dev
Subject line: "Privacy Request" or "GDPR Request"
Website: atomfoundry.dev

We will acknowledge your request within 5 business days and respond within 30 days. For complex requests, we may extend this period by an additional 60 days and will inform you accordingly.

You also have the right to lodge a complaint with your local supervisory authority. In the Czech Republic, this is the Office for Personal Data Protection (UOOU) at uoou.cz. EU residents may also contact their national data protection authority.