Atlas AI

Privacy Policy

Last updated: April 27, 2026

1. About Us

DataFit Solutions OÜ
Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551, Estonia
Email: info@datafit-solutions.com

2. Scope & Our Role

This Privacy Policy applies to the Atlas AI API and the atlas-ai.health website.

Atlas AI is a data processor. When you integrate the Atlas AI API into your product, you (the API customer) are the data controller responsible for any personal data contained in the audio recordings or text you submit to the API. DataFit Solutions OÜ processes that data solely on your behalf and according to your instructions, as set out in the Data Processing Agreement (DPA) concluded with each customer.

We are the data controller only for the limited personal data we collect directly, such as contact and account data of API customers (see section 3.3).

3. What Data We Collect

3.1 Audio Recordings

When you submit audio files through the Atlas AI API, these recordings are transmitted to our servers, transcribed, and used to generate structured text documents. Atlas AI does not interpret, analyse, or act upon the content of the audio in any clinical or diagnostic capacity — it produces text output only. Audio data is processed transiently and deleted after the request is fulfilled, unless a longer retention period is agreed in writing.

3.2 API Usage Data

When you use the Atlas AI API we collect:

  • API key identifier (used for authentication and rate limiting)
  • Request metadata (timestamps, audio duration, job status)
  • Error and diagnostic logs for service quality purposes

3.3 Account & Contact Data

If you contact us to request an API key or for support, we collect your name, email address, and any information you voluntarily provide. This data is used solely to respond to your enquiry and to provide access to the service.

4. How We Use Your Data

  • Transcription of audio recordings and generation of structured text documents
  • Authentication and authorisation via API keys
  • Usage accounting and enforcement of rate limits
  • Detection and prevention of abuse and security incidents
  • Responding to support requests and enquiries

5. Legal Basis for Processing (GDPR)

For the data we control directly (contact and account data, website logs):

  • Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the API service you have contracted for.
  • Legitimate interests (Art. 6(1)(f) GDPR): Security monitoring, fraud prevention, and service improvement.
  • Legal obligation (Art. 6(1)(c) GDPR): Where required by applicable law.

For any personal data contained in audio or text submitted via the API, the legal basis is determined solely by the data controller (the API customer). DataFit Solutions OÜ processes such data strictly as a processor under a Data Processing Agreement and does not determine the purpose or means of processing.

6. Sub-processors

We do not sell your data or share it with third parties for marketing purposes. To deliver the service we use the following sub-processors, all located within the EU:

  • Amazon Web Services (AWS)
  • Google Cloud Platform
  • Speechmatics
  • Auth0 by Okta

All sub-processors are bound by data processing agreements and comply with GDPR.

7. Data Retention

  • Audio files: Deleted after processing is complete, unless a longer retention period is agreed in writing.
  • Generated documents / transcripts: Retained for the duration specified in your service agreement (default: 30 days), then deleted.
  • API usage logs: Retained for up to 12 months for security and audit purposes.
  • Contact / account data: Retained as long as necessary for the business relationship, then deleted or anonymised.

8. Data Security

  • All data encrypted in transit via TLS 1.2+
  • Data at rest encrypted with AES-256
  • Infrastructure hosted on AWS (C5-certified) within the EU
  • Access controls and least-privilege principles
  • Regular security reviews
  • ISO 27001-aligned information security management

For a full overview see our Security page.

9. International Data Transfers

All data is processed and stored exclusively within the European Economic Area (EEA). No transfers outside the EEA take place.

10. Data Subject Rights under GDPR

If you are an end user whose personal data may have been included in audio or text processed via the Atlas AI API, your data controller is the company or application that integrated Atlas AI. Please contact them directly to exercise your rights under GDPR (access, rectification, erasure, portability, restriction, objection).

If you are an API customer and wish to exercise rights over your own contact or account data that we hold directly, contact us at info@datafit-solutions.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. The competent authority for DataFit Solutions OÜ is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), www.aki.ee.

11. Cookies

The atlas-ai.health website does not use tracking cookies or third-party analytics. No cookie consent is required beyond standard server-side session handling.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The "last updated" date at the top of this page reflects the latest revision. For material changes, API customers will be notified by email.

13. Contact

DataFit Solutions OÜ
Email: info@datafit-solutions.com