Privacy Policy

Last updated: 6 April 2025

1. Data controller

ATHOM AS (org. 831 754 702), Kongens gate 51C, 7012 Trondheim, Norway, is the data controller for personal data processed through ATHOMIC.

Questions regarding this policy may be directed to privacy@athomic.no.

2. What data we collect

We collect the following categories of personal data:

  • Account data: name, email address, and password hash (via Supabase Auth).
  • Store data: Shopify store domain, product data, pricing data, and configuration settings you provide.
  • Usage data: log data, error reports, and feature usage metrics collected through Sentry and server logs.
  • Billing data: handled directly by our payment processor and not stored on our servers.

3. Legal basis for processing

We process your personal data on the following legal bases under GDPR:

  • Contract performance (Art. 6(1)(b)): processing necessary to provide the ATHOMIC service you have subscribed to.
  • Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, and service improvement.
  • Legal obligation (Art. 6(1)(c)): retention of financial records as required by Norwegian accounting law.

4. How we use your data

  • Providing and operating the ATHOMIC repricing service.
  • Sending transactional emails (account events, pricing alerts).
  • Monitoring service health and diagnosing errors.
  • Complying with legal obligations.

We do not sell your personal data to third parties.

5. Sub-processors and data sharing

We use the following third-party services that may process your data:

  • Supabase — database and authentication (EU region).
  • Vercel — application hosting (EU region where available).
  • Resend — transactional email delivery.
  • Sentry — error monitoring (EU region).
  • Shopify — store integration platform.
  • Meta Platforms, Inc. — Facebook and Instagram publishing and product tagging (Graph API).
  • OpenAI — AI image generation when used (US region; only prompts and reference image URLs are transmitted).

Each sub-processor is bound by data processing agreements ensuring GDPR compliance.

6. Meta Platform integration

ATHOMIC integrates with Meta Platforms (Facebook and Instagram) to let you publish marketing content directly to your business accounts. ATHOMIC is not affiliated with, endorsed by, or sponsored by Meta.

What we access (only with your explicit authorization via Meta OAuth):

  • Facebook Pages you manage (pages_show_list, pages_read_engagement) — to let you choose which Page to post to.
  • Facebook Page posting permission (pages_manage_posts) — to publish posts you compose in ATHOMIC.
  • Instagram Business account linked to your Page (instagram_basic, instagram_content_publish) — to publish Instagram posts you compose.
  • Meta Commerce Catalog (catalog_management, business_management) — to sync your products and tag them in Instagram posts as shoppable links.

What we store:

  • Page ID, Page access token, Instagram user ID, and (where granted) a user access token, stored encrypted in our database under the store record.
  • Catalog ID and a short-term cache of your catalog product list, used only to resolve product tags at post time.
  • The content you compose (image URLs, captions, product tag coordinates) and a status record of each publish attempt.

What we do with this data: publish content you have explicitly composed and confirmed, and only at the time you publish (or at the scheduled campaign start time). We do not read your personal Facebook profile, friends, messages, or any data outside the scopes listed above. We do not post anything without your explicit action.

Revoking access: you can disconnect ATHOMIC at any time from Facebook Business Tools settings or from your ATHOMIC store settings page. Upon disconnection we delete the stored Meta tokens within 24 hours and stop all future publishing on your behalf.

Use of Meta integration features is also subject to Meta’s Platform Terms and Meta’s Privacy Policy.

7. Data retention

We retain your account and store data for as long as your account is active. Upon account deletion, all personal data is deleted within 30 days, except where retention is required by law (e.g. financial records for 5 years under Norwegian bookkeeping law).

8. Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request erasure of your data (right to be forgotten).
  • Restrict or object to processing.
  • Receive your data in a portable format.
  • Lodge a complaint with Datatilsynet (the Norwegian Data Protection Authority) at datatilsynet.no.

To exercise any of these rights, contact us at privacy@athomic.no.

9. Cookies

ATHOMIC uses session cookies required for authentication. We do not use third-party tracking or advertising cookies.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice. Continued use of ATHOMIC after such notice constitutes acceptance of the updated policy.

11. Contact

ATHOM AS
Kongens gate 51C, 7012 Trondheim, Norway
Org. 831 754 702
privacy@athomic.no