Privacy Policy
Effective March 23, 2026 · Last updated March 25, 2026
1. Introduction
XAtlas is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the XAtlas mobile application and website. This policy complies with the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and other applicable privacy laws.
2. Information We Collect
We collect account email and password, API keys under BYOK architecture, subscription info via Apple, and support communications. We do not collect trading activity, investment decisions, precise geolocation, or financial account numbers. We do not sell your personal information under any circumstances.
3. How We Store Your API Keys
API keys are encrypted at rest using AES-256 encryption, stored exclusively in your device Keychain, never transmitted in plain text, and used only to make authorized requests on your behalf. XAtlas employees cannot access your decrypted API keys. Delete them anytime from Settings.
4. How We Use Your Information
We use your information to provide and maintain the Service, process subscriptions, send transactional communications, respond to support requests, analyze usage to improve features, detect fraud, and comply with legal obligations.
5. Legal Basis for Processing (GDPR)
For EEA users, we process data under: Contract Performance (to provide the Service), Legitimate Interests (improving Service, preventing fraud), Legal Obligation (compliance), and Consent (where applicable, withdrawable at any time).
6. How We Share Your Information
We do not sell, rent, or trade your data. We share only with service providers bound by confidentiality, Apple for payments, designated third-party data providers, and authorities when legally required.
7. California Privacy Rights (CCPA)
California residents have the right to know what personal information we collect, the right to delete it, the right to opt out of sale (we do not sell data), and the right to non-discrimination for exercising these rights. Submit requests to privacy@xatlas.io with subject "CCPA Request." We respond within 45 days.
8. European Privacy Rights (GDPR)
EEA, UK, and Switzerland users have the right to access, rectify, and erase their data, to restrict processing, to port data, and to object to processing, as well as rights related to automated decision-making. Contact privacy@xatlas.io. We respond within 30 days. You may also lodge a complaint with your local supervisory authority.
9. Data Retention
We retain your information while your account is active. Upon deletion we remove or anonymize your data within 30 days, except where legally required to retain it longer.
10. Data Breach Notification
In the event of a data breach, we will notify relevant supervisory authorities within 72 hours (GDPR) and affected users without undue delay if the breach poses a high risk to your rights. Notification will be via email and/or prominent in-app notice.
11. International Data Transfers
XAtlas is based in the United States. EEA/UK/Switzerland transfers are made pursuant to Standard Contractual Clauses approved by the European Commission.
12. Children's Privacy
XAtlas is rated 17+ and intended for users 17 and older. We do not knowingly collect data from children under 13. Contact privacy@xatlas.io immediately if you believe this has occurred.
13. Security
We implement AES-256 encryption at rest, TLS 1.3 in transit, iOS Keychain for API keys, regular security assessments, and strict access controls. No transmission method is 100% secure.
14. Third-Party Services
We integrate with Polygon.io, Anthropic, Apple, and FRED. Review their privacy policies at their respective websites.
15. Changes to This Policy
We will notify you of material changes via email and/or in-app notice. Continued use after the effective date constitutes acceptance.
16. Contact Us
Email: privacy@xatlas.io · Support: xatlas.io/support · Response time: 30 days (45 days for CCPA)