Who we are
Atla is operated by Daryna Kolobova. Website: askatla.com. Contact: privacy@askatla.com
What data we collect and why
Account data
Name, email, company name, country, business type. Used to manage your account and communicate about requests and matches.
Expert profile data
Professional profile via LinkedIn OAuth including work history, credentials and current role. Used to verify background and match with client requests.
Payment data
Processed entirely by Stripe. We do not store card numbers. We retain transaction records for accounting.
Financial data processing
If you choose to connect a bank account or accounting tool, Atla processes your financial data so the platform can generate insights, surface flags and (only when you explicitly share it) brief a matched expert. This section explains exactly what happens.
What we collect
- Transactions — date, amount, currency, description, merchant name, direction (in/out) and account balance from each connected source.
- Accounting documents (if you connect Xero, QuickBooks or FreeAgent) — invoices, bills, contacts and summary reports.
- Derived analysis — categorisation, recurring-subscription detection, cash position, revenue and expense aggregates calculated from the above.
Read-only. Atla cannot move money or initiate payments. We never see your online-banking password — connection is handled by a regulated open-banking provider.
How long we keep it
Transaction history and derived analysis are kept for the lifetime of your account. When you delete your account, this financial data is removed immediately and permanently as a direct consequence of the deletion (database cascade) — there is no grace period and no recovery window. Encrypted backups are held by our infrastructure provider (Supabase) and are purged on their standard rotation schedule; we do not retain a separate copy.
You can disconnect a bank or accounting source at any time from Settings. Disconnecting removes Atla’s access and stops further sync, and it deletes the transactions Atla imported from that source— they are not kept in your financial snapshot. To fully invalidate the token on the provider’s side as well, revoke Atla in your bank or accounting provider’s own app.
Who can see it
- You. Owner of the account.
- Experts you have explicitly shared a snapshot with. Read-only, only the sections you enable, time-limited (default 48 hours).
- Authorised Atla personnel. A small number of named operators may access your data to provide support, investigate a fault, prevent fraud, or improve the service. Administrative actions taken on your account are recorded in an internal audit trail.
No other party has access. We do not sell, rent or share your financial data with advertisers.
How bank tokens are stored
Open-banking access tokens are encrypted at rest using Supabase Vault (pgsodium-backed). Tokens are never written to plain-text columns, application logs, or client-side storage. Refresh happens server-side inside Supabase Edge Functions.
Data processors we use
- TrueLayer — bank connection and live transaction feed for UK/EU accounts. Regulated under PSD2 by the FCA.
- Monobank — personal-API token integration for Ukrainian Monobank accounts.
- PrivatBank — business-API integration for Ukrainian Privat24 accounts.
- Xero, QuickBooks, FreeAgent — accounting-platform integrations. Each is engaged only if you connect it.
- Anthropic (Claude) — used to categorise transactions and produce written summaries. Receives only the normalised description and amount; never bank account numbers, your name, your email, or any other personally-identifying field. No training on your data.
- OpenAI — used by some auxiliary features (expert brief generation). Same scope: anonymised description and amount only.
- Stripe — subscription billing. Never sees your transaction data.
- Supabase — the underlying database and server infrastructure (hosted in the EU, eu-west-2) where your account and financial data are stored and processed. Bank tokens are held encrypted in Supabase Vault.
- Vercel — frontend hosting and content delivery (EU, London region) that serves the Atla application to your browser.
Your rights specific to financial data
- Disconnect any source from Settings → Connected accounts — revokes the token immediately.
- Delete only financial data while keeping your account — email privacy@askatla.comwith subject “Delete financial data”.
- Delete everything from Profile → Security → Delete account — purges all data immediately and permanently.
- Export your data yourself, on demand, from Profile → Security → Export my data — delivered immediately as a downloadable JSON file (limited to one export per day).
Legal basis
Contract performance, legitimate interests, consent (for financial data and expert sharing), legal obligation.
International data transfers
Atla is based in the United Kingdom, and your data is primarily stored and processed in the UK and the European Economic Area (EEA). Some of the processors listed above operate outside the UK and EEA:
- United States — Anthropic, OpenAI and Stripe.
- Ukraine — Monobank and PrivatBank, and only if you choose to connect a Ukrainian bank account.
We only transfer personal data outside the UK or EEA where a lawful transfer mechanism is in place — such as the UK International Data Transfer Agreement (IDTA) or Addendum, the EU Standard Contractual Clauses (SCCs), or an applicable adequacy decision — together with any additional safeguards required for the destination country. To ask which mechanism applies to a specific transfer, email privacy@askatla.com.
Retention
Your rights
Access, correction, deletion, restriction, portability, withdraw consent. Email privacy@askatla.com — we respond within 30 days.
To delete your account and all associated data: Profile → Security → Delete account. Removes all profile, snapshot and transaction data immediately.
Security
TLS encryption in transit, encrypted token storage (Supabase Vault), row-level security enforced on all database tables.
Data breaches
We maintain procedures to detect, investigate and contain personal-data breaches. If a breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, in line with Articles 33 and 34 of the UK GDPR. Where a breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
Complaints
UK: Information Commissioner’s Office at ico.org.uk
EU: Your local data protection authority.
Changes to this policy
We may update this Privacy Policy from time to time. For material changes we’ll notify you by email and/or an in-app notice before they take effect, and we’ll update the version and effective date shown at the top of this page. Your continued use of Atla after a change takes effect constitutes acceptance of the updated policy.
Version history
| Version | Effective | Changes |
|---|---|---|
| 1.2 | 13 July 2026 | Corrected three statements that did not match the code: disconnecting a source DELETES the transactions imported from it (they were previously described as retained); administrative ACTIONS are audit-logged (reads are not, so "every access is logged" was withdrawn); backup purging is described as the infrastructure provider's standard rotation rather than a schedule we control. |
| 1.1 | 8 July 2026 | Added international data-transfer and data-breach notification sections; listed Supabase and Vercel as infrastructure processors; corrected the data-export description to reflect self-serve export. |
| 1.0 | 1 June 2026 | Initial published version. |