Client Data Handling
Last updated: April 28, 2026 | Version 1.0
This is a plain-English summary of how Atlas Integro handles your business data. For the full legal terms, see our Privacy Policy.
1. What We Collect
We collect only what we need to deliver the service and measure results.
Identity data
- Contact names, email addresses, phone numbers, and mailing addresses — from your GoHighLevel CRM records and any forms we set up on your behalf.
- Business owner or staff contact info provided during onboarding.
Business data
- Lead records, appointment data, and contact activity — synced from GoHighLevel into our analytics layer so we can measure engagement and performance.
- Monthly revenue, expenses, and net profit — pulled from your QuickBooks Online account (read-only) to calculate the performance baseline and fee each month.
- Audit scores and performance history from our onboarding assessment.
Communication data
- Inbound call recordings and transcripts when you use our AI receptionist (VAPI). These are used to generate summaries, extract action items, and measure call quality. Recording URLs are stored; audio files live on VAPI's infrastructure.
- Outbound message logs (SMS, email) showing delivery status and timestamps. We store a short preview of the message body; the full text is not stored in every case.
Financial data
- QuickBooks Online OAuth tokens — used to pull monthly P&L data. Tokens are stored with encryption (see Security section below).
- Invoice records we generate: billing amounts, payment dates, fee calculations.
AI conversation data
- If you use the Atlas AI assistant (portal chat), your messages and the assistant's responses are stored so conversations can continue across sessions. We also log token usage and cost per conversation for our own billing audit.
System and audit data
- Workflow execution logs: which automations ran, when, whether they succeeded, and which contact they touched.
- Portal access logs: which pages you viewed, timestamps, and IP address — used for security auditing.
- API usage logs for internal cost tracking (token counts and timestamps only — no message content).
2. Where It's Stored
| System | What lives there | Location |
|---|---|---|
| Supabase (primary database) | All structured data — contacts, billing, performance, AI conversations, audit logs | AWS us-west-2 (Oregon), managed by Supabase Inc. |
| GoHighLevel (GHL) | Your CRM contacts, conversations, pipelines, and message history | GHL's US-based infrastructure — see GHL's privacy policy |
| n8n (workflow engine) | Workflow execution logs during processing — not permanently stored there | DigitalOcean droplet, NYC datacenter |
| DigitalOcean Spaces | Encrypted database backup files | NYC datacenter |
| VAPI | Call recordings and raw audio files | VAPI's infrastructure — see VAPI's privacy policy |
Backups: We run a daily automated backup of the database at 02:00 UTC. Backups are stored in DigitalOcean Spaces and automatically deleted after 30 days.
3. How Long We Keep It
During active engagement: Everything we collect is retained and actively used while you are a client.
After engagement ends:
- CRM data in GoHighLevel: follows GHL's own retention policies. We recommend exporting your contacts from GHL before your subscription ends.
- Supabase records (performance data, billing history, AI conversations): retained for 12 months after the engagement ends, then deleted on request or as part of standard offboarding.
- Financial records (invoices, fee calculations, QBO audit records): retained for 7 years to meet IRS recordkeeping requirements. We cannot delete these on request during that window.
- Backup files: deleted automatically after 30 days on a rolling basis.
- Call recordings: retained while you are an active client. Deletion follows the process in Section 9 below.
4. Who Can Access It
- Atlas Integro principal (Hunter Schultz): Full access for operational purposes — running the service, investigating issues, managing your account.
- Automated systems: Our workflow engine, AI agents, and monitoring tools access your data to deliver the service — sending follow-ups, calculating billing, generating reports.
- GoHighLevel platform staff: GHL may access your CRM data in accordance with their terms of service and privacy policy. We do not control GHL's internal access policies.
- No other third parties: We do not sell, rent, or share your data with advertisers, data brokers, or any party not listed as a subprocessor in Section 7.
5. Security Measures
In transit: All connections use TLS (HTTPS). Supabase enforces TLS on all database connections. Our workflow server (n8n) runs behind nginx with a Let's Encrypt certificate.
At rest:
- Supabase provides AES-256 encryption at rest on all database storage, managed by AWS.
- QuickBooks OAuth tokens are stored with application-level encryption (AES-256-GCM) in addition to database-level encryption. Note: older unencrypted token columns still exist in our schema and are scheduled for removal in a future update. The encrypted path is now the active path used by all workflows.
- Backup files are compressed before upload to DigitalOcean Spaces, which provides server-side encryption at rest.
- Our workflow server (n8n) disk is not encrypted at the volume level — it relies on DigitalOcean's physical security and network isolation.
Access controls: Production credentials are not shared outside Atlas Integro. API keys follow a quarterly rotation target. We are in the process of deploying 1Password Business for centralized credential management — this is currently in progress, not yet fully deployed.
Multi-factor authentication is enabled on Supabase, DigitalOcean, and GoHighLevel admin accounts.
6. Your Rights
You have the right to:
- Access your data — request a summary of what we hold about your business.
- Correct your data — request corrections to inaccurate records.
- Delete your data — request deletion after your engagement ends (see the financial record exception in Section 9).
- Export your data — we can provide a CSV or JSON export of your performance records and billing history on request.
To exercise any of these rights, email privacy@atlasintegro.ai with the subject line "Data Request — [Your Business Name]". We will respond within 30 days.
Note: If you don't receive an acknowledgment within 48 hours, use the contact form as a backup.
7. Subprocessors
These are the third-party services that process your data on our behalf.
| Subprocessor | What they process | Privacy reference |
|---|---|---|
| Supabase Inc. | Primary database — all structured client data | supabase.com/privacy |
| GoHighLevel | CRM contacts, conversations, pipelines, messaging | gohighlevel.com/privacy-policy |
| DigitalOcean | VPS hosting (workflow engine, web server), database backups | digitalocean.com/legal/privacy-policy |
| VAPI | Voice AI infrastructure, call recordings, transcripts | vapi.ai/privacy |
| Anthropic | AI language model processing (Claude — used in our AI agents and voice assistant) | anthropic.com/privacy |
| Twilio | SMS and voice delivery (via GoHighLevel's infrastructure) | twilio.com/legal/privacy |
| Intuit (QuickBooks Online) | Read-only access to your P&L data via OAuth | intuit.com/privacy |
We do not use Google Analytics, Meta Pixel, or any ad-tracking technologies.
8. Data Location
Your data is stored in the United States:
- Primary database: AWS us-west-2 (Oregon)
- Workflow engine and backups: DigitalOcean NYC datacenter
We do not offer EU data residency. If you are based in the EU or have EU-resident customers whose data flows through our systems, contact us before signing — this may have implications for your GDPR compliance posture that we cannot currently accommodate.
9. Deletion Request Process
To request deletion of your data after your engagement ends:
- Email privacy@atlasintegro.ai with subject: "Deletion Request — [Your Business Name]"
- We will confirm receipt within 48 hours and complete deletion within 30 days.
- We will send you a written confirmation when deletion is complete.
What gets deleted: CRM sync records, performance history, AI conversation logs, workflow logs, portal access logs, and billing records — subject to the exception below.
What we retain: Financial records — invoices, fee calculations, payment records, and billing history — are retained for 7 years per IRS recordkeeping requirements. These cannot be deleted on request during that window. They are isolated from operational systems after your engagement ends.
10. Changes to This Policy
If we make material changes to how we handle your data, we will:
- Update the "Last updated" date at the top of this page.
- Notify active clients by email at least 14 days before the change takes effect.
For minor clarifications that do not change the substance of our practices, we will update the document without prior notice.
Current version: 1.0 (April 28, 2026)
Atlas Integro · privacy@atlasintegro.ai · 516-833-3748