Privacy Policy
How Atlas Minds collects, uses, and protects personal data in Harmonia CRM.
Last updated: June 27, 2026
This Privacy Policy explains how Atlas Minds Co. ("Atlas Minds", "we",
"us", or "our") collects, uses, discloses, and protects personal data in
connection with the Harmonia CRM platform, the websites at harmoniacrm.com
and app.harmoniacrm.com, our APIs, and related services (together, the
"Service").
1. Two roles: controller and processor
Harmonia is a business-to-business platform, and our relationship to personal data depends on the context:
- As a processor. Most of the data inside Harmonia is data our customers upload or generate about their contacts and business, for example, contact records, conversations, call logs, and pipeline data ("Customer Data"). For that data, our customer is the controller and Atlas Minds is the processor: we handle it on the customer's behalf and on their instructions, as set out in our Terms of Service. If you are an individual whose data appears in a customer's Harmonia workspace and you want to exercise your rights, please contact that business (the controller) directly. We will support our customer in responding.
- As a controller. For data we collect about our own account holders and website visitors (for example, the people who sign up for and administer a Harmonia account), Atlas Minds is the controller. The rest of this Policy describes that processing.
2. Information we collect
Account and profile data. When you create or are added to an account, we collect your name, email address, organization, role, and authentication details. If you sign in with Google, we receive basic profile information from Google as authorized by you.
Customer Data. Data you submit to or generate in the Service, such as contacts, companies, conversations, messages, call records, calendar events, documents, and pipeline data. We process Customer Data as a processor on your behalf (see Section 1).
Billing data. If you purchase a paid plan, our payment processor (Stripe) collects and processes your payment details. We receive limited billing information such as plan, status, and the last four digits of a card. We do not store full card numbers.
Usage and device data. When you use the Service, we automatically collect technical information such as IP address, browser and device type, pages viewed, actions taken, timestamps, and diagnostic and log data. We use this to operate, secure, and improve the Service.
Communications data. When the Service sends email, SMS/MMS, or voice communications on your behalf through our integrations, metadata about those communications (and, where applicable, content and recordings) is processed to deliver the feature.
Support and correspondence. If you contact us or submit a form, we collect the information you provide.
3. Cookies and similar technologies
We use strictly necessary cookies to keep you signed in and to secure the Service, and a limited set of cookies for preferences and basic analytics. You can control cookies through your browser settings; disabling strictly necessary cookies may break sign-in and core functionality.
4. How we use information
We use personal data for which we are the controller to:
- provide, operate, maintain, and secure the Service;
- authenticate users and manage accounts and access;
- process payments and manage subscriptions;
- respond to support requests and communicate with you about the Service, including service, security, and transactional notices;
- monitor, troubleshoot, and improve the Service, and develop new features;
- detect, prevent, and respond to fraud, abuse, and security incidents; and
- comply with legal obligations and enforce our Terms of Service.
We do not sell personal data, and we do not use Customer Data to train general-purpose AI models.
5. Legal bases (EEA/UK)
Where the GDPR or UK GDPR applies and we act as a controller, we rely on the following legal bases: performance of a contract (to provide the Service you sign up for), legitimate interests (to secure, maintain, and improve the Service and prevent abuse), consent (where required, for example certain cookies or marketing), and legal obligation (to comply with applicable law).
6. How we share information
We share personal data only as described here:
- Service providers / sub-processors that help us run the Service, under contracts that require them to protect the data (see Section 7).
- At your direction, with third-party integrations you enable.
- For legal reasons, when required to comply with law, legal process, or a lawful government request, or to protect the rights, property, or safety of Atlas Minds, our customers, or the public.
- Business transfers, in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
We do not sell or rent personal data, and we do not share it for cross-context behavioral advertising.
7. Sub-processors
We use the following categories of sub-processors to operate the Service. The specific providers we currently use include:
| Provider | Purpose | Data processed |
|---|---|---|
| Supabase | Database, authentication, storage | Account data, Customer Data |
| Vercel | Application hosting and delivery | Usage and log data |
| Stripe | Payment processing | Billing and payment data |
| Twilio / Telnyx | SMS, MMS, and voice delivery | Communications data |
| Resend | Transactional email delivery | Email metadata and content |
| OAuth sign-in and Workspace email integration | Profile and email data, as authorized | |
| Anthropic (Claude) | AI-assisted features | Prompt content submitted to AI features |
| OpenAI | Embeddings for search and retrieval | Text submitted for indexing |
| Deepgram | Call transcription | Audio and transcript data |
We may update our sub-processors as the Service evolves; this table reflects the providers in use as of the date above. The exact set of sub-processors active for a given account depends on the features and integrations that account uses.
8. International data transfers
We are based in the United States and may process data in the United States and other countries where we or our sub-processors operate. Where personal data is transferred from the EEA, the UK, or other regions with transfer restrictions, we rely on appropriate safeguards such as Standard Contractual Clauses where required.
9. Data retention
We retain personal data for as long as needed to provide the Service and for the purposes described in this Policy. We retain Customer Data for the life of your account; after your account is closed, we make it available for export for a limited period (typically 30 days) and then delete it in the ordinary course, subject to legal retention requirements and routine, time-limited backups. We retain account, billing, and log data as needed to meet legal, accounting, and security obligations.
10. Security
We take security seriously and apply technical and organizational measures to protect personal data, including:
- Tenant isolation. Harmonia is multi-tenant. Every record is scoped to an organization, and access is enforced at the database layer with row-level security policies.
- Encryption. Data is encrypted in transit (TLS) and at rest, and sensitive integration credentials are encrypted with authenticated encryption.
- Access controls. Role-based access, authentication, and the principle of least privilege for our personnel.
- Operational controls. Audit logging of sensitive operations, webhook signature verification, input validation, and rate limiting.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your credentials safe and for configuring access within your organization appropriately.
11. Your rights
Depending on where you live, you may have rights over your personal data, including the right to access, correct, delete, port, or restrict the processing of your data, and to object to certain processing or withdraw consent. Residents of the EEA/UK (GDPR) and California (CCPA/CPRA), among others, have specific rights, including the right not to be discriminated against for exercising them.
- If we are the controller of your data (for example, you are a Harmonia account holder), contact us at support@atlasmindsco.com to exercise your rights. We will verify your request and respond within the time required by law.
- If your data is Customer Data held by one of our customers, contact that business (the controller) directly; we will assist them as their processor.
You may also have the right to lodge a complaint with your local data protection authority.
12. Children's privacy
The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
13. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will provide notice (for example, by updating the date above and, where appropriate, by email or an in-app notice). Your continued use of the Service after the changes take effect constitutes acceptance of the updated Policy.
14. Contact
For privacy questions or to exercise your rights, contact us at support@atlasmindsco.com.
Atlas Minds Co., builder of Harmonia CRM.