We will post any changes to this Privacy Policy in a notice of the change at the bottom of our web page with a hyperlink thereto. We will also send you an email describing such changes. Please regularly review this Privacy Policy. Notwithstanding, if you continue to use our services, you are bound by any changes that we make to this Privacy Policy.
Introduction
Atomicwork Inc. (“Atomicwork,” “we,” “us,” or “our”) respects the privacy of its Users (“User,” “your,” or “you”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Atomicwork Platform (the “Platform”) through Atomicwork’s website at www.atomicwork.com (the “Website”).
Atomicwork is committed to protecting the privacy of its Users whose information is collected and stored while using Atomicwork’s Platform through our Website or App. This Privacy Policy is applicable to our Website, Platform and all applications offered for sale to the public.
Our role: controller and processor. For the personal data that our enterprise customers upload to or generate within the Platform, our customer is the controller (or “Data Fiduciary” under India’s DPDP Act) and Atomicwork acts as the processor (or “Data Processor”) under the terms of the applicable Data Processing Agreement. For personal data collected directly by Atomicwork for our own purposes — including website visitors, prospects, marketing contacts, job applicants, employees and contractors — Atomicwork acts as the controller / Data Fiduciary.
If you have any questions regarding this Privacy Policy, please send us an email at support@atomicwork.com.
We do not sell your personal information and we do not share your personal information for cross-context behavioural advertising. We do not use customer personal data to train or fine-tune any large language models (LLMs), whether proprietary or third-party, except where expressly authorised by the customer in writing in the applicable Service Agreement or Data Processing Agreement. We do not give access to your personal information to third parties except to sub-processors that assist us in providing our services to you, under written agreements that include confidentiality and data protection obligations.
What Information Do We Collect?
When you register to use our Website or Platform, we collect personal information (also referred to as personally identifiable information or “PII”) which may include your name, online contact information such as your email address or username, phone number, and other personal information. The information collected will be stored on our servers. You are able to change your personal information by contacting us at support@atomicwork.com or through your profile or account settings on our Website or Platform.
- Geolocation and Equipment Information. We may collect information that does not personally identify you such as (i) your geolocation, and (ii) information about your internet connection, the equipment you use to access our Website, App, or Platform, and usage details.
- Financial Information. We currently do not collect or store any credit cards or bank information, as we are using a third-party payment processor. We will update this Privacy Policy if we start collecting or storing such information.
- Categories of personal information (CPRA categories). The categories of personal information we collect map to Cal. Civ. Code §1798.140(v) categories A (identifiers), B (customer records), D (commercial information), F (internet/network activity), G (geolocation, approximate), I (professional/employment), and K (inferences). We do not collect categories C (protected classifications), E (biometric information), H (sensory data), or J (education information) other than as inadvertently included in user content.
- Sensitive Personal Information (CPRA, GDPR special category, APP sensitive information). We do not solicit Sensitive Personal Information. To the extent users voluntarily include such information in support tickets or other user content, we treat it under the heightened safeguards described in this Policy and do not use it for any purpose other than to provide the requested service.
Legal Basis for Processing Information
Our legal basis for processing your information will depend on the personal information at issue, the specific context in which the personal information is collected and the purposes for which it is used.
Under the GDPR / UK GDPR we process your personal data on one or more of the following grounds:
- When we are pursuing legitimate interests.
- When we are providing a service pursuant to a contract.
- When we are complying with legal obligations.
- With your consent.
Under India’s DPDP Act, 2023, we process personal data on the basis of (i) your consent under Section 6, or (ii) “certain legitimate uses” under Section 7 (e.g., where you have voluntarily provided personal data for a specified purpose, for employment-related purposes, or for compliance with a judgment, decree or order). “Legitimate interests” is not a recognised lawful basis under the DPDP Act.
How Do We Collect Information?
We collect personal information from you in the following ways:
- At registration on our Website or Platform.
- In email, text, and other electronic messages between you and our Website or Platform.
- Through mobile and desktop applications you download from our Website or Platform.
- When you interact with our advertising and applications on third-party websites and services.
- From transactions you carry out on our Website or Platform.
- When you subscribe to a newsletter.
- From your responses to a survey.
- From forms filled out by you.
- From records or copies of correspondence (including email addresses) if you contact us.
- From search queries on our Website or Platform.
- When you post information to be published or displayed on our Website or Platform.
We collect information from you automatically in the following ways:
- Usage details.
- IP addresses.
- Information obtained through browser cookies.
- Web beacons on our Website.
- Web beacons on emails sent by us.
How Do We Use Your Information?
We use the information that you provide to:
- Personalize your experience in using our Platform.
- Provide you with information, products, or services requested from us.
- Present our Website and Platform and their contents to you.
- Provide you with notices about your account and/or subscription, including expiration and renewal notices.
- Carry out obligations and enforce rights arising from contracts entered into between you and us, including billing and collection.
- Notify you about changes to our Website and Platform and any products or services.
- Improve our customer service.
- Process transactions.
- Anonymize data and aggregate data for statistics.
- Contact you about our products and services that may be of interest.
- Send you periodic emails, in accordance with the CAN-SPAM Act of 2003.
Our Cookie Policy
Cookies are small pieces of text used to store information on web browsers. Cookies are used to store and receive identifiers and other information on computers, phones, and other devices. In this Privacy Policy, we refer to all of these technologies as “Cookies.”
We use Cookies on our Website and App to (a) understand and save your preferences for future visits, (b) keep track of advertisements, (c) compile aggregate data about site traffic and site interactions, and (d) allow trusted third-party services to track this information on our behalf. You can set your browser to refuse all or some browser Cookies, but it may affect your user experience.
We honor the Global Privacy Control (GPC) signal. When a GPC signal is detected from a browser or device, we treat it as a valid opt-out of the sale or sharing of personal information for cross-context behavioral advertising and, for users in jurisdictions where it applies, as an objection to targeted advertising. The W3C Do Not Track standard has been deprecated; we no longer rely on DNT as our primary opt-out mechanism.
How Do We Protect Information We Collect?
Our Website and Platform are reasonably scanned to meet or exceed PCI Compliance. Our Website and Platform receive regular security scans and penetration tests, and regular malware scans. Our Website and Platform use TLS for transport encryption. We require usernames and passwords for our employees who can access your personal information. We actively prevent third parties from getting access to your personal information that we store and/or process on our Platform and servers.
We maintain SOC 2 Type II and ISO/IEC 27001 certifications, and we are working toward ISO/IEC 27701 (privacy information management) and ISO/IEC 42001 (AI management system) certification. Current attestations are available at https://trust.atomicwork.com.
Data Security Measures
- Security Measures. We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. All the information you provide to us is stored on our secure servers behind firewalls. The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website or Platform, you are responsible for keeping this password confidential.
- Personal Data Breach Notification. In the event of a Personal Data Breach (as defined under applicable law), we will notify affected customers and individuals as required by applicable law. Where Atomicwork acts as a processor for our enterprise customers, we will notify the customer without undue delay and, in any event, within the timeframe set out in the applicable Data Processing Agreement (typically within 72 hours of becoming aware) so that the customer can meet its own notification obligations. Where Atomicwork acts as a controller, we will comply with the notification timelines applicable in the relevant jurisdiction, including under GDPR Articles 33–34, the UK GDPR, the Australian Notifiable Data Breaches (NDB) scheme, the DPDP Act Section 8(6) and the Draft DPDP Rules 2025, and applicable US state breach notification laws.
- Open-Source Software. We use open-source software in the provision of our Services. A current list is available on request through our Trust Center.
Disclosure of Personal Information
There are times when we may share Personal Information with our subsidiaries, affiliates, contractors, service providers, and third parties (“Partners”) to enable us to provide our Services. We will ensure that our Partners protect your Personal Information.
- We may disclose aggregated, de-personalized information about you that does not identify any individual to other parties without restriction.
- We may disclose personal information to our subsidiaries and affiliates.
- We may disclose personal information to contractors, service providers, and other third parties under contractual obligations to keep personal information confidential.
- We may disclose personal information in the event of a merger, sale of business, or similar transaction.
- We may disclose personal information to fulfill the purpose for which you have provided it.
- We may only disclose personal information as described in this Privacy Policy or with your consent.
Other Disclosure of Personal Information
- We will disclose personal information (i) to comply with any court order, law, or legal process, including to respond to any government or regulatory request, (ii) to enforce or apply our Terms of Service and other agreements, including for billing and collection purposes, (iii) if we believe it is necessary or appropriate to protect the rights, property, or safety of Atomicwork, our customers or others, and (iv) for fraud protection and credit risk reduction.
Choices Users Have About How Atomicwork Uses and Discloses Information
- Tracking Technologies and Advertising. You can set your browser to refuse some or all browser cookies, but if you disable or refuse cookies, some parts of our Website may not function properly.
- Disclosure of Users’ Information for Third-Party Advertising. Users can opt out by (i) checking the relevant form when we collect the data; (ii) adjusting their preferences in their account profile; or (iii) emailing us their opt-out request at privacy@atomicwork.com.
- Disclosure of User’s Information for Targeted Advertising. Users can opt out by (i) checking the relevant form when we collect the data; (ii) adjusting their preferences in their account profile; or (iii) emailing us their opt-out request at privacy@atomicwork.com.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements. Retention periods or criteria are applied by category of personal data, as set out in our Data Retention Schedule (available on request).
Indicative retention periods by category: (a) account profile data — for the lifetime of the account plus 90 days after termination; (b) authentication and audit logs — 12 to 24 months; (c) support tickets and conversation data — for the lifetime of the customer subscription plus 30 days, or as instructed by the customer in the applicable Data Processing Agreement; (d) telemetry and usage metrics — 13 months in identifiable form, longer in aggregated/anonymised form; (e) billing and transaction records — 7 years for tax and accounting compliance; (f) marketing contact data — until you unsubscribe or are inactive for 24 months; (g) job applicant data — 12 months after a hiring decision, unless you consent to a longer retention period. For enterprise customer data, retention follows the customer’s instructions in the applicable Service Agreement and Data Processing Agreement. Where deletion is not technically feasible (e.g., backup tapes, immutable logs), we will isolate the data from further processing until secure deletion is possible.
Google AdSense and Google Analytics
Google, as a third-party vendor, uses Cookies to serve advertisements to Users on our Website and Platform. We currently use Google Analytics to collect and process certain Website usage data. To learn more about Google Analytics and how to opt out, please visit https://policies.google.com/privacy/google-partners.
How We Use AI and Automated Decision-Making
Atomicwork is an agentic IT service management and enterprise service management platform. We use artificial intelligence (including large language models and retrieval-augmented generation systems) to deliver core product features. This section describes how AI processing interacts with personal data.
- Categories of AI processing. We use AI for classification, routing, prioritisation, summarisation, retrieval, drafting of suggested responses, anomaly detection, identity governance recommendations, change risk scoring, and similar service-management tasks.
- Inputs. Inputs to AI processing may include user identifiers, ticket content, message context, knowledge base content and IT asset metadata, in each case as configured by our enterprise customer.
- Training. We do not use customer personal data to train or fine-tune Atomicwork’s own models or any third-party large language models, except where the customer has expressly opted in for tenant-specific fine-tuning under a written agreement. Our LLM sub-processors operate under zero-retention and no-training contractual terms.
- AI sub-processors. Our current AI sub-processors include Microsoft Azure OpenAI Service, Anthropic and AWS Bedrock (as applicable to the customer’s region and configuration). A current list, with links to each sub-processor’s data-handling commitments, is available at https://trust.atomicwork.com.
- Human-in-the-loop for significant decisions. Decisions that have legal or similarly significant effects on individuals (for example, access provisioning approvals, account suspension or denial, employment-related recommendations) are designed to include human review before being acted upon. We do not rely on solely automated decision-making for such decisions within the meaning of GDPR Article 22, the DPDP Act, or the Privacy and Other Legislation Amendment Act 2024 (Australia).
- Your rights with respect to AI processing. You may request human review of a decision that affects you, request information about the categories of inputs and logic used, and object to automated processing. To exercise these rights, contact privacy@atomicwork.com.
- Safeguards. We maintain evaluations, red-teaming exercises, prompt-injection defences, output filtering, audit logging and model risk management practices. Our AI governance is aligned to ISO/IEC 42001 and the NIST AI Risk Management Framework.
- Children. AI features in the Platform are not directed at children and we do not use AI to profile children.
- EU AI Act transparency. Where the EU AI Act applies, we comply with the applicable transparency obligations under Article 50 (including disclosure where users are interacting with an AI system).
For Our European and UK Customers and Visitors
We are headquartered in the United States. Your Personal Information may be accessed by or transferred to us in the United States. If you are visiting our Website or registering for our Services from outside the United States, be aware that your Personal Information may be transferred to, stored, and processed in the United States.
If you are a resident of or a visitor to the European Economic Area (EEA), Switzerland or the United Kingdom, you have certain rights with respect to the processing of your Personal Data, as defined in the General Data Protection Regulation (“GDPR”) and the UK General Data Protection Regulation (“UK GDPR”). The UK GDPR is read together with the Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025.
For transfers of Personal Data from the EEA, the United Kingdom and Switzerland to the United States or other countries, we rely on one or more of: (i) the European Commission’s 2021 Standard Contractual Clauses (Implementing Decision 2021/914); (ii) the UK International Data Transfer Addendum (IDTA) or Addendum to the EU SCCs issued by the ICO; and (iii) adequacy decisions where they apply. We carry out transfer impact assessments where required.
You are the Controller, as defined in the GDPR, of the Personal Data of your Authorized Users and we are a processor under the terms of our Data Processing Agreement. We will only transfer your Personal Data to a third country in accordance with documented instructions from you.
Rights of Data Subjects
To make any of the following requests, please contact us (i) via email at support@atomicwork.com, or (ii) by writing to us at Atomicwork Inc., 720 University Ave, Suite 204, Palo Alto, CA 94301.
- Access: You can request more information about the Personal Information we hold about you and request a copy.
- Rectification: If you believe any Personal Information we hold about you is incorrect or incomplete, you can request that we correct or supplement it.
- Automated Decision Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects.
- Objection: You can object to the collection or use of your Personal Information for certain purposes.
- GDPR and UK GDPR compliance. Atomicwork complies with the General Data Protection Regulation (GDPR) and the UK GDPR in respect of personal data of individuals in the European Economic Area, the United Kingdom and Switzerland. EU, UK and Swiss data subjects may exercise their rights, raise queries or submit complaints directly to our privacy team at privacy@atomicwork.com, and we will respond within the timeframes required by applicable law. Our transfer safeguards (including the European Commission’s 2021 Standard Contractual Clauses and the UK International Data Transfer Addendum) and supporting documentation are available on request through our Trust Center at https://trust.atomicwork.com.
- Erasure: You can request that we erase some or all of your Personal Information from our systems.
- Restriction of Processing: You can ask us to restrict further processing of your Personal Information.
- Portability: You have the right to ask for a copy of your Personal Information in a machine-readable format.
- Withdrawal of Consent: You have the right to withdraw consent at any time where we are processing on the basis of your consent.
- Right to File a Complaint: You may lodge a complaint with the supervisory authority of your country or EU Member State, or with the UK’s Information Commissioner (https://ico.org.uk/make-a-complaint or 0303 123 1113).
- We will respond to your inquiry within thirty (30) days of receipt.
For Our Indian Users — Digital Personal Data Protection Act, 2023
This Section supplements the information contained in our Privacy Policy above and applies to all visitors, users, employees, contractors and others who are located in India (each, a “Data Principal”). The Atomicwork group operates in India through two legal entities, each with a distinct role under the Digital Personal Data Protection Act, 2023 (“DPDP Act”): (i) Atomicwork Inc. (Delaware, USA) is the “Data Fiduciary” for personal data collected through the subscription relationship, the Website, marketing, prospect interactions and other purposes for which Atomicwork Inc. determines the means and purpose of processing; and (ii) Atomicwork Software India Private Limited (Bengaluru, India) is the “Data Processor” for personal data processed under the instructions of our enterprise customers, and is a Data Fiduciary in its own right for personal data of its India-based employees and contractors and for personal data collected under professional services or implementation contracts that it directly enters into with customers.
Notice and Lawful Basis
Where we process your personal data on the basis of consent, we will obtain consent that is free, specific, informed, unconditional and unambiguous, accompanied by a clear affirmative action. The notice describing our processing will be made available in English and, on request, in any of the 22 Eighth Schedule languages.
Rights of Indian Data Principals
- Right to information about personal data being processed by Atomicwork (Section 11).
- Right to correction, completion, updating and erasure of your personal data (Section 12).
- Right of grievance redressal — you may submit a complaint to our Grievance Officer (Section 13).
- Right to nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity (Section 14).
- Right to withdraw consent at any time, where processing is based on your consent.
Children and Persons with Disability
Our Platform is intended for use by enterprise users in a workplace context and is not directed at children. In line with Section 9 of the DPDP Act, where we knowingly process the personal data of a child (an individual under 18 years of age), we will obtain verifiable consent from the child’s parent or lawful guardian. We will not undertake tracking, behavioural monitoring or targeted advertising directed at children. The same protections apply to persons with disability who have a lawful guardian.
Cross-Border Transfers
Section 16 of the DPDP Act permits transfers of personal data to any country other than those that may be notified by the Central Government as restricted. We currently transfer personal data to the United States and may transfer to other countries where our sub-processors are located.
Grievance Officer / Data Protection Officer (India)
- Entity: Atomicwork Software India Private Limited
- Address: 1st Floor, Campus 3B, Ecospace, Outer Ring Road, Bellandur, Bengaluru, Karnataka — 560103, India
- Email: security@atomicwork.com
For Our Australian Users — Privacy Act 1988 and the Australian Privacy Principles
This Section supplements the information contained in our Privacy Policy above and applies to all visitors, users and others who are located in Australia. We comply with the Privacy Act 1988 (Cth) (“Privacy Act”), the 13 Australian Privacy Principles (“APPs”), the Notifiable Data Breaches scheme, and the Privacy and Other Legislation Amendment Act 2024.
Our Practices Mapped to the APPs
- APP 1 — Open and transparent management. This Privacy Policy is clearly expressed, up to date and available free of charge.
- APP 2 — Anonymity and pseudonymity. Where lawful and practicable, you may interact with us anonymously or under a pseudonym.
- APP 3 — Collection of solicited personal information. We collect only what is reasonably necessary for our functions and activities.
- APP 4 — Unsolicited personal information. Where we receive personal information we did not solicit, we will determine whether we could have lawfully collected it.
- APP 5 — Notification of collection. At or before the time of collection, we will take reasonable steps to notify you of the purposes of collection.
- APP 6 — Use or disclosure. We use or disclose personal information for the primary purpose for which it was collected, for a related secondary purpose you would reasonably expect, with your consent, or as required or authorised by law.
- APP 7 — Direct marketing. You can opt out of direct marketing communications at any time.
- APP 8 — Cross-border disclosure of personal information. Before disclosing your personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs.
- APP 9 — Government-related identifiers. We do not adopt, use or disclose government-related identifiers as an identifier of an individual, except where permitted by law.
- APP 10 — Quality of personal information. We take reasonable steps to ensure personal information we collect, use or disclose is accurate, up to date and complete.
- APP 11 — Security of personal information. We protect personal information using technical and organisational measures including encryption in transit and at rest, role-based access control, audit logging, vulnerability management, regular penetration testing, and our SOC 2 Type II and ISO/IEC 27001 control environment.
- APP 12 — Access. You may request access to the personal information we hold about you.
- APP 13 — Correction. You may request correction of personal information we hold about you. We will respond within a reasonable period (target 30 days).
Complaints (Australia)
Please contact our privacy team in the first instance at privacy@atomicwork.com. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner at https://www.oaic.gov.au or by telephone at 1300 363 992.
For Our Canadian Users
This Section supplements the information contained in our Privacy Policy above and applies solely to users in Canada. We comply with the Personal Information Protection and Electronic Documents Act of 2000 (“PIPEDA”).
- Right to Access. You can request access to the personal information we hold about you.
- Right to Correction / Limited Right to Deletion. You can request that we correct or delete your information if you demonstrate that the personal information we hold is inaccurate.
- Data Breach Notification. We will notify you as soon as feasible of any breach that creates a “real risk of significant harm” to you.
- Canadian Privacy Officer. We have appointed a Canadian Privacy and Data Protection Officer (security@atomicwork.com).
- Two-Factor Authentication. You may enable two-factor authentication on your account.
- Contact. You may contact us at privacy@atomicwork.com or by writing to Privacy Officer, Atomicwork Inc., 720 University Ave, Suite 204, Palo Alto, CA 94301.
California Consumer Privacy Rights (CCPA, as amended by CPRA)
Atomicwork does not sell your “Personal Information” and does not share your Personal Information for cross-context behavioral advertising, in each case as defined under the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”) and the regulations issued by the California Privacy Protection Agency (“CPPA”).
- Right to Know. You may request information about the categories and specific pieces of Personal Information we have collected about you, the sources of collection, the purposes of collection, the categories of third parties with whom we have shared your Personal Information, and the categories of Personal Information we have disclosed for a business purpose, sold (we do not), or shared for cross-context behavioral advertising (we do not).
- Right to Delete. You may request that we delete your Personal Information, subject to legal exceptions.
- Right to Correct. You may request that we correct inaccurate Personal Information we maintain about you.
- Right to Limit Use and Disclosure of Sensitive Personal Information. To the extent we use or disclose Sensitive Personal Information beyond what is necessary to provide the services, you may request that we limit such use and disclosure. To exercise this right, contact privacy@atomicwork.com or use the preference link available at https://www.atomicwork.com/privacy.
- Right to Opt Out of Sale or Sharing. You have the right to opt out of the sale or sharing of your Personal Information. We do not sell or share, but we honor the Global Privacy Control (GPC) signal as a valid opt-out request.
- Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Right to Appeal. You may appeal a refusal to act on your request by replying to our response with the word “Appeal” and a brief explanation.
- Right to Designate an Authorized Agent. You may designate an authorized agent to submit requests on your behalf.
We will respond to verifiable consumer requests within 45 days, extendable by another 45 days with notice. To exercise your rights, contact us at privacy@atomicwork.com or write to Privacy Officer, Atomicwork Inc., 720 University Ave, Suite 204, Palo Alto, CA 94301.
U.S. State Privacy Rights (Other States)
If you are a resident of a U.S. state with a comprehensive consumer privacy law — including but not limited to Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa, Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), New Hampshire, New Jersey, Tennessee, Minnesota, Maryland (MODPA), Indiana, Kentucky, and Rhode Island — you have the rights granted to you under your state’s law. These rights generally include:
- The right to confirm whether we process your personal information and to access a portable copy.
- The right to correct inaccurate personal information.
- The right to delete personal information.
- The right to opt out of (i) the sale of personal information, (ii) targeted advertising / cross-context behavioral advertising, and (iii) profiling in furtherance of decisions producing legal or similarly significant effects.
- The right to limit the use and disclosure of sensitive personal information.
- The right to appeal a refusal to act on your request.
We honor universal opt-out mechanisms including the Global Privacy Control (GPC). To exercise these rights, please contact privacy@atomicwork.com. We will respond within the timeframe prescribed by the applicable state law (generally 45 days).
Children’s Data — Consolidated
The Atomicwork Website and Platform are not directed at children and are intended for use in a workplace context. We do not knowingly collect personal information from children.
- United States — COPPA. We comply with the Children’s Online Privacy Protection Act (“COPPA”). If we become aware that we have collected personal information from a child under 13 in the United States without verifiable parental consent, we will delete it.
- India — DPDP Act. Where we knowingly process the personal data of a child (under 18) we will obtain verifiable parental or lawful guardian consent and we will not undertake tracking, behavioral monitoring or targeted advertising directed at children.
- Australia — Children’s Online Privacy Code. We will comply with the OAIC’s Children’s Online Privacy Code once finalised under the Privacy and Other Legislation Amendment Act 2024.
- United Kingdom — Age-Appropriate Design Code. Where our services are likely to be accessed by children in the UK, we apply the standards of the ICO’s Age-Appropriate Design Code.
- European Union — GDPR Article 8. Where applicable, we apply the age of digital consent set by each EU Member State (generally 16, with national variation between 13 and 16).
CAN-SPAM Act of 2003
The CAN-SPAM Act establishes requirements for commercial messages, gives recipients the right to have businesses stop emailing them, and spells out penalties for violations. Per the CAN-SPAM Act, we will not use false or misleading subjects or email addresses, and we will identify the email message as an advertisement; include our physical address; honor opt-out requests quickly; and provide an “opt-out” / “unsubscribe” option.
Modifications to Our Privacy Policy
We will post any changes to this Privacy Policy with a notice of the change. We will also send you an email describing material changes. Please regularly review this Privacy Policy.
A “Changes Log” summarising each material revision is maintained at the bottom of this Policy.
Sub-Processors and Third-Party Service Providers
Atomicwork uses third-party service providers for the provision of our Services. A current list, including AI / large language model providers and the data-handling commitments of each, is maintained at https://trust.atomicwork.com. Indicative categories include cloud infrastructure (e.g., Amazon Web Services, Microsoft Azure), observability (e.g., Grafana, New Relic), analytics, customer support, security, and AI processing (e.g., Microsoft Azure OpenAI Service, Anthropic, AWS Bedrock — as applicable to the customer’s region and configuration).
If you have any questions about our sub-processors, please email support@atomicwork.com.
Copyright Infringement / DMCA Notice
If you believe that any content on our Website or Platform violates your copyright, please send a written DMCA Takedown Notice to our Copyright Agent at privacy@atomicwork.com or by post to Atomicwork, Attn: DMCA Notice, Atomicwork Inc., 720 University Ave, Suite 204, Palo Alto, CA 94301. Your notice must include the elements required by 17 U.S.C. § 512(c)(3).
Third-Party Integrations
Use of Data Collected via Google APIs. Our application integrates with Google Drive and other Google Workspace services through Google APIs. We do not use any data obtained through Google APIs, including but not limited to Google Drive/Workspace data, to train or fine-tune any Large Language Models (LLMs), whether proprietary or third-party. All data accessed via Google APIs is handled in strict accordance with Google’s API Services User Data Policy, including the Limited Use requirements.
Contact Us
To ask questions or comment about this Privacy Policy and our privacy practices, contact us at:
- Privacy Officer (Global): privacy@atomicwork.com
- Grievance Officer / DPO (India): security@atomicwork.com — Atomicwork Software India Private Limited, 1st Floor, Campus 3B, Ecospace, Outer Ring Road, Bellandur, Bengaluru, Karnataka — 560103, India
- Privacy contact (Australia): privacy@atomicwork.com
- Privacy contact (EU/UK): privacy@atomicwork.com
- Postal: Atomicwork Inc., 720 University Ave, Suite 204, Palo Alto, CA 94301, United States
Changes Log
Material changes in this 2026 update vs. the May 5, 2025 version:
- Added: India DPDP Act section, including Data Principal rights, lawful basis, cross-border transfers, children under 18, and Grievance Officer / DPO contact.
- Added: Australia Privacy Act / APP section, including APP 1–13 statement, NDB scheme, automated decisions, Children’s Online Privacy Code, and OAIC complaint route.
- Added: How We Use AI and Automated Decision-Making section, including categories of processing, training disclosures, sub-processor disclosures and rights.
- Added: U.S. State Privacy Rights (Other States) section consolidating VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA, FDBR, DPDPA, NHCDPA, NJDPA, TIPA, MCDPA-MN, MODPA, INCDPA, KCDPA and RIDTPPA.
- Modified: California section upgraded from CCPA-only to CCPA-as-amended-by-CPRA, including Sensitive Personal Information, Right to Limit, Right to Correction, “do not sell or share” language, and CPPA references.
- Modified: EU/UK section updated to reference the European Commission’s 2021 Standard Contractual Clauses, the UK International Data Transfer Addendum (IDTA), and the UK Data (Use and Access) Act 2025.
- Modified: “We do not sell” line expanded to include “or share for cross-context behavioral advertising” and an explicit no-LLM-training commitment.
- Modified: Breach notification language re-written to distinguish controller and processor roles and to align with NDB, DPDP, GDPR and US state laws.
- Modified: Data Retention section now states retention periods/criteria by category.
- Modified: Cookies/DNT line replaced — “Do Not Track” removed and Global Privacy Control (GPC) recognised as the opt-out signal.
- Modified: Children’s section consolidated to cover COPPA, DPDP, Australian Children’s Online Privacy Code, UK Age-Appropriate Design Code and GDPR Article 8.
- Modified: Sub-processor list now references the Trust Center and explicitly discloses AI sub-processors.
- Removed: Anti-Bribery Compliance clause — relocated to Supplier Code of Conduct / Terms of Service.