Privacy Policy

Your scenario inputs (capital, country, horizon, etc.) are stored in your browser's session storage and deleted when you close the tab. We do not transmit your scenario inputs to our servers.

We also store the following values in your browser's localStorage for functional purposes — none contain personal data unless you have purchased access:

• ha_display_mode — your preferred view (simple/advanced)
• arv_saved_scenarios — any scenarios you have saved locally
• arv_agg_store — anonymised local counters of which analysis paths you viewed (feeds PostHog analytics, no personal data)
• arv_conversion_log — local event queue for PostHog (page views, feature interactions; sent anonymously, then cleared)
• arv_data_store — session payloads used for local analytics aggregation, cleared periodically

Session storage (deleted on tab close): scenario inputs (_ha_scenario), anonymous session ID (arv_session_id), share token (arv_share_token), referral source (arv_affiliate_ref).

If you use the free analysis tier, you provide an email address to receive your result. We store a one-way SHA-256 hash of your email in our key-value store (Upstash, EU) to enforce the one free scenario limit. The hash cannot be reversed to recover your email address. We do not send emails to free tier users.

If you purchase access, your email address is stored to generate a restore link and send you access confirmation via Resend (EU-based email delivery). This allows you to recover access on any device. We do not use your email for marketing without explicit consent.

After purchase or restore, we store the following values in localStorage to maintain your access state across sessions:

• ha_restore_expires — expiry timestamp of your access (no personal data)
• ha_restore_email — your email address, stored locally to pre-fill the restore form and display confirmation in the UI. Contains personal data. Cleared when access expires.
• atlas_paid — fallback access flag set if payment verification encounters an error; contains no personal data
• ha_scenario — your last scenario parameters, restored on any device via your email link

Payments are processed by Stripe, Inc. HoldAtlas never sees or stores your card details. Stripe processes payment data under their own privacy policy and is PCI-DSS compliant. Stripe may set cookies for fraud prevention. See stripe.com/privacy.

Our hosting provider Vercel automatically logs standard server data: IP address, user agent, request path and timestamp. These logs are retained for up to 30 days for security and debugging purposes. We do not use this data for analytics or advertising.

When you dismiss the cookie notice, we store two values in localStorage: ha_cookie_ok (notice dismissed) and ha_cookie_marketing (your marketing consent choice: "1" if you clicked OK, "0" if you clicked Essential only). These values contain no personal data and are used solely to respect your preference on future visits.

We use PostHog to collect anonymised usage data: page views, feature interactions, and conversion events (e.g. when a result is generated or a purchase is completed). No advertising data is collected. Data is stored on PostHog's EU servers. PostHog does not build advertising profiles. We do not use session recording. See posthog.com/privacy.

If you click "OK" on the cookie notice, we activate Meta Pixel (Facebook Pixel) operated by Meta Platforms Ireland Ltd. Meta Pixel collects data about your visit for marketing analytics and ad measurement purposes. Meta may set cookies and track your activity across sites. This is only activated after you give explicit consent. If you click "Essential only", Meta Pixel is not activated. See facebook.com/privacy/policy.

To withdraw consent: clear your browser's localStorage (key ha_cookie_marketing) and reload the page.