Privacy Policy

Last updated: May 18, 2026

Introduction

Hello Atmos ("we", "our", "us") is committed to protecting your privacy. This policy explains what personal data we collect, why we collect it, how we use it, and the rights you have under applicable privacy laws (including the EU General Data Protection Regulation).

Who We Are (Data Controller)

Hello Atmos is operated by TAM LABS Sp. z o.o., a Polish limited liability company, acting as the data controller for all personal data processed through the service.

  • Company: TAM LABS Sp. z o.o. (TAM LABS Spółka z ograniczoną odpowiedzialnością)
  • Registered office: ul. Twarda 18, 00-105 Warszawa, Polska
  • Registry court: Sąd Rejonowy dla m.st. Warszawy w Warszawie, XII Wydział Gospodarczy Krajowego Rejestru Sądowego
  • KRS: 0001070536
  • NIP: 5252981359
  • REGON: 527013380
  • Contact email: support@helloatmos.app

Information We Collect

Account data

When you create an account, we store:

  • Email address (via Supabase Auth — used for sign-in via magic link or Apple Sign-In)
  • Display name (optional, chosen by you)
  • Listening platforms and speaker brands you select during onboarding
  • Album and track ratings you submit
  • Account creation and update timestamps

Subscription data

If you subscribe to Hello Atmos PRO, we store:

  • Your Stripe customer ID and subscription ID (used to link your account to your subscription)
  • Subscription status (active, canceled, past_due, etc.) and renewal or expiry date

We never receive or store your payment card details. All payment information is collected and processed directly by Stripe, our payment processor. See Stripe's privacy policy for details.

Third-party music service data

  • Spotify: When you paste a Spotify playlist URL, we fetch the track list via Spotify's public API. We do not access your Spotify account and do not store Spotify credentials.
  • Apple Music: If you choose to create playlists, we request your Apple Music user token via MusicKit JS (in-browser). The token is used only to create playlists in your library and is not stored on our servers.

Technical data

  • IP-derived country code (used only to determine whether to show the GDPR cookie consent banner)
  • Session cookies for authentication (set by Supabase)
  • With your consent: Google Analytics data (pages visited, approximate location at city level, device/browser, referral source)

Browser local storage

Playlist analysis results and profile cache are stored in your browser's local storage for performance. This data never leaves your device.

How We Use Your Information

  • Provide the core service (library browsing, ratings, rankings, playlist analysis)
  • Authenticate you and maintain your session
  • Process subscriptions, payments, and manage your PRO tier via Stripe
  • Send transactional emails related to your account (e.g., magic link sign-in; Stripe may also send billing receipts)
  • Send occasional product-update emails to registered users (new features, notable Atmos releases, community highlights). Every such email includes an unsubscribe link, and you can opt out at any time without affecting your account
  • Prevent abuse, detect fraud, and keep the service secure
  • Understand usage patterns to improve the product (Google Analytics, with consent)

Legal Bases (GDPR)

Under the GDPR, we process your data on the following legal bases:

  • Contract (Art. 6(1)(b)): Providing the account, PRO subscription, and core service features you requested.
  • Legal obligation (Art. 6(1)(c)): Retaining billing records to meet tax and accounting requirements.
  • Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, service integrity, and sending occasional product-update emails to registered users about features and content relevant to the service. You may object or unsubscribe at any time.
  • Consent (Art. 6(1)(a)): Non-essential cookies and analytics.

Service Providers & Subprocessors

We use the following third-party providers to run the service. Each processes personal data only on our behalf and subject to their own security and privacy commitments.

  • Supabase (USA) — database and authentication.
  • Vercel (USA) — web hosting and serverless functions.
  • Resend (USA) — email delivery for sign-in links and product-update emails.
  • Stripe (Ireland / USA) — payment processing and subscription billing.
  • Cloudflare (USA) — CDN, DNS, and DDoS protection.
  • Google Analytics (USA) — anonymized usage analytics (only with your consent).
  • Apple (USA) — Apple Sign-In and MusicKit JS.
  • Spotify (Sweden) — playlist metadata via public API.

International Data Transfers

Several of our service providers are based outside the European Economic Area. Transfers of personal data to these providers are protected by the European Commission's Standard Contractual Clauses and/or adequacy decisions where applicable.

Data Retention

  • Account data: Kept until you delete your account. On deletion, ratings and profile fields are removed.
  • Subscription and payment records: Retained for up to 6 years after the last transaction to meet applicable tax and accounting laws.
  • Analytics data: Retained per Google Analytics defaults (currently 14 months for user-level data).
  • Server logs: Retained for up to 30 days for security and debugging purposes.

Your Rights

Under the GDPR and similar laws, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data (subject to legal retention obligations)
  • Restrict or object to certain processing
  • Port your data to another service in a machine-readable format
  • Withdraw consent where processing is based on consent (e.g., analytics)
  • Lodge a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa — uodo.gov.pl

To exercise any of these rights, email us at support@helloatmos.app. We will respond within 30 days.

Cookies

We use essential cookies to keep you signed in and to remember your cookie preferences. If you are in a GDPR region, you will be asked to consent to analytics cookies before they are set. You can withdraw consent at any time by clearing your browser's cookies.

Security

We use industry-standard measures to protect your data: TLS encryption for all traffic, Supabase Row Level Security on the database, protection against common web attacks via Cloudflare, and secure authentication via Supabase Auth. No online system is 100% secure; if we ever detect a data breach affecting you, we will notify you as required by law.

Children's Privacy

Hello Atmos is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

Changes to This Policy

We may update this privacy policy from time to time. We will notify users of material changes by updating the "Last updated" date at the top of this policy and, where appropriate, via email or an in-app notification.

Contact

For any questions about this privacy policy or how we handle your data, email support@helloatmos.app.