Privacy Policy
Last updated: February 28, 2026
1. Controller
Atimon GmbH, Kurmainzer Str. 123a, 61440 Oberursel, Germany
Privacy contact: privacy@atmx.app
General contact: contact@atmx.app
2. Scope of This Policy
This Privacy Policy explains how personal data is processed when you visit this website, contact us, or interact with our app information pages.
3. Categories of Data We Process
- Technical and log data (IP address, browser, OS, request time, URL)
- Contact data you submit (email and message content)
- Waitlist data (email, app selection, consent flag, source)
- Anti-spam event data (IP, user agent, timing, honeypot and rate-limit signals)
- Consent records and cookie preferences
- Optional analytics data where you have provided consent
4. Purposes and Legal Bases
- Website security and delivery (Art. 6(1)(f) GDPR)
- Responding to your inquiries (Art. 6(1)(b) or 6(1)(f) GDPR)
- Managing consent choices (Art. 6(1)(c) and 6(1)(f) GDPR)
- Optional analytics and marketing tools (Art. 6(1)(a) GDPR)
5. Cookies and Similar Technologies
We use cookies required for secure website operation. Any non-essential cookies are used only after you opt in. You can change your choices at any time in Cookie Settings.
6. Recipients and Processors
The register below lists the current processor/subprocessor setup for this website.
Register last reviewed: March 1, 2026
| Area | Provider | Role | Purpose | Data Categories | Location | Transfers | Subprocessors | Status |
|---|---|---|---|---|---|---|---|---|
| Website hosting and runtime operation | Google Cloud Run / Cloud Build / Artifact Registry (Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland) | Processor | Deliver website and API endpoints, process technical request logs, enforce uptime and security controls. | IP address, request metadata, user agent, URL path, timestamp, error logs | Primary deployment region: Europe (Frankfurt, europe-west3) | SCCs or adequacy decision where required | Google Cloud subprocessors list: https://cloud.google.com/terms/subprocessors ; contracting entity reference: https://cloud.google.com/terms/google-entity | Active |
| Email communication (contact@atmx.app, privacy@atmx.app) | Google Workspace (Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland) | Processor | Receive and store support, business, and privacy inquiries. | Sender email address, message content, headers, timestamps | EMEA contracting entity with global infrastructure support, subject to Google Workspace terms | SCCs or adequacy decision where required | Google subprocessors list: https://cloud.google.com/terms/subprocessors ; contracting entity reference: https://cloud.google.com/terms/google-entity | Active |
| Waitlist and contact form handling | ATMX Apps first-party backend (no external form SaaS processor by default) | Controller internal processing | Validate waitlist submissions, apply anti-spam controls, and (optionally) enforce double opt-in confirmation before activation. | Email address, app selection, consent flag, source tag, IP address, user agent, timestamps, double-opt-in confirmation token hash/expiry | Same environment as website backend | N/A for first-party processing; infrastructure safeguards apply | None by default | Active |
| Waitlist webhook forwarding | Not enabled (WAITLIST_WEBHOOK_URL, WAITLIST_ABUSE_WEBHOOK_URL, and WAITLIST_NOTIFICATION_WEBHOOK_URL are not configured in production baseline) | N/A until enabled | Forward waitlist signups, abuse events, and internal notification alerts to external systems. | N/A until enabled | N/A until enabled | N/A until enabled | N/A until enabled | Not active |
| Analytics and marketing tools | ATMX Apps first-party analytics endpoint (no external analytics vendor by default) | Controller internal processing | Measure basic website and waitlist conversion events only after analytics consent is granted. | Event name, page path, optional app slug/source, technical metadata, IP address, user agent, timestamp | Same environment as website backend | N/A for first-party processing; infrastructure safeguards apply | None by default | Active |
This register reflects the currently active setup. If additional processors are enabled later (for example webhook destinations or analytics vendors), this table will be updated before those services are used in production.
7. International Data Transfers
If data is transferred outside the EEA, we apply suitable safeguards such as Standard Contractual Clauses or other mechanisms permitted by GDPR.
8. Retention
- Operational logs: retained only as long as required for security and troubleshooting.
- Waitlist submissions: retained until onboarding is complete or deletion is requested.
- Anti-spam records: retained for abuse prevention and auditability, then deleted or anonymized.
- Legal requests and rights handling records: retained as required by law.
9. Your Rights
- Right of access, rectification, erasure, and restriction
- Right to data portability
- Right to object to processing based on legitimate interests
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
A list of German supervisory authorities is available from the BfDI: Authorities overview.
10. Contact
For privacy questions or to exercise your rights, contact us at privacy@atmx.app.