Privacy Policy

Last updated: 2026-05-10

1. Who we are

The ATLAS Shorts Command Center (“ATLAS”, “we”) is a private, single-operator dashboard used to publish short-form videos to YouTube, Instagram, TikTok and X (Twitter). ATLAS runs on a private VPS under the operator's control and is not offered as a service to third parties. The data controller under the GDPR is the operator (see contact below).

2. What data we process

  • Authentication — TOTP secrets only (no password). The secret is stored encrypted and is only visible to the operator.
  • Platform tokens — OAuth refresh tokens for YouTube Data API, Meta Graph API, TikTok Content Posting API, and X API v2. Encrypted at rest with AES-256-GCM; the key lives in environment variables only.
  • Engagement metrics — aggregate views, likes, and comment counts for our own posts. We do not retain profiles, names or identifying data of platform end-users.
  • Comments for moderation — comments on our own posts are fetched via the official APIs to detect spam/abuse. Full text is retained for at most 90 days, after which only aggregates remain.
  • Reddit posts via Apify — only publicly visible, anonymised posts from subreddits, used as raw inspiration. No DMs or account data.
  • Operational logs — agent runs, costs, errors. No personal data of third parties beyond what moderation requires.

3. Purpose and legal basis

We process the above data exclusively to: (a) authenticate the operator, (b) publish content from owned accounts via official platform APIs, (c) generate performance analytics for the operator, and (d) detect anomalies (cost spikes, account issues, pipeline failures).

The legal basis is the legitimate interest of the operator to run their own content pipeline (Art. 6(1)(f) GDPR). We do not process special categories of personal data and there is no automated decision-making that produces legal effects on third parties.

4. Retention

  • Account and platform tokens: until revoked by the operator.
  • Operational logs: 90 days, then deleted.
  • Engagement data: 1 year at post-level, then aggregated without re-identification.
  • Encrypted backups: 30 days rolling.

5. Sub-processors

We rely on a small set of external services. Only the strictly necessary data is shared with each:

  • Anthropic — LLM inference for scripting and moderation (transient, no training opt-in).
  • ElevenLabs — voice synthesis; text input only.
  • Pexels — stock footage/imagery (search queries only).
  • Apify — public Reddit scraping.
  • Replicate — image generation; prompts only.
  • Hetzner — VPS hosting (EU-based, GDPR-compliant).

Data is also transmitted to the respective platform APIs (YouTube/Meta/TikTok/X) solely to publish our own content.

6. Your rights under the GDPR

Since ATLAS has no external users, GDPR rights apply primarily to people whose comments or DMs on our owned accounts have been fetched for moderation. You have the right to:

  • Access the data we hold about you.
  • Rectify incorrect data.
  • Obtain erasure (“right to be forgotten”) on request.
  • Object to processing based on legitimate interest.
  • File a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).

Send requests to legal@goudarp.store. We respond within 30 days.

7. Cookies

ATLAS sets only first-party session cookies (HttpOnly, Secure, SameSite=Lax) for operator authentication. We use no tracking cookies, no third-party analytics cookies, and no advertising pixels.

8. Security

All traffic is HTTPS with HSTS. Inbound endpoints have rate-limiting, CSRF protection, and strict input validation via Zod. Secrets live only in environment variables and are masked in logs (Pino redaction). All changes are recorded in an audit log.

9. Changes

Material changes to this policy will be published here with an updated “last updated” date. Version: 2026-05-10.

10. Contact

Privacy questions or GDPR requests: legal@goudarp.store.

Dutch version available: /privacy
