Privacy Policy
Effective date: 2025-01-01
1. Scope and Data Controller
This Privacy Policy describes how Atelier CMS / FJS Services, Inc. ("Atelier", "we", "us") collects, uses, and shares personal data in connection with the Atelier CMS platform ("Service").
This policy governs the relationship between Atelier and Tenants (businesses and individuals who use the Service to build websites). Atelier is the data controller for Tenant account data.
Atelier acts as a data processor with respect to personal data that Tenants collect from their own End Users (for example, contact form submissions). Tenants are independent data controllers for that data. See Section 11.
2. What We Collect
2.1 Account Data
When a Tenant account is created, we collect: name, email address, and hashed password. Billing contact details are collected by Stripe on our behalf.
2.2 Content and Site Data
We store all Tenant Content — pages, blog posts, media files, form definitions, themes, and configuration — as necessary to operate the Service.
2.3 Usage and Technical Data
We collect server-side logs (IP address, user agent, HTTP method, path, status code, timestamp) for security monitoring and debugging. We also collect session identifiers and CSRF tokens necessary to authenticate requests.
2.4 Billing Data
Payment card details are handled exclusively by Stripe. We receive and store subscription status, plan tier, billing interval, Stripe customer ID, and Stripe subscription ID.
2.5 Legal Compliance Data
We log acceptance of our Terms of Service, including the accepted version, acceptance timestamp, IP address, and user agent, to demonstrate that a valid agreement was formed.
2.6 Communications
We retain records of support communications (email, contact form) for as long as necessary to resolve the matter and comply with legal obligations.
3. How We Use Personal Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the Service | Contract performance (Art. 6(1)(b)) |
| Billing and subscription management | Contract performance |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance and audit trails | Legal obligation (Art. 6(1)(c)) |
| Customer support | Legitimate interest / Contract |
| Product improvement and analytics | Legitimate interest (anonymised or aggregated) |
| Sending service notifications and updates | Contract performance / Legitimate interest |
| Marketing communications (if opted in) | Consent (Art. 6(1)(a)) |
4. Subprocessors and Data Sharing
We share personal data only with the following third-party subprocessors, all of which are bound by data processing agreements:
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and subscription billing | USA (SCCs) |
| Twilio / SendGrid | Transactional email delivery (account notifications, contact form routing) | USA (SCCs) |
| Anthropic, Inc. | AI content drafting (processes only content explicitly submitted for AI assistance) | USA (SCCs) |
| [Hosting Provider] | Infrastructure, compute, and storage | [Location] |
We do not sell, rent, or share personal data with third parties for advertising purposes. We may disclose data if required by law, court order, or to protect the rights and safety of Atelier, our Tenants, or the public.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Tenant account and content data | Duration of subscription + 30 days post-termination |
| Billing records | 7 years (tax / accounting obligations) |
| Server access logs | 90 days |
| Terms acceptance records (anonymised) | 6 years (contract limitation period) |
| Support communications | 3 years after resolution |
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your personal data (subject to legal retention obligations).
- Restriction — request that we restrict processing of your data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at privacy@ateliercms.com. We will respond within 30 days. We may need to verify your identity before fulfilling a request.
You also have the right to lodge a complaint with your local data protection supervisory authority.
7. International Data Transfers
Atelier is based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.
We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for these transfers, both for data we process directly and for transfers to our subprocessors.
8. Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include: bcrypt-hashed passwords, server-side encrypted sessions, CSRF protection on all state-changing requests, HTTPS-only access, and PostgreSQL row-level tenant isolation.
In the event of a personal data breach affecting your data, we will notify you within 48 hours of becoming aware of the breach, allowing you sufficient time to meet any regulatory notification obligations.
9. Children's Data
The Service is intended for businesses and individuals aged 18 and over. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will delete it promptly.
10. California Residents (CCPA)
California residents have the following additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect, use, disclose, and sell.
- The right to delete personal information we have collected (subject to exceptions).
- The right to opt out of the sale or sharing of personal information.
- The right to non-discrimination for exercising CCPA rights.
We do not sell or share personal information for cross-context behavioral advertising. To exercise your rights, contact privacy@ateliercms.com.
11. Tenant-Powered Sites
Websites built by Tenants using the Atelier platform are independently operated by those Tenants. When you visit a website powered by Atelier (for example, to submit a contact form), the Tenant operating that website is the data controller for any personal data you provide.
Atelier's role is limited to providing the technical infrastructure. This Privacy Policy does not govern the privacy practices of Tenant websites. Please consult the privacy policy displayed on the individual website you are visiting.
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email and by displaying a notice in the administrative dashboard at least 30 days before the change takes effect. The updated policy will be identified by a new effective date at the top of this page.
13. Contact
For privacy-related enquiries, to exercise your rights, or to contact our Data Protection Officer:
Email: privacy@ateliercms.com