This Privacy Policy explains how Atlas Studio ("we", "us", "our") collects, uses, stores, and protects your personal data when you use ARBK Atlas at arbk.atlas-studio.eu. ARBK Atlas is a business registry search and intelligence platform for Kosovo, operated by Atlas Studio.
By using our platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the service.
02 Data Controller
The data controller responsible for your personal data is:
Atlas Studio
Kosovo
Email: [email protected]
Phone: +383 45 957 990
For any privacy-related questions or concerns, you can reach us using the contact details above.
03 Data We Collect
We collect the following categories of data:
Account Data: Your name and email address (provided directly or via Google OAuth sign-in), and a password hash if you register with email and password.
Usage Data: Search queries, lead preferences, saved searches, watched businesses, smart list interactions, and data exports.
Billing Data: Selected plan, billing status, and the metadata of any invoices we issue you (invoice number, amount, period, your business details where applicable). We do not store credit card numbers or bank account details.
Technical Data: IP address, browser type and version, device type, operating system, and referring URLs.
API Usage Data: For Enterprise subscribers, we log API request counts, endpoints accessed, and timestamps for rate limiting and abuse prevention.
04 Legal Basis for Processing
We process your personal data on the following legal bases:
• Contract performance — Processing necessary to provide you with the ARBK Atlas service, manage your account, and fulfill your subscription.
• Consent — Analytics cookies (Google Analytics) are only set with your explicit opt-in consent via our cookie banner.
• Legitimate interest — Processing necessary for platform security, fraud prevention, service improvement, and maintaining the integrity of our systems.
• Legal obligation — Retention of payment and tax records as required by applicable law.
05 How We Use Your Data
We use your data for the following purposes:
• Service delivery — Providing search, analytics, lead generation, and all platform features.
• Personalization — Tailoring your dashboard, lead recommendations, and search experience based on your preferences and activity.
• Billing — Managing subscriptions, issuing invoices, and tracking payment status.
• Communication — Sending service-related notifications such as account updates and billing confirmations. We do not send marketing emails.
• Platform improvement — Analyzing usage patterns to improve features, performance, and user experience.
• Security — Detecting and preventing unauthorized access, fraud, and abuse.
• Legal compliance — Meeting our obligations under applicable laws and regulations.
06 Cookies & Tracking
We use the following cookies:
Essential Cookies (always active, required for the platform to function):
• next-auth.session-token — Maintains your authenticated session (session)
• __Host-next-auth.csrf-token — Prevents cross-site request forgery attacks (session)
• cookie-consent — Stores your cookie preference choice (1 year)
• NEXT_LOCALE — Remembers your selected language, en/sq (1 year)
• arbk-theme — Remembers your light/dark theme preference (1 year)
Analytics Cookies (opt-in only, set only with your explicit consent):
• _ga — Google Analytics identifier, used to distinguish users (up to 2 years)
• _ga_* — Google Analytics session tracking (up to 2 years)
Analytics cookies are only activated when you explicitly consent via our cookie banner. The Google Analytics tag is loaded only after you accept; if you decline, it is not loaded. You can withdraw consent at any time by clearing your cookies or using the cookie settings.
07 Third-Party Services
We use the following third-party services to operate the platform:
• Hetzner Online GmbH (Germany, EU) — Application and database hosting in the EU.
• Stripe Payments Europe, Ltd. (Ireland, EU) — Payment processing and subscription billing. Receives your name, email, billing address, NUI and payment metadata when you subscribe.
• Microsoft (Microsoft Graph / Azure) — Transactional email delivery (e.g. contact form, account and security emails).
• Resend, Inc. (USA) — Delivery of transactional and notification emails (e.g. password reset, watch and search alerts, billing receipts, weekly digests).
• Google LLC (USA) — Google OAuth sign-in; Google receives your authentication token during sign-in.
• Google Analytics 4 (USA) — Consent-gated usage statistics, loaded with analytics storage denied by default and only activated with your explicit consent.
• MapLibre — Client-side interactive maps; no personal data transmitted to third-party servers.
Payments and subscription billing are handled by Stripe. We do not store your full card number or bank account details. The complete, current list of subprocessors — including their role, data categories and location — is published at /subprocessors. We do not sell, rent or trade your personal data to any third party.
08 Business Registry Data
ARBK Atlas displays publicly available business registration data sourced from the Kosovo Agency for Business Registration (ARBK). This data is part of the public record maintained by the Kosovo government.
We do not claim ownership of this public business data and provide it for informational purposes only. Business listings include names, registration numbers, status, municipality, owners, and sector codes as published by ARBK.
If you believe any business data displayed on the platform contains an error or requires correction, you may contact us at [email protected] and we will review your request.
Owner names and search functionality. Where the public ARBK record lists the owners or representatives of a registered business, those names appear on the corresponding business page. Owner names are also searchable so users can locate businesses they are connected to. Individual owner profile pages, where they exist, are not indexed by search engines (noindex), are not listed in our sitemap, and are accessible only to authenticated paid-plan users.
Risk score for businesses. For registered legal entities (not individuals), we compute a portfolio risk score from public registry signals such as activity status, sector, age, and closure history. The score is presented only on business pages, applies to the legal entity and not to any individual, and is intended as an operational signal — it is not a credit assessment, regulatory finding, or judgment about any natural person.
Legal basis. Republication of the public ARBK record relies on legitimate interest (transparency of the business registry); the business risk score relies on legitimate interest in providing operational due-diligence information about legal entities. Both are subject to balancing against the rights of any affected person.
Removal and corrections. If you are named as an owner or representative and wish to be hidden from owner-name search and owner profile views, or if any displayed data is inaccurate, write to [email protected]. We will action verified requests within 30 days. This is in addition to the rights described in the Your Rights section.
09 Automated Processing & Profiling
We compute automated signals from public business-registry data and from your use of the platform. For registered businesses, these include a portfolio risk score, a shell-company likelihood score, address-concentration and owner-influence indicators, and ultimate-beneficial-owner chains. These are derived solely from public registry signals (status, sector, age, capital, closure history, shared addresses and ownership links) and are presented as operational due-diligence signals for the legal entity. They are not credit assessments, regulatory findings, or solely-automated decisions producing legal effects about any natural person within the meaning of Article 22 GDPR.
Where these signals relate to an identifiable individual (for example an owner or representative), you may object to this profiling and request human review by contacting [email protected]. For your account, we use your activity to personalize your dashboard and lead recommendations; this never produces a decision with legal or similarly significant effects.
10 Data Sharing & Transfers
We share your data only in the following limited circumstances:
• Subprocessors — The third-party services listed above and at /subprocessors, each only to the extent needed to operate the platform.
• Google Analytics — Anonymized usage data, only with your consent.
• Legal requirements — When required by law, court order, or government authority.
• Business transfers — In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.
Our application and database are hosted in the European Union (Germany). Some subprocessors — Google (OAuth and Analytics) and Resend (email) — process limited data in the United States. These transfers rely on the EU–US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses (SCCs). We do not otherwise transfer your personal data outside the EEA without an appropriate safeguard.
11 Data Retention
We retain your data for the following periods:
• Account data — For as long as your account is active, plus a 30-day grace period after a deletion request, after which it is permanently erased.
• Usage logs — Up to 90 days (IP addresses minimised after 30 days), then deleted.
• Security & login logs — Up to 12 months (IP addresses minimised after 30 days), for fraud prevention and account security.
• Rate-limit logs — 7 days.
• API request logs — Up to 90 days, then deleted.
• Administrative access logs — 12 months.
• Payment records — 7 years, as required by tax and accounting regulations.
• Cookie consent preferences — 1 year from the date of consent.
• Analytics data — 14 months, after which data is anonymized and aggregated.
When data reaches its retention limit, it is permanently deleted or irreversibly anonymized.
12 Data Security
We implement the following technical and organizational measures to protect your data:
• TLS 1.2+ encryption for all data in transit, with HSTS enforced
• Passwords hashed with bcrypt (never stored in plain text)
• Database hosted on a private Hetzner network, not exposed to the public internet
• Signed JWT tokens for session authentication, with token-version revocation on chargebacks and admin actions
• Secure, randomly generated API keys with rotation tracking
• Idempotent webhook processing with signature verification
• Rate limiting on authentication and public endpoints
• SSH key-only access to production systems (no password authentication)
While we take reasonable measures to protect your data, no system is completely secure. We encourage you to use a strong, unique password for your account. See /security for our full Security Policy.
13 Your Rights
You have the following rights regarding your personal data:
• Right of access — Request a copy of the personal data we hold about you.
• Right to rectification — Request correction of inaccurate or incomplete data.
• Right to erasure — Request deletion of your personal data and account.
• Right to data portability — Receive your data in a structured, machine-readable format.
• Right to restriction — Request that we limit how we process your data.
• Right to object — Object to processing based on legitimate interest, including profiling.
• Right to withdraw consent — Withdraw your consent for analytics cookies at any time.
• Right to lodge a complaint — File a complaint with a supervisory authority. In Kosovo this is the Information and Privacy Agency (Agjencia për Informim dhe Privatësi — AIP), aip.rks-gov.net. EU/EEA residents may also complain to their local data protection authority.
To exercise any of these rights, contact us at [email protected]. We aim to acknowledge requests within 72 hours and will respond within 30 days (extendable by up to two further months for complex requests, with notice).
14 Children's Privacy
ARBK Atlas is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected] and we will take steps to delete the information.
15 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. The "Last updated" date at the top of this page indicates when the policy was last revised.
For material changes that significantly affect how we process your data, we will notify registered users via email before the changes take effect. Continued use of the platform after changes constitutes acceptance of the updated policy.
16 Contact Us
For privacy-related inquiries or to exercise your data rights, contact us at:
Atlas Studio
Email: [email protected]
Phone: +383 45 957 990
Location: Kosovo
We aim to respond to all privacy-related requests within 30 days.