Privacy Policy

Last updated: May 29, 2026

This Privacy Policy explains how Atlanwave ("we", "us") collects, uses, shares, and protects information in connection with the Checkout Friction Detector service (the "Service"). It applies to (a) the data we receive about visitors to our customers' websites where the Checkout Friction Detector JavaScript library is installed, and (b) the data we hold about our paying customers and their account contacts.

1. Roles & Who This Applies To

For the JavaScript library running on a customer's website, the customer (the site operator) is the data controller and we are the data processor. Visitors to those sites should consult the site operator's privacy notice as their primary reference; this Policy describes our handling as a processor.

For information our customers provide to us directly — account email, billing details, support correspondence — we act as the data controller.

2. What the JavaScript Library Collects

The library is engineered to capture interaction patterns, not personal data. Specifically:

• Field focus and blur timing (how long a field was focused, how often)
• Mouse-click and tap patterns, including detection of rapid repeated clicks ("rage clicks") and clicks that produce no visible response ("dead clicks")
• Form-step navigation patterns (which step the visitor reached, where they exited)
• Page URL paths with query strings and fragments stripped
• Viewport dimensions, user-agent string, and device class
• Randomly generated session and event identifiers (UUIDs not tied to identity)
• Approximate event timestamps

3. What the Library Does NOT Collect

• Credit card numbers, CVVs, or expiration dates
• Passwords, security codes, or two-factor codes
• Government identifiers (SSN, passport, driver's license, etc.)
• Health, financial, or other special-category data
• Email addresses, phone numbers, or other field values typed by visitors (unless a site operator explicitly enables value capture for a specific non-sensitive field, which is off by default)
• Keystroke-by-keystroke input
• Cross-site tracking cookies or third-party advertising identifiers
• Audio, video, or precise geolocation

4. How We Use Customer Data

We process Customer Data to:

• Detect friction patterns (hesitation, rage clicks, validation errors, abandonment) and produce signals.
• Generate and deliver alerts and weekly reports to the channels the customer configures (email, Slack, webhooks, Segment).
• Operate, secure, monitor, and debug the Service.
• Comply with legal obligations.

We do not sell Customer Data, share it with advertisers, or use it to train general-purpose machine-learning models. Aggregated, de-identified statistics may be used internally for product improvement.

5. AI-Enhanced Recommendations

If your plan includes AI-enhanced summaries and recommendations, signal metadata (event type, severity, page paths, target selectors, field names — never personal values) may be sent to the AI provider configured by us at the time (currently Anthropic or OpenAI) for the limited purpose of generating recommendation text. These providers do not retain the data for model training under their standard API terms. You can disable AI enhancement at the platform level by contacting us.

6. Information We Collect About Customers

When you sign up for the Service, we collect: email address, optional portal password (stored hashed), gateway customer ID and billing metadata returned by Lemon Squeezy, payment history (amount, plan, date — never raw card numbers), the contents of support correspondence, and standard server logs (IP, user-agent, request paths).

7. Lawful Basis (EU/UK Customers)

Where the EU or UK GDPR applies, we rely on the following lawful bases: contract (to provide the Service you've signed up for), legitimate interests (to operate, secure, and improve the Service, and to communicate with you about your account), legal obligation (to comply with tax, accounting, and law-enforcement obligations), and consent (where required, for example for non-essential cookies).

8. Data Retention

• Raw ingested events: 90 days from receipt.
• Aggregated friction signals and weekly reports: for the duration of your subscription plus 30 days.
• Customer account records, payment history, and support correspondence: as long as required for legitimate business purposes and applicable law (typically 7 years for billing records).
• Server logs: 30 days.

Customers can request earlier deletion of their account and associated raw events by contacting info@atlanwave.com.

9. Sub-processors & Third Parties

We use the following sub-processors to operate the Service. The list may change; material changes will be reflected here.

• Lemon Squeezy — payment processing & merchant of record
• Postmark — transactional email delivery
• Anthropic — AI recommendation generation (optional, plan-gated)
• OpenAI — AI recommendation generation (optional, plan-gated)
• Slack, Segment, customer-configured webhooks — alert delivery to channels you configure
• Our hosting and infrastructure providers (servers, managed databases, object storage)

We do not sell or rent personal information.

10. International Transfers

Our infrastructure and several of the sub-processors above operate in jurisdictions that may differ from yours, including the United States and the European Union. Where personal data is transferred from the EU/UK to a country without an adequacy decision, we rely on Standard Contractual Clauses or equivalent safeguards.

11. Security

We use industry-standard safeguards including TLS in transit, encryption at rest for sensitive fields, hashed credentials (bcrypt for portal passwords, SHA-256 for magic-link tokens), HMAC-signed webhooks, scoped API keys per project, rate limiting on ingest and authentication endpoints, and access controls on our admin surfaces. No system is perfectly secure; if you become aware of a vulnerability, please report it to samuel@atlanwave.com.

12. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data ("right to be forgotten")
• Restrict or object to processing
• Receive a portable copy of your data
• Withdraw consent where processing is based on consent
• Lodge a complaint with your local data-protection authority

For California residents under the CCPA/CPRA, you also have the right to know what personal information is collected, to delete it, and to opt out of "sale" or "sharing" — note that we do not sell or share personal information for advertising purposes.

To exercise any of these rights, email info@atlanwave.com from the address associated with your account, or use the Account Access flow on our site to authenticate first. We respond within 30 days.

13. Cookies & Similar Technologies

Our customer portal and admin panel use a single first-party session cookie strictly to keep you signed in. We do not use cookies for advertising or cross-site tracking, and the Checkout Friction Detector JavaScript library does not set tracking cookies on visitor sites.

14. Children

The Service is not directed to individuals under the age of 16. If you become aware that a child has provided us with personal information, contact us at info@atlanwave.com and we will take steps to delete it.

15. Changes to This Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated by email to customer account contacts and posted prominently on this page.

16. Contact

Questions about this Policy, requests to exercise your rights, or general privacy concerns:
info@atlanwave.com

Security disclosures or escalations:
samuel@atlanwave.com