Last updated: May 20, 2026
Atlas is operated by Wuttipat Klinyam, Entrepreneur Individuel registered in France under the commercial name Wynex Labs (SIREN 100 844 000, SIRET 100 844 000 00016, APE 6201Z), with registered office at 59 Rue Georges Lardennois, 75019 Paris, France. For any question about how we process your personal data, contact us at hello@wynexlabs.studio. We respond within one calendar month per GDPR Art. 12(3). No Data Protection Officer is appointed: Art. 37(1) criteria are not met. No EU representative is required: the controller is established in the EU.
We collect only the data needed to deliver the Atlas learning experience:
Under the General Data Protection Regulation, you have the following rights:
We retain your data for as long as your account is active. Upon account deletion, all personal data and uploaded content are permanently removed within 30 days. Anonymised, aggregated analytics data may be retained for service improvement. Operational logs (LLM usage, audit logs) follow a 365-day retention policy; transactional notifications are purged after 90 days.
We implement appropriate technical and organisational measures (GDPR Article 32) to protect your data, including encryption in transit (TLS / HTTPS), encrypted storage on Neon Postgres (EU region), access controls scoped per role (student / professor / admin), short-lived authentication sessions, error monitoring with PII masking, and audit logging of access to personal data.
Atlas uses large language models (LLMs) to support several pedagogical tasks. We disclose this explicitly so you can make an informed decision:
Atlas's primary database is hosted in the European Union (Neon, eu-central-1). Our AI inference runs with EU-region providers; where any data transfers outside the EEA, we are transparent about the safeguards because GDPR Chapter V requires it:
All transfers outside the EEA rely on the European Commission's adequacy decisions, Standard Contractual Clauses, or the EU-US Data Privacy Framework, complemented by contractual zero-retention representations where offered and EU-region pinning of our primary database (Neon) and supported AI inference. See the full subprocessor register for the per-provider region and transfer mechanism.
Atlas uses a small, deliberately-minimised set of cookies and browser-storage items. We use no third-party advertising, marketing, or behavioural-profiling cookies — no Google Analytics, no Meta / Facebook pixel, no HubSpot, Mixpanel, or Hotjar. Because all our cookies are strictly necessary, exempt under Art. 82 LCEN, or governed by a documented legitimate interest with a right to object, we do not display a cookie consent banner. The table below replaces the information a banner would otherwise provide.
| Name | Type | Purpose | Lifetime | Party | Legal basis |
|---|---|---|---|---|---|
| next-auth.session-token / __Secure-next-auth.session-token | Cookie (HttpOnly) | Authenticated session | 30 days | First-party | Strictly necessary — LCEN Art. 82 exempt |
| __Host-next-auth.csrf-token | Cookie (HttpOnly, Secure) | CSRF protection | Session | First-party | Strictly necessary |
| NEXT_LOCALE | Cookie | UI language preference (en / fr) | 1 year | First-party | CNIL user-preference Recommendation §22 — exempt |
| Vercel Web Analytics | No cookie, no localStorage — server-side IP+UA hash, 24h retention then discarded | Aggregate traffic measurement | 24h hash | Third-party (Vercel) | Art. 6(1)(f) legitimate interest — LIA available on request |
| Sentry on-error replay | sessionStorage — on error only, text/media masked by default | Error diagnosis | Session | Third-party (Sentry) | Art. 6(1)(f) legitimate interest — service reliability + security |
How to control these: sign out to clear the NextAuth session cookie. Clear browser storage to clear the locale cookie. Object to the legitimate-interest processing (Vercel + Sentry) by emailing hello@wynexlabs.studio with the subject 'Opt-out of analytics'.
In the event of a personal data breach, we will notify the relevant supervisory authority (CNIL for France) within 72 hours per GDPR Article 33. If the breach is likely to result in a high risk to your rights, we will notify you directly per Article 34.
For any privacy-related inquiry, contact our Data Protection contact at hello@wynexlabs.studio. You also have the right to lodge a complaint with your local data-protection supervisory authority — in France, that authority is the CNIL (Commission Nationale de l'Informatique et des Libertés).