Gatlas

Privacy Policy

Last updated: June 29, 2026

1. Introduction

Gatlas ("we", "us", "our"), operated by Bifrost Partners LLC, a Delaware limited liability company, is a data integration and analytics platform that helps organizations consolidate data from multiple business systems into a data warehouse for reporting and analysis. This Privacy Policy explains how we collect, use, store, and protect information when you use our platform at gatlas.ai.

When you (the "merchant" or "customer") connect a business system to Gatlas, that system may contain personal data about your customers, prospective customers, and site visitors. For that data, you are the data controller and Gatlas acts as your data processor, processing the data only on your instructions to provide the analytics you have requested. Our processing of that data is governed by our Data Processing Agreement.

2. Information We Collect

We collect the following types of information:

  • Account information: Email address and name provided during registration.
  • Connected service data: When you connect third-party services (such as Google Analytics, Google Ads, Google Sheets, Shopify, Stripe, QuickBooks, or e-conomic), we access and process data from those services on your behalf and sync it into a data warehouse. The specific data depends on the streams and permissions you configure. This data may include personal data about your customers (see Section 6).
  • OAuth credentials: Access tokens and refresh tokens obtained through OAuth authorization flows with third-party services. These are stored encrypted and used solely to maintain your authorized connections.
  • Usage data: Basic usage information such as sync history, query logs, and connection status.

3. How We Use Your Information

  • To synchronize data from your connected services into your data warehouse.
  • To execute SQL queries, generate views, and produce the analytics and reporting you request.
  • To perform reverse syncs (exporting data to services like Google Sheets) as configured by you.
  • To maintain and refresh authorized connections.
  • To provide customer support and improve our platform.

We do not sell personal data, use it for advertising or marketing, or use it to train machine-learning models.

4. Google API Services

Gatlas's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we access Google user data only for the purposes described in this policy:

  • Google Analytics: Read-only access to analytics data for syncing to your data warehouse.
  • Google Ads: Read-only access to campaign, ad group, keyword, and search term performance data.
  • Google Sheets: Read and write access to spreadsheets you specify, used for data import and reverse sync exports.

We do not use Google user data for advertising, and we do not transfer Google user data to third parties except as necessary to provide and improve our services, as required by law, or with your explicit consent.

5. Intuit QuickBooks

When you connect your QuickBooks Online account, we access your financial data through Intuit's official API. This includes:

  • Company information: Basic company profile and settings.
  • Financial transactions: Invoices, bills, payments, customers, vendors, accounts, and other accounting data you choose to sync.

We use this data solely to synchronize it to your data warehouse. We do not modify your QuickBooks data. You can disconnect QuickBooks at any time from your Gatlas dashboard or by revoking access in your QuickBooks settings under Apps > My Apps.

6. Shopify and Protected Customer Data

When you connect a Shopify store, we access store data through Shopify's official GraphQL Admin API on a read-only basis. We never create, modify, fulfill, or cancel orders, and we never process payments. The data we sync includes orders, customers, products, inventory, and (where you enable it) Shopify Payments payout and dispute data.

This includes protected customer data — personal data about your store's customers. The protected customer fields we process are:

  • Name — customer first and last name, for customer-level reporting and lifetime-value analysis.
  • Email — for customer identification and de-duplication in reports.
  • Address — order and customer shipping/billing addresses, for geographic and regional revenue analysis.

We do not collect customer phone numbers. We use protected customer data solely to provide the analytics you request (such as revenue, cash-flow, customer lifetime-value, and cohort analysis). We never sell it, use it for advertising or marketing, or use it to train machine-learning models.

We honor Shopify's mandatory privacy webhooks. When Shopify sends a customer data-request, a customer redaction request, or a shop-redaction request (for example, when you uninstall the app), we verify the request, record it, and delete or provide the relevant customer data from your data warehouse accordingly.

7. Data Storage and Security

  • Synced data is stored in a Gatlas-managed data warehouse (Supabase PostgreSQL), logically isolated per customer and protected by row-level security. Where you configure your own destination warehouse, data is written there instead.
  • All data is encrypted in transit (HTTPS/TLS) and at rest. Database backups are encrypted.
  • OAuth credentials and access tokens are encrypted at rest using Supabase Vault and are never stored in application tables.
  • Access to production systems is restricted to authorized personnel on a least-privilege basis, and access to personal data is logged.
  • We process the minimum personal data needed to provide the service and maintain a security incident-response process.

8. Sub-processors and Data Sharing

We do not sell your personal information. We share data only in the following circumstances:

  • With your consent: When you explicitly authorize a connection or reverse sync.
  • Sub-processors: We use the following service providers to operate our platform: Supabase (database, authentication, and encrypted secrets storage), Vercel (web hosting), Railway (background data-sync processing), and Anthropic (the optional AI assistant / query feature — when you use it, the data you query may be processed by Anthropic's API, which does not train on the data and supports zero data retention). Our current list of sub-processors is maintained in our Data Processing Agreement.
  • Legal requirements: When required by law, regulation, or legal process.

9. Data Retention and Deletion

We retain account data and connection credentials for as long as your account is active. When you delete a connection, the associated credentials are permanently removed and the synced data for that connection is deleted. When you delete your account, all associated data is deleted within 30 days.

For Shopify stores, uninstalling the app triggers a shop-redaction request from Shopify, after which we delete the store's synced data from your data warehouse. A customer redaction request deletes that customer's personal data. You may request access to, or deletion of, data at any time by contacting us.

10. Your Rights

Depending on your jurisdiction, you (and the individuals whose data you process) may have the right to:

  • Access the personal data we hold.
  • Request correction of inaccurate data.
  • Request deletion of data.
  • Revoke third-party access at any time by disconnecting services in your Gatlas dashboard or revoking access from the third-party service directly.
  • Export data.

Where Gatlas processes personal data about your customers on your behalf, we will assist you in responding to their data-subject requests as set out in our Data Processing Agreement.

11. International Data Transfers

Our sub-processors may process data in the European Union and the United States. Where personal data is transferred outside your jurisdiction, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date.

13. Contact

If you have questions about this Privacy Policy or your data, please contact us at privacy@gatlas.ai.