Who this policy covers.
Atlas People ApS ("Atlas People", "we", "us", or "our") operates AtlasOS, including the Atlas People MCP Server (the "MCP Service"). This privacy policy explains how we collect, use, and protect your information when you use the MCP Service to connect AI assistants such as Claude to your Atlas People account.
By using the MCP Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the MCP Service.
The MCP ServiceWhat the MCP Service does.
The Atlas People MCP Server allows AI assistants to access Atlas People data on your behalf using MCP. Most MCP tools are read-only and return the same organisation, people, team, report, and context data that you can access in the Atlas People portal.
A limited set of administrative MCP tools can create organisations, teams, people, or upload reports, but these tools are only registered for authenticated super_admin users. All MCP access remains subject to your Atlas People account permissions and access grants.
AI-assisted analysis. Human-authored conclusions.
The EU AI Act (Regulation (EU) 2024/1689) establishes a risk-based framework for AI systems operating in the European Union. Annex III of the Act identifies AI systems used in employment and recruitment contexts as high-risk, subject to heightened transparency, documentation, and human-oversight obligations.
Atlas People is built on a clear principle: AI assists analysis, but humans author every recommendation. No AI output is communicated to clients without senior consultant review, contextualisation, and sign-off. This is not a policy exception. It is the core of how Atlas delivers its service.
How we classify ourselves
Leadership assessment falls within Annex III of the EU AI Act, the high-risk category for AI used in employment. We build to that standard rather than around it. The AI models leadership data against strategic context and surfaces scored analysis; a credentialled consultant then interprets, contextualises, and authors the final Collaboration Playbook and Team Map. The client receives a human-authored deliverable, not an AI verdict.
What this means for you
Your organisation does not receive automated HR decisions from Atlas People. All recommendations are advisory. You retain full control over the decisions you make from Atlas's analysis. We do not make, trigger, or automate any employment decision on your behalf.
Our documentation commitment
Atlas People maintains internal documentation of its AI-assisted processes, model limitations, and human review steps in accordance with Article 13 (transparency) and Article 14 (human oversight) of the EU AI Act. This documentation is available to enterprise clients and regulators upon request.
What we process when you use MCP.
When you use the MCP Service, we collect and process the following information.
Authentication data
When you connect via OAuth, we create an API key linked to your Atlas People account. API keys are SHA-256 hashed before storage. We never store the raw key. We also store a record of the OAuth authorisation (timestamp, client ID).
Request logs
Each MCP request generates a structured log event containing: timestamp, your user ID, the tool called, your current plan tier, response status, and truncated tool input and response excerpts. These logs are used for monitoring, debugging, billing, and abuse prevention.
Error reports
We use Sentry for error monitoring. When an error occurs, Sentry may capture request metadata: URL, headers excluding authorisation tokens, and stack traces.
What we never see.
We do not store your prompts or conversations with your AI assistant. The MCP Service only sees individual tool calls, not the surrounding conversation.
We do not sell or share your data with third parties for marketing or advertising purposes.
How We Use Your DataPurpose, not more.
We use collected information only for the following purposes:
Authenticating your identity and enforcing access permissions
Processing MCP tool requests and returning your data to your AI assistant
Monitoring service health, performance, and uptime
Detecting and preventing abuse, unauthorised access, or rate limit violations
Debugging errors and improving service reliability
Who sees your data.
Your data accessed through the MCP Service is sent to the AI assistant you have connected (e.g. Claude by Anthropic). Once data reaches the AI assistant, it is subject to that provider's privacy policy and data handling practices.
We use the following processors to operate the MCP Service. We do not share your data with any other third parties except as required by law.
Data RetentionHow long we keep it.
How we protect it.
We protect your data using the following measures:
Encryption in transit
All connections use TLS encryption.
Hashed API keys
API keys are SHA-256 hashed before storage. Raw keys are never persisted.
OAuth with PKCE
Authentication uses PKCE (S256) to prevent authorisation code interception.
Rate limiting
Authentication endpoints are rate-limited to prevent brute-force attacks.
Scoped access
The MCP Service enforces the same account-level access controls as the Atlas People portal.
Process isolation
The MCP Service runs on Cloudflare Workers with process-level isolation.
Under GDPR, you have the right to:
Access the personal data we hold about you
Request correction of inaccurate personal data
Request deletion of your personal data
Withdraw consent for data processing at any time
Request data portability
Object to processing of your personal data
Lodge a complaint with your local data protection authority
To disconnect the MCP Service, revoke your API key in Account Settings › API Keys in the Atlas People portal. This immediately terminates all MCP sessions using that key.
Changes to This PolicyWe will tell you when things change.
We may update this privacy policy from time to time. We will notify you of any material changes by updating the "Last updated" date at the top of this page. Continued use of the MCP Service after changes constitutes acceptance of the updated policy.
ContactGet in touch.
If you have questions about this privacy policy or our data practices, contact us: