Atlato Global Privacy Policy

Updated: Jan 10, 2026

Introduction

Atlato Pty Ltd is a global technology company offering enterprise‑grade software platforms, web and mobile applications, Internet of Things (IoT) solutions, digital twin services, data lakes and AI‑powered agentic systems under various brands, including Atlato, Atlato ONE, Atlato Go, Atlato Crop, 4EverPulse, FoodieRun, ConvoLane and LauraLogic. This Privacy Policy explains how Atlato collects, uses, stores, discloses, transfers and protects personal information processed through its services. Atlato is committed to protecting personal information and complying with applicable privacy laws, including the Australian Privacy Act 1988 and its Australian Privacy Principles (APPs), the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the U.S. Health Insurance Portability and Accountability Act (HIPAA) when applicable, the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), Canadian and other national privacy laws, as well as emerging guidance on artificial intelligence and data protection. Atlato also aligns with ethical AI principles such as privacy‑by‑design and fairness.

This Policy describes Atlato’s privacy practices for personal information collected from customers, end users and other individuals when interacting with Atlato’s websites, platforms, IoT devices, applications and AI services. Atlato acts as a controller when it determines why and how personal information is processed, and as a processor when it processes data on behalf of enterprise customers. Customers remain responsible for ensuring that their use of Atlato services complies with applicable laws and for obtaining any required consents from individuals.

Definitions

  • Services – Atlato’s websites, platforms, APIs, dashboards, web and mobile applications, IoT devices, sensors, gateways and edge deployments, AI agentic systems (Atlato ONE), AI voice and calling agents (LauraLogic), telematics and agricultural applications (Atlato Go and Atlato Crop), digital twin services, data lake services, call‑orchestration analytics and any other products or services provided by Atlato.

  • Personal Information / Personal Data – information relating to an identified or identifiable individual. This includes name, contact details, device identifiers, call recordings, biometric and health information, precise location data and any other data that relates to an individual.

  • Customer Data – data submitted by or on behalf of Atlato’s enterprise customers, which may include operational telemetry data from assets and sensors, digital‑twin datasets, call metadata, call recordings, transcripts and other information processed through Atlato’s Services. Atlato processes Customer Data strictly in accordance with customer contracts and instructions.

  • Sensitive Information – data about racial or ethnic origin, political opinions, religious beliefs, trade‑union membership, genetic and biometric data, health information, sexual orientation or criminal records. Under Australian and EU law, Atlato will only process sensitive information with consent, where required or authorised by law, or where necessary for service delivery.

  • Protected Health Information (PHI) – health‑related information regulated by HIPAA in the United States. When Atlato acts as a HIPAA Business Associate, it will sign a Business Associate Agreement, use PHI only as permitted by HIPAA, apply the minimum‑necessary principle and support breach‑notification obligations.


Information We Collect

1. Information You Provide Directly

Atlato collects personal information when individuals:

  • Create accounts or use the Services – identity and contact details (name, email address, phone number, company, job title, business address); account credentials and authentication information; profile information.

  • Communicate with Atlato – information from support requests, emails, phone calls, chat transcripts and other communications.

  • Participate in sales processes – enquiry forms, contractual details, onboarding documents and payment information.

  • Provide consents and preferences – marketing preferences, cookie choices, and consent records.


2. Information Collected Automatically

When individuals access Atlato’s Services, Atlato may automatically collect:

  • Device and usage data – IP address, device identifiers, browser type, operating system, usage logs, timestamps, feature interactions and error reports.

  • Cookies and similar technologies – Atlato uses cookies, web beacons and similar tools to personalise experiences, remember preferences, analyse traffic and support security. Individuals can manage cookie preferences through Atlato’s cookie banner or their browser settings.

  • Location data – Atlato derives approximate location from IP addresses and collects precise location only where explicitly enabled or required by the customer.


3. Customer Data Processed Through the Services

Enterprise customers may configure Atlato’s Services to collect and process:

  • Operational telemetry and IoT data – data from assets, fleets, sensors and workflows, including telematics data from Atlato Go and agricultural data from Atlato Crop.

  • Digital twin and data‑lake datasets – models, simulations and analytics produced or provided by customers.

  • Call centre data – caller ID, call metadata, call recordings and transcripts from AI calling agents and voice assistants, when enabled.

  • Industry‑specific data – appointment, enquiry or service‑related data in healthcare, utilities, mining, telecommunications, government, financial services, leisure and other sectors.

Customers determine what data they collect; Atlato processes Customer Data strictly according to customer instructions and applicable law.

Purposes of Processing

Atlato uses personal information for the following purposes, in accordance with applicable privacy laws:

  1. Providing and operating the Services – to deploy, configure, maintain and support Atlato platforms, IoT solutions, AI agentic systems and applications. This includes authenticating users, managing accounts and access controls, onboarding IoT devices and integrating third‑party systems.

  2. Communications and support – to respond to enquiries, provide technical support, send service‑related notifications (e.g., incidents, billing, updates) and conduct customer‑success activities.

  3. Improving performance and security – to monitor system usage, perform analytics, conduct audits, improve reliability and develop new features. Atlato uses aggregated or de‑identified data for analytics and reporting.

  4. AI model operation and improvement – to generate responses, perform voice synthesis, route calls and provide agentic workflows through Atlato ONE and LauraLogic. When developing or fine‑tuning AI models, Atlato applies a privacy‑by‑design approach, ensures that training data complies with data protection principles and minimises the use of personal data. Atlato does not use customer content to train its foundation models without consent.

  5. Legal compliance and risk management – to comply with contractual and legal obligations, such as export controls, sanctions, anti‑money‑laundering requirements, law enforcement requests, financial‑services regulations and obligations under healthcare‑specific laws (e.g., HIPAA).

  6. Marketing and events – to send marketing communications where permitted by law, invite individuals to events or webinars, personalise content and administer promotions. Individuals can opt out of marketing at any time.

  7. Safety, security and fraud prevention – to protect rights, property and safety of Atlato, customers and users; prevent fraud; detect misuse of the Services and enforce agreements.

  8. Business transactions – to facilitate mergers, acquisitions, restructurings or asset transfers, subject to appropriate safeguards.


Atlato relies on various legal bases under the GDPR and other laws, including: (i) performance of a contract, (ii) legitimate interests in operating the Services and ensuring security, (iii) compliance with legal obligations, and (iv) consent where required (e.g., marketing communications, processing of sensitive data or children’s data).

 

How We Share Personal Information

Atlato does not sell personal information. Atlato only shares personal information to the extent necessary to provide, operate, secure and improve the Services, or as otherwise authorised or required by law.

  1. Customer‑enabled third‑party integrations – Customers may enable integrations with telephony providers, cloud marketplaces, CRM systems, analytics tools, IoT connectivity services or other third‑party applications. Atlato will share personal information only as needed to support the requested functionality.

  2. Service providers and sub‑processors – Atlato engages trusted vendors for hosting, security, communications, billing, analytics and support. These vendors may access personal information solely to perform services on Atlato’s behalf and are bound by contractual confidentiality, security and data‑protection obligations.

  3. Affiliates and internal sharing – Personal information may be shared within Atlato and its affiliated entities on a need‑to‑know basis for purposes consistent with this Policy.

  4. Business transfers – In the event of a merger, acquisition, restructuring or sale of assets, personal information may be transferred, subject to continued application of this Policy and compliance with applicable law.

  5. Legal requirements and protection of rights – Atlato may disclose personal information to comply with legal obligations, enforce agreements, respond to lawful requests, prevent fraud, investigate security incidents or protect the rights, property or safety of Atlato, customers or others.

  6. With consent or customer instructions – Atlato may share information where customers or individuals request or consent to such sharing.

  7. Aggregated and de‑identified information – Atlato may use and share aggregated or de‑identified data for analytics and reporting in a manner that does not reasonably identify individuals.


Before engaging any new sub‑processor, Atlato will ensure that a written data‑processing agreement is in place and will provide notice to customers in accordance with contractual commitments.

Security and Safeguards

Atlato takes security seriously. Atlato maintains appropriate technical and organisational measures to protect personal information against unauthorised access, disclosure, alteration or destruction, including:

  • Encryption of data in transit and at rest and secure communication protocols.

  • Access controls – role‑based access, least‑privilege policies and multi‑factor authentication.

  • Network and application security – firewalls, intrusion detection, vulnerability management and secure development practices.

  • Physical security of facilities and data centres.

  • Compliance programs – alignment with standards such as ISO 27001, SOC 2, PCI DSS and relevant industry‑specific regulations (e.g., HIPAA Security Rule requirements for ePHI, which require risk analysis, access controls and de‑identification techniques).

  • Incident response and breach notification – procedures to detect, investigate and respond to security incidents, and, where required, notify individuals and regulators.


No system is 100% secure, but Atlato works continuously to reduce risk and regularly tests its systems, trains personnel on security and monitors for vulnerabilities.

International Transfers

Atlato operates globally. Personal information may be stored and processed in Australia, the United States, the European Economic Area (EEA) and other countries where Atlato or its service providers maintain facilities. When transferring personal information outside its country of origin, Atlato relies on appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs) issued by the European Commission or the UK Information Commissioner’s Office when transferring data from the EEA or UK to non‑adequate jurisdictions.

  • Data processing agreements and confidentiality obligations with sub‑processors.

  • Alternative transfer mechanisms permitted under applicable laws (e.g., adequacy decisions, certification schemes).


If personal information is transferred outside Australia, Atlato takes reasonable steps to ensure that the recipient will handle it in a manner consistent with the Australian Privacy Principles.

Retention of Personal Information

Atlato retains personal information for as long as necessary to fulfil the purposes described in this Policy, to comply with legal obligations (including tax and accounting requirements) and to resolve disputes. Retention periods vary depending on the nature of the data and the context in which it is processed. Atlato periodically reviews retention periods and securely deletes or anonymises data when it is no longer needed, in accordance with applicable law.

Your Rights and Choices

Individuals have various rights over their personal information, depending on their jurisdiction:

  • Access and rectification – You can request confirmation of whether Atlato holds personal information about you and obtain copies of that information. You may request correction of inaccurate or incomplete data.

  • Deletion and restriction – You may request deletion of personal information that is no longer necessary for the purposes for which it was collected or processed, processed based on withdrawn consent or processed in violation of law. Atlato may retain certain information as required by law or for legitimate business purposes.

  • Data portability – Where applicable (e.g., under the GDPR), you can request a copy of your data in a structured, commonly used and machine‑readable format and ask Atlato to transfer it to another controller.

  • Objection and opt‑out – You may object to processing based on legitimate interests and opt out of marketing communications. To stop receiving promotional emails, follow the unsubscribe instructions or adjust your communication preferences.

  • Cookie management – Manage cookie preferences via Atlato’s cookie banner or browser settings.

  • Automated decision‑making and profiling – Atlato does not make solely automated decisions that have legal or similarly significant effects without human review. If Atlato deploys AI models to assist with decision‑making in high‑impact domains (e.g., healthcare triage, employment), individuals have the right to request human intervention and contest the decision.

Atlato will respond to rights requests in accordance with applicable law. Requests may be subject to identity verification. Individuals can submit requests using the contact details below.

Children’s Privacy

Atlato’s Services are generally designed for enterprise and professional users. Atlato does not knowingly collect personal information from children under 13 (or under 16 in some jurisdictions) without verifiable parental consent. If Atlato becomes aware that it has collected personal information from a child without appropriate consent, it will delete that information. If your business uses Atlato services to process children’s data (e.g., educational applications), you remain responsible for complying with applicable child‑privacy laws, such as COPPA in the U.S. and relevant provisions of the Australian Privacy Act and the UK GDPR.

HIPAA and Healthcare‑Specific Obligations

When Atlato provides services to covered entities or business associates in the U.S. healthcare sector, Atlato acts as a Business Associate under HIPAA. Atlato will:

  • Sign a Business Associate Agreement with the customer and use or disclose PHI only as permitted by the BAA and HIPAA.

  • Apply the minimum‑necessary principle – AI systems processing PHI must access only the information essential for their functions, and Atlato will implement technical controls limiting data access based on roles.

  • Implement safeguards required under the HIPAA Security Rule, including risk analysis, unique user identification, audit controls, integrity controls, transmission security and policies for workforce training.

  • Support breach notification obligations under the HIPAA Breach Notification Rule.

  • De‑identify data where possible – Atlato may use Safe Harbor or expert‑determination methods to remove identifiers, thereby enabling AI innovation while maintaining privacy.


Healthcare customers remain responsible for obtaining necessary patient consents and ensuring their use of Atlato services complies with HIPAA and other healthcare laws.

AI‑Specific Responsibilities

Atlato develops and deploys AI agentic systems (Atlato ONE), AI voice and calling agents (LauraLogic) and other generative‑AI features. Consistent with emerging regulatory guidance, including the Office of the Australian Information Commissioner (OAIC) guidance on AI deployment, the European Data Protection Supervisor’s guidance on generative AI, and the UK Information Commissioner’s Office guidance on AI and data protection, Atlato commits to the following principles:

  1. Privacy by design and by default – Atlato integrates privacy considerations throughout the AI system lifecycle, from problem formulation and data collection to training, deployment, monitoring and decommissioning. Atlato conducts privacy impact assessments (PIAs) for high‑risk AI projects and implements measures to mitigate risks to individuals.

  2. Transparency and notice – Atlato provides clear notices to customers and end users about AI features, including the types of data used, purposes of processing, and any automated decision‑making involved. Customers must ensure that their end‑user notices accurately describe how they use Atlato’s AI services.

  3. Data minimisation and purpose limitation – Atlato collects and processes only the personal data reasonably necessary for AI functions. Atlato discourages customers from inputting sensitive personal information or PHI into generative AI models unless strictly required and lawful.

  4. Accuracy and fairness – Atlato uses high‑quality training data, evaluates models for accuracy and bias and implements measures to mitigate unfair discrimination. Customers deploying AI models must not rely solely on AI outputs for high‑impact decisions and should embed human oversight. Atlato’s models do not knowingly produce content that infringes privacy rights or reveals personal information.

  5. Security and accountability – Atlato documents AI system designs, maintains inventories of AI assets, monitors models for drift and vulnerabilities and ensures that sub‑processors adhere to security obligations. Atlato will maintain records of processing activities and, when acting as a controller, cooperate with regulators.

  6. Due diligence on third‑party AI – When Atlato uses third‑party AI tools or models, it conducts due diligence to ensure compliance with data protection requirements and enters into appropriate data‑processing agreements.

  7. Individuals’ rights – Individuals may request explanations of significant AI‑assisted decisions and exercise rights to challenge or seek human review. Atlato will support customers in handling such requests and in complying with obligations under Article 22 of the GDPR and corresponding provisions in other jurisdictions.


Data for Minors and Individuals under Australian Law

The Australian Privacy Act recognises that some personal information is more sensitive (e.g., health information, political opinions). Atlato will only collect sensitive information as permitted under the APPs or with explicit consent. For minors, Atlato will seek parental or guardian consent where required and will not use personal information of children for marketing or AI training. Atlato abides by Australia’s Notifiable Data Breaches scheme, the My Health Records Act 2012 for healthcare data and other sector‑specific regulations such as telecommunications privacy obligations.

Additional Jurisdiction‑Specific Information

Australia

  • Atlato complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), which require open and transparent management of personal information, limitations on collection, use and disclosure, data quality and security, and rights of access and correction.

  • Atlato follows guidance from the OAIC on privacy and AI, including conducting due diligence on AI products, updating privacy policies to reflect AI use, avoiding entering sensitive information into publicly available generative AI tools and performing privacy impact assessments for AI systems.

  • Atlato complies with Australia’s data localisation rules for certain sectors (e.g., healthcare data) and with obligations under the Notifiable Data Breaches scheme to notify individuals and the OAIC of eligible data breaches.


European Economic Area and United Kingdom

  • Atlato processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679, the UK GDPR and the Data Protection Act 2018. Atlato provides individuals with rights to access, rectify, erase, restrict and object to processing, and to data portability.

  • Atlato implements core data protection principles such as transparency, lawfulness, fairness, data minimisation, purpose limitation and accountability.

  • When processing data for generative AI systems, Atlato determines roles and responsibilities (controller vs. processor vs. joint controller), documents processing activities and enters into appropriate joint‑controller arrangements.


United States

  • Atlato complies with sector‑specific laws such as HIPAA for healthcare, the Gramm‑Leach‑Bliley Act (GLBA) for financial services, the Children’s Online Privacy Protection Act (COPPA) for children’s data and state privacy laws (e.g., CCPA/CPRA).

  • Atlato follows guidance from the U.S. Department of Health and Human Services (HHS) on AI and HIPAA, including minimum necessary standards and de‑identification requirements.


Canada

  • Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy laws, Canadian residents have rights to access, correct and delete their personal information. Atlato will respond to requests in accordance with Canadian law.


Other Jurisdictions

  • Atlato complies with other applicable national privacy laws (e.g., India’s Digital Personal Data Protection Act 2023; China’s Personal Information Protection Law; Japan’s Act on the Protection of Personal Information) when providing services in those countries.


Contact Us

If you have questions or concerns about Atlato’s privacy practices or this Policy, or if you wish to exercise your rights, please contact:

Atlato Data Protection Office

Email: privacy@atlato.com
Address: Atlato Pty Ltd, 2/622, Ferntree Gully Road, Wheelers Hill, VIC 3150, Australia.

Individuals may also have the right to lodge a complaint with a supervisory authority in their jurisdiction (e.g., the OAIC in Australia, the Data Protection Commission in the EU, the ICO in the UK or the U.S. Department of Health and Human Services for HIPAA matters).

Changes to this Privacy Policy

Atlato may update this Policy from time to time to reflect changes in law, technology or business practices. The “Updated” date at the top of this Policy indicates the date of the latest revision. If Atlato makes material changes that reduce protections, it will notify affected individuals and provide an opportunity to review the changes before they take effect. Continued use of the Services after any update constitutes acceptance of the revised Policy.