Legal

Privacy Policy

Effective: April 16, 2026

Last updated: April 16, 2026

Athon AI, Inc. (“Athon,” “we,” “our,” or “us”) builds an AI command center that unifies fragmented operational data for modern businesses. This Privacy Policy explains how we collect, use, share, and protect information in connection with our marketing website, sales interactions, and the Athon platform (collectively, the “Services”).

Where we act as a service provider or processor for a customer, your organization’s data (“Customer Data”) is governed by our written agreement with the customer, not by this Policy. Customers operating in healthcare or other regulated industries should review our healthcare privacy addendum for HIPAA and 42 CFR Part 2 specific terms.

01

Scope and Applicability

This Policy applies to information we collect when you visit our website, contact our sales or support team, or otherwise interact with us as a prospective or existing customer. It does not apply to Customer Data that we process on behalf of our customers through the Athon platform. Processing of Customer Data is governed by the applicable Master Services Agreement and Data Processing Addendum between Athon and the customer.

02

Our Role: Controller vs. Processor

Website and marketing interactions. Athon is the “controller” (under GDPR/UK GDPR) or “business” (under CCPA/CPRA) of personal information collected through our website, marketing events, and sales process.

Platform operations. When our customers use the Athon platform to process their own data, Athon is a “processor” (GDPR) or “service provider” (CCPA) acting on our customer’s documented instructions. For industry-specific roles (e.g., HIPAA Business Associate), see the applicable addendum.

03

Information We Collect

We collect the following categories of information:

  • Contact information you provide — name, business email, company, job title, phone — when you request a demo, subscribe to updates, or contact us.
  • Usage and device data about your visit to our website — pages viewed, referring URL, IP address, approximate location, browser and device type, session timestamps.
  • Communications you send us by email or through our Services, including support tickets and meeting notes.
  • Customer Data. When a customer connects the Athon platform to their systems, Customer Data flows into the customer’s environment. Athon does not collect, store, or mirror Customer Data on our own infrastructure in customer-hosted deployments. See Section 8.

We do not knowingly collect sensitive categories of personal information for website visitors other than what you voluntarily submit.

04

How We Use Information

We use website and business-contact information to:

  • Respond to inquiries and schedule demos or data assessments.
  • Provide and improve our Services, including diagnosing and fixing technical issues.
  • Send operational communications and, with your consent, marketing updates.
  • Comply with legal obligations, enforce our terms, and prevent fraud or abuse.

We process Customer Data only on the documented instructions of the customer and for the purposes defined in the Master Services Agreement.

05

How We Share Information

We share information only as described below:

  • Service providers and subprocessors that support our operations (infrastructure, analytics, customer support, email delivery, billing), bound by written contracts with confidentiality and data-protection terms at least as protective as this Policy. Our current subprocessor list is available on request and we provide at least 30 days’ notice of material changes to customers.
  • Customer-directed third parties. When a customer configures Athon to route outputs to a third-party AI provider or destination, we transmit Customer Data to that provider under the customer’s instructions.
  • Legal and safety. We may disclose information when required by valid legal process or to protect the rights, property, or safety of Athon, our customers, or the public.
  • Corporate transactions. In the event of a merger, acquisition, or asset sale, information may transfer to the successor entity, which will be bound by terms no less protective than this Policy.

We do not sell personal information. We do not share personal information with third parties for their independent marketing purposes.

06

AI, Machine Learning, and Model Training

How AI systems handle your data matters. Our commitments:

  • We do not use Customer Data to train, fine-tune, or improve any generalized or foundation AI models, whether our own or those of third parties.
  • When customer-configured workflows route data to third-party model providers (e.g., Anthropic, OpenAI, Google), those providers are contractually bound to (i) not retain inputs or outputs beyond the processing window, (ii) not use Customer Data for model training, and (iii) operate under a zero-retention configuration where available.
  • Athon is AI-agnostic. Customers choose which model providers operate within their tenant; we do not impose a default model or require use of any specific provider.
  • Any internal model improvement work uses only de-identified data or aggregate service telemetry, and only where permitted by the customer agreement.

07

Compliance and Industry-Specific Addenda

Athon’s security and privacy program is aligned to SOC 2 Type II readiness, GDPR, and CCPA/CPRA, as well as industry-specific frameworks where applicable. Customers operating in regulated industries may require additional addenda to this Policy:

  • Healthcare (HIPAA and 42 CFR Part 2). See our healthcare privacy addendum for PHI-specific terms, Business Associate Agreements, and 42 CFR Part 2 treatment of substance use disorder records.

08

Data Residency and Customer-Hosted Deployments

Athon is cloud-agnostic. Customers deploy on Google Cloud, AWS, Azure, or on-premise infrastructure, and choose the region in which their Customer Data resides. In customer-hosted deployments, Customer Data never leaves the customer’s cloud boundary. Athon’s control plane does not store, copy, or mirror Customer Data on Athon-operated infrastructure.

For managed deployments, we honor customer-specified data-residency requirements and document the processing region in the order form or Data Processing Addendum.

09

Data Security

We maintain a security program aligned to industry frameworks, including SOC 2 Type II readiness and NIST CSF practices. Controls include encryption at rest and in transit (TLS 1.2+, AES-256), role-based access controls with least-privilege and MFA, tenant isolation, continuous vulnerability scanning, logging and audit trails, and documented incident response and breach notification procedures. No system is perfectly secure, but we work hard to protect information entrusted to us and will promptly notify affected customers in the event of a confirmed security incident involving their data, in accordance with the customer agreement and applicable law.

10

Data Retention and Deletion

We retain website and business-contact information for as long as necessary to fulfill the purposes described in this Policy or as required by law — typically no longer than 24 months after your last interaction, unless a contractual relationship continues or a legal hold applies.

Customer Data is retained and deleted according to the customer’s configuration and the Master Services Agreement. Following contract termination, Customer Data is returned or deleted within 30 days, with a 30-day backup purge window after that. Customers may request earlier deletion at any time.

11

International Data Transfers

If personal information is transferred outside your country of residence, we rely on lawful transfer mechanisms — including Standard Contractual Clauses, the EU–US Data Privacy Framework where applicable, and supplementary safeguards. Customers with data-residency requirements may deploy Athon in a region that avoids international transfers entirely.

12

Your Privacy Rights

Depending on your location, you may have rights to access, correct, delete, port, or restrict the processing of your personal information; to object to certain processing; and to withdraw consent. To exercise these rights for information Athon controls, contact privacy@athonai.com. For information processed on behalf of an Athon customer, please contact the customer directly; we will support the customer’s response to your request.

US residents (California, Virginia, Colorado, Connecticut, Utah, Texas, and others): you may have specific rights under state privacy laws, including the right to know, delete, correct, opt out of certain sharing, and non-discrimination. Athon does not sell personal information and does not engage in cross-context behavioral advertising with Customer Data.

EU/UK/Switzerland residents: you may lodge a complaint with your local supervisory authority. Our representative in the EU, where required, is available on request.

13

Children’s Privacy

Our Services are designed for businesses and are not directed to children under 16. We do not knowingly collect personal information from children through our website.

14

Changes and Contact

We may update this Policy from time to time. If we make material changes, we will notify customers by email or in-product notice and update the “Last updated” date above. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

Questions or requests related to this Policy:

Athon AI, Inc.

Attn: Privacy

privacy@athonai.com

adi@athonai.com