Atlas ITINBack home

Legal

Privacy Policy

Privacy Policy

This Privacy Policy explains how Atlas Compliance Inc ("Atlas," "we," "our," or "us") collects, uses, discloses, retains, and protects personal information when you visit atlas-itin.com or use our ITIN application facilitation service. Atlas Compliance Inc is a private service facilitation company. We are not a Certifying Acceptance Agent (CAA), not a government agency, and not affiliated with, endorsed by, or associated with the Internal Revenue Service (IRS). ITIN applications submitted through our platform are processed, certified, and submitted to the IRS by IRS-authorized Certifying Acceptance Agent partners.

Last updated: 2026-05-23

1. Snapshot

  • Who we are: Atlas Compliance Inc, a Florida corporation, 2125 Biscayne Boulevard, Ste 204 #24685, Miami, Florida 33137, USA (mail only, no walk-ins).
  • What we collect: identifiers, sensitive identity documents (passport and government-ID images), tax-related information (W-7 data), immigration / visa status, payment information processed by Stripe, internet and device data.
  • Why we collect it: to facilitate your ITIN application with our IRS-authorized CAA partner, deliver your ITIN, prevent fraud, communicate with you, and meet legal obligations.
  • Who we share it with: our IRS-authorized CAA partner, Stripe, FedEx and USPS, Google Analytics, Meta Pixel, Klaviyo, Airtable, AWS, and government agencies where required by law.
  • Your rights: under California, EU/UK and other privacy laws you may request access, correction, deletion, portability, restriction, and opt-out of sale/share, and limit the use of sensitive personal information. Contact us at privacy@atlas-itin.com.
  • Retention: identity documents retained 3 years from order completion; tax-related documents 7 years; transactional records 7 years.
  • Security: we self-treat as a covered financial institution under the FTC Safeguards Rule, 16 CFR Part 314. Data encrypted in transit (TLS 1.2+) and at rest (AES-256).

2. Service-Nature Notice

Atlas Compliance Inc is a service facilitation company. We do not certify or submit ITIN applications to the IRS in our own capacity. An IRS-authorized Certifying Acceptance Agent (CAA) partner performs certification and IRS submission. The IRS makes the final decision on every ITIN application. Approximate IRS processing time is 6 to 12 weeks and is outside our control.

3. Identity and Contact of the Controller

  • Legal entity: Atlas Compliance Inc, a corporation organized under the laws of the State of Florida, USA.
  • Postal address: 2125 Biscayne Boulevard, Ste 204 #24685, Miami, Florida 33137, USA (mail only, no walk-ins).
  • Privacy contact: privacy@atlas-itin.com
  • General contact: hello@atlas-itin.com
  • EU/UK representative: not currently appointed; EU and UK individuals may contact privacy@atlas-itin.com.

4. Categories of Personal Information We Collect

  1. Identifiers: full legal name, email address, phone number, mailing address, IP address, device identifiers, order number.
  2. Government-issued identifier numbers: passport number, country of issuance, national-ID number, visa number.
  3. Sensitive personal information (California Civil Code §1798.140(ae)): passport photographs and scans, government-ID photographs and scans, immigration / visa status, date of birth, country of birth and citizenship, account log-in information if used.
  4. Tax information: Form W-7 data, prior U.S. tax returns where applicable, taxpayer-identification information you provide for the application.
  5. Commercial information: transaction history, products and services purchased, payment confirmation data.
  6. Internet or network activity: cookies, pixel data, pages viewed, referrers, browser, operating system, analytics events.
  7. Geolocation (general): approximate location derived from IP address.
  8. Communications data: content of emails, SMS, and WhatsApp messages you exchange with us; support-ticket history.

We do not knowingly collect Social Security Numbers; if you provide an SSN in error, please contact privacy@atlas-itin.com to have it deleted.

5. Purposes of Processing

CategoryPurpose
Identifiers, commercial informationCreate and manage your order; deliver your ITIN; provide customer support; fraud prevention.
Sensitive personal information; tax informationSubmit your application package to our IRS-authorized CAA partner for certification and IRS submission.
Internet activity, cookiesOperate the site; analytics; marketing (with consent where required); security.
Communications dataRespond to inquiries; provide service updates; comply with legal-hold requirements.
Geolocation (general)Fraud prevention; regional cookie-consent presentation; compliance with regional requirements.

6. Legal Bases for Processing (EU/UK Visitors)

Where the EU General Data Protection Regulation (Regulation (EU) 2016/679) or the UK GDPR applies to our processing, we rely on these legal bases:

  1. Performance of a contract (Art. 6(1)(b)) — to facilitate the ITIN application you ordered.
  2. Compliance with legal obligation (Art. 6(1)(c)) — to meet record-keeping, tax, and law-enforcement obligations.
  3. Legitimate interests (Art. 6(1)(f)) — to prevent fraud, secure our service, and improve our offering, balanced against your rights.
  4. Consent (Art. 6(1)(a)) — for non-essential cookies, marketing email, SMS, and WhatsApp communications, and for processing of special-category data.
  5. Explicit consent for special-category data (Art. 9(2)(a)) — for passport, government-ID, and immigration-status data that may reveal sensitive characteristics.

7. How We Share Personal Information

We disclose personal information only to the following categories of recipients, and only for the purposes described:

  1. IRS-authorized Certifying Acceptance Agent (CAA) partner — to review, certify, and submit your ITIN application to the IRS. We do not name our CAA partner publicly; the partner is bound by written confidentiality and data-handling obligations.
  2. Stripe, Inc. — payment processing. Stripe is a PCI-DSS Level 1 service provider; we do not store full card numbers on our systems.
  3. FedEx and USPS Priority Mail — physical shipment of documents where applicable.
  4. Google Analytics (Google LLC) — website analytics.
  5. Meta Pixel (Meta Platforms, Inc.) — marketing analytics; suppressed on pages where sensitive personal information is collected.
  6. Klaviyo, Inc. — transactional and marketing email, SMS messaging.
  7. Meta WhatsApp Business API (Meta Platforms, Inc.) — transactional and marketing WhatsApp messaging.
  8. Airtable, Inc. — CRM and shared back-office database with our CAA partner for order tracking.
  9. Amazon Web Services, Inc. — cloud storage in the us-east-1 region (Server-Side Encrypted, SSE-S3).
  10. Government agencies and law enforcement — only when required by law (subpoena, court order, lawful request) or to protect rights, safety, or property.
  11. Professional advisors and corporate transactions — auditors, lawyers, accountants, and successors in interest in a merger, acquisition, or asset sale, under appropriate confidentiality terms.

We do not share immigration-status or visa-status information with U.S. Citizenship and Immigration Services (USCIS), U.S. Immigration and Customs Enforcement (ICE), or any law-enforcement agency except when required by valid legal process.

8. We Do Not Sell Personal Information

Atlas does not sell personal information for money. We do disclose certain online identifiers to advertising and analytics partners (Meta Pixel, Google Analytics), which may be treated as "sharing" or "selling" under the California Consumer Privacy Act (CCPA) as amended by the CPRA. You may opt out of such sharing at any time, including via a Global Privacy Control signal.

9. Cookies and Tracking

Our use of cookies, pixels, and similar technologies is described in our Cookie Policy. We honor Global Privacy Control (GPC) opt-out signals where required by law.

10. Retention

CategoryRetention period
Client identity documents (passport, government-ID images)3 years from order completion (aligned with CAA IRS Publication 4520 record-keeping requirements).
Tax-related documents (W-7 data, prior returns)7 years from order completion (aligned with IRC §6501 assessment statute of limitations).
Transactional and order records7 years.
Marketing contact dataUntil you opt out, plus a short archival period to honor your opt-out.
Support tickets3 years from last contact.
CookiesPer Cookie Policy schedule.

After the applicable period, we securely delete or anonymize the data unless a longer period is required by law (for example, IRS retention requirements, legal-hold orders, or pending disputes).

11. International Data Transfers

Atlas processes personal information in the United States. If you are located in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction outside the United States, your personal information will be transferred to the United States. We rely on appropriate safeguards under GDPR Art. 46, including the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum. A copy of the SCCs we use is available upon request at privacy@atlas-itin.com.

12. Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to:

  1. Know the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of recipients.
  2. Delete personal information we hold about you, subject to legal exceptions (such as IRS record-keeping or active fraud investigations).
  3. Correct inaccurate personal information.
  4. Opt out of sale or sharing of personal information.
  5. Limit the use and disclosure of sensitive personal information to what is necessary to perform the service you requested (CCPA §1798.121).
  6. Data portability — receive your personal information in a portable, machine-readable format.
  7. Non-discrimination — we will not discriminate against you for exercising these rights.
  8. Appeal a denial of a privacy request by replying to our response with the words "request appeal."

To exercise a right, email privacy@atlas-itin.com. We will verify your identity (typically by matching information you provide against information we hold). We respond within 45 days, with one 45-day extension available. You may authorize an agent to act on your behalf with written, verifiable authorization.

California Shine the Light (Cal. Civ. Code §1798.83): California residents may request information about our disclosures of personal information to third parties for those third parties' direct-marketing purposes. We do not currently share personal information in a manner that triggers this disclosure, but you may submit a request at privacy@atlas-itin.com.

Financial incentives (CCPA §1798.125): we do not offer financial incentives in exchange for personal information.

13. Your EU and UK Privacy Rights (GDPR / UK GDPR)

If the GDPR or UK GDPR applies to our processing of your personal information, you have these rights:

  1. Access — request a copy of the personal data we process about you.
  2. Rectification — correct inaccurate or incomplete data.
  3. Erasure — request deletion ("right to be forgotten"), subject to legal exceptions.
  4. Restriction — restrict processing in certain circumstances.
  5. Portability — receive data in a structured, commonly used, machine-readable format.
  6. Objection — object to processing based on legitimate interests or for direct marketing.
  7. Withdraw consent — where processing is based on consent, you may withdraw consent at any time without affecting prior lawful processing.
  8. Lodge a complaint with your supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office at ico.org.uk.

To exercise these rights, email privacy@atlas-itin.com.

14. Other U.S. State Rights

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Nebraska, Rhode Island, or another state with a comprehensive privacy law, you have rights substantially similar to the California rights above (access, correction, deletion, portability, opt-out of targeted advertising and sale, appeal). To exercise these rights, email privacy@atlas-itin.com and state your jurisdiction.

15. Automated Decision-Making

We do not make solely automated decisions that produce legal or similarly significant effects about you. All uploaded identity documents are manually reviewed by Atlas staff for completeness. No OCR, face-matching, or machine-learning quality check is performed today. If we adopt such tools in the future, we will update this Policy and provide any rights required under GDPR Art. 22 and applicable U.S. state law.

16. Security of Personal Information

Atlas self-treats as a covered financial institution under the FTC Safeguards Rule, 16 CFR Part 314, given the sensitivity of the data we handle. We maintain:

  1. A Written Information Security Program (WISP) overseen by a designated Qualified Individual.
  2. Encryption in transit (TLS 1.2 or higher) and at rest (AES-256).
  3. Role-based access controls and multi-factor authentication on systems that hold customer information.
  4. Annual penetration testing and bi-annual vulnerability assessments.
  5. Vendor oversight, periodic risk assessments, and an annual report to the governing body.
  6. Employee training and confidentiality obligations.

For details on document handling, see our Document Handling and Data Security Statement.

17. Breach Notification

If we determine that a security event has compromised your personal information, we will notify you as expeditiously as practicable and no later than 30 days after determination, consistent with the Florida Information Protection Act, Fla. Stat. §501.171. For security events involving the unencrypted personal information of 500 or more consumers, we will notify the U.S. Federal Trade Commission within 30 days as required by 16 CFR §314.5. Where additional state laws require notification, we will comply with those laws as well.

18. Children's Privacy

Our service is offered only to individuals who are 18 years of age or older. We do not knowingly collect personal information from children under 13, consistent with the Children's Online Privacy Protection Act, 16 CFR Part 312. See our Age and Eligibility Policy. Parents and legal guardians who are 18 or older may submit dependent ITIN applications for their dependents and are the customers of record.

19. Tax-Return Information Confidentiality

We handle the information you submit on Form W-7 and any prior tax-return information consistent with the confidentiality expectations of 26 U.S.C. §6103 and related provisions. The IRS-authorized CAA partner that processes your application is independently bound by IRS confidentiality rules. We do not use tax-return information for marketing, profiling, or any purpose unrelated to the ITIN application unless you give separate written consent.

20. Marketing Communications (Email, SMS, WhatsApp)

If you have opted in, we may send marketing communications by email, SMS, or WhatsApp. You may opt out at any time:

  • Email: click the unsubscribe link in any marketing email, or reply UNSUBSCRIBE.
  • SMS: reply STOP to any marketing text. Reply HELP for help.
  • WhatsApp: reply STOP to any marketing WhatsApp message.

Standard message and data rates may apply to SMS and WhatsApp messages. We may send up to approximately ten messages per month per channel for transactional and marketing purposes combined. Transactional messages relating to your active order may continue after a marketing opt-out. We do not condition the provision of our service on your consent to marketing.

Atlas Compliance Inc, 2125 Biscayne Boulevard, Ste 204 #24685, Miami, Florida 33137, USA — the postal address for CAN-SPAM Act compliance.

21. Cross-References

For details on how we handle cookies, see our Cookie Policy. For our contract terms, see our Terms of Service. For refunds and cancellations, see our Refund and Cancellation Policy. For service-nature disclosures, see our Disclaimer.

22. Changes to this Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes that affect your rights, we will provide reasonable notice (for example, an email or a banner on the site) and, where required by law, obtain your consent.

23. Contact

For privacy questions, requests, or complaints:

  • Email: privacy@atlas-itin.com
  • Postal mail: Atlas Compliance Inc, Attn: Privacy, 2125 Biscayne Boulevard, Ste 204 #24685, Miami, Florida 33137, USA (mail only, no walk-ins).

Atlas Compliance Inc, 2125 Biscayne Boulevard, Ste 204 #24685, Miami, Florida 33137, USA.

Other legal pages