Privacy Policy — Project Desk by Atlier
Effective date: June 24, 2026
Last updated: June 24, 2026
This Privacy Policy explains what data Project Desk collects, why we collect it, who it is shared with, and the choices you have. It is written to be honest about what the service actually does — you can export your data and delete your account yourself, any time, from Settings (see "Your choices and deletion").
1. Who we are
Project Desk is a hosted, AI-first project and work-management "desk." You connect to it from an AI client (such as Claude Desktop or Codex Desktop) through a remote MCP connector, or directly over our HTTP API, and the AI reads and writes your work items (projects, issues, and returns) on your behalf.
- Product: Project Desk (the Cloud surface), branded Project Desk by Atlier.
- Platform / brand: Atlier.
- Operator (data controller): Wilds, Inc., 10 Williams Road, Lexington, MA 02420, USA.
- Operated by: Justin Wilds (sole operator).
- Service address: https://atlier.ai (the Azure host https://atlier-app-erbzewe2epexfqdu.eastus-01.azurewebsites.net also resolves to the same service).
Contact
For privacy questions, data-access requests, or deletion requests, contact:
Email: wildsdesign@gmail.com
2. What data we collect, and why
We collect three categories of data. We collect only what the service needs to sign you in, to store the work you create, and to keep the AI connector working.
a) Account and profile data (from GitHub or Google)
When you sign in, you authenticate directly with GitHub or Google using OAuth. We do not run a password system and we never see your GitHub or Google password. From your sign-in we receive and store:
- Your verified email address — used as your unique identity. One person maps to one account by email, so signing in with GitHub and Google that share the same verified email links to the same desk.
- Your display name — shown in the interface. (For GitHub, if no name is set, your GitHub username is used.)
- Your provider account identifier — the numeric/string id GitHub or Google assigns to you, stored so we can reliably match you to your account on future sign-ins.
We also generate an internal account id for you, which is the key that scopes all of your desk content to you.
What we do not store from your profile: we do not store your profile photo / avatar. We request only the minimal scopes needed to read your verified email and name (`read:user user:email` for GitHub; `openid email profile` for Google), and we read only your id, email, email-verification status, and name. The short-lived access token that GitHub or Google issues during sign-in is used once, in-request, to fetch that profile and is never saved.
Why: to identify you, to keep one account per person, and to display your name. This is necessary to provide the service you asked for.
b) The desk content you create
This is the substance of the service — the work items you (or the AI acting on your instructions) create and edit:
- Projects — name, "shape" (free-text description of the project), "next move," proof/status fields, and a metadata bag (for example a linked repository or URL).
- Issues — title, status, type, labels, and a free-text body.
- Returns (hand-offs back to you) — free-text content, status, posture, linked issue, sources, and context.
The title, body, shape, next-move, and context fields are free-form. They contain whatever you type or whatever the AI writes at your direction. This is your personal and work content.
Why: to store and display your work, and to let the AI connector read and update it on your behalf. This is the core function of the service.
c) Sign-in, session, and connector artifacts
To keep you signed in and to operate the AI connector securely, we store and use:
- A web session cookie (`atlier_session`) — an HMAC-signed token that contains only your account id. It is `HttpOnly`, `Secure`, `SameSite=Lax`, and lasts up to 30 days. We do not keep a server-side session store.
- A short-lived CSRF cookie (`atlier_oauth_state`) — used only during sign-in to protect the OAuth round-trip (about 10 minutes).
- Registered connector clients — when an AI client registers to use the MCP connector, we store its client id, redirect URLs, client name, and registration time so the connector keeps working across restarts.
- Short-lived authorization records — pending authorization transactions (about 5 minutes) and one-time authorization codes (about 60 seconds, single-use). These are automatically swept after they expire.
Connector access and refresh tokens are not stored. They are stateless, cryptographically signed (HMAC) tokens that carry your account id and an expiry (access tokens last about 1 hour; refresh tokens about 30 days). Because they are stateless, we cannot individually revoke a token before it expires. If you believe a token has been exposed, contact us — see "Security limitations you should know."
Why: to authenticate you, keep you signed in, and let approved AI clients connect securely.
d) Operational logs
Our hosting platform (Azure App Service) keeps standard request and console logs (for example timestamps, request paths, and error diagnostics) for reliability and troubleshooting. We do not run analytics, advertising, or tracking software, and we do not maintain a separate behavioral profile of you.
3. Legal basis and purpose
Where data-protection law (such as the EU/UK GDPR) applies, we rely on the following bases:
- Performance of a contract — to create your account, store your work, and operate the connector you chose to use.
- Legitimate interests — to keep the service secure, reliable, and free of abuse (for example, rate-limiting sign-in endpoints and keeping operational logs), balanced against your rights.
- Consent — where you choose to connect a third-party AI client to your desk.
We do not use your data for advertising, and we do not sell it. See "What we do not do."
4. Subprocessors and third parties
We share data only with the service providers needed to run Project Desk. Each receives only what its function requires.
| Subprocessor | Role | What it receives |
|---|---|---|
| Microsoft Azure | Hosting (App Service) and database (Azure Postgres), region East US (United States) | All stored data lives here: your account/profile data, your desk content, and the connector/authorization records described above. |
| GitHub | Authentication (sign-in) only | The OAuth exchange needed to verify you. We send the authorization code/token to GitHub's endpoints and receive back your verified email, GitHub account id, and name. No desk content is sent to GitHub. |
| Google | Authentication (sign-in) only | The OAuth exchange needed to verify you. We send the authorization code/token to Google's endpoints and receive back your verified email, Google account id, and name. No desk content is sent to Google. |
| Anthropic (and any AI client you connect) | The AI client you use Project Desk from | When you use Project Desk through Claude Desktop, Codex Desktop, or a similar client, your prompts and the tool calls that read or write your desk pass through that AI client's product. This is inherent to using an AI connector. The data handling on that side is governed by that provider's privacy policy, not this one. |
We do not currently use any analytics, advertising, payment, email, or tracking subprocessor.
5. Storage, security, and isolation
- Where it is stored. Your data is stored in a single Azure Postgres database hosted on Azure App Service in the East US region (United States).
- In transit. Connections use TLS encryption. Connections to the database require TLS (`sslmode=require`). Note: in production the database TLS connection encrypts traffic but does not strictly validate the database server's certificate chain — so we describe this as "encrypted in transit," not as fully validated certificate-pinned TLS.
- Per-account isolation. Every desk row is bound to the owning account, and every authenticated read or write is scoped to the signed-in account. A signed-in account can see only its own desk.
- Sign-in security. The MCP connector uses OAuth 2.1 with PKCE (S256). Session and connector tokens are HMAC-signed. Sign-in endpoints are rate-limited.
Security limitations you should know
We want to be straight with you about what is and is not in place today:
- No individual token revocation. Connector access and refresh tokens are stateless and valid until they expire (access ~1 hour, refresh ~30 days). We cannot revoke a single leaked token on demand before expiry. If you suspect a token is compromised, contact us; as an emergency measure we can rotate the server signing key, which immediately invalidates all outstanding tokens at once.
- No certifications. Project Desk does not hold and does not claim SOC 2, ISO 27001, HIPAA, or formal "GDPR-certified" status. We describe our actual measures (above) rather than claiming a certification we do not have. Do not store regulated data (for example protected health information) in your desk.
- No security measure is perfect; we cannot guarantee absolute security.
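
The stateless tokens described in section 2(c) and the revocation limitation above, shown as an added example that is not Project Desk's code: the token layout, the `sub`/`exp` field names, the keys, and the account ids are all assumptions made for illustration. It shows why a leaked token keeps verifying until its expiry when there is no server-side record to delete, and why rotating the signing key rejects every outstanding token at once.

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, payload: str) -> str:
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())

def issue_token(key: bytes, account_id: str, ttl_seconds: int, now: int) -> str:
    """Return payload.signature; nothing is written to a server-side store."""
    claims = {"sub": account_id, "exp": now + ttl_seconds}  # assumed layout
    payload = _b64(json.dumps(claims).encode())
    return f"{payload}.{_sign(key, payload)}"

def verify_token(key: bytes, token: str, now: int):
    """Return the account id, or None on a bad signature, expiry or bad format."""
    try:
        payload, sig = token.split(".")
        # Check the signature first, in constant time, before parsing anything.
        if not hmac.compare_digest(sig.encode(), _sign(key, payload).encode()):
            return None
        claims = json.loads(_unb64(payload))
        return claims["sub"] if now < claims["exp"] else None
    except (ValueError, KeyError, TypeError):
        return None

def demo() -> dict:
    now = 1_800_000_000                       # constructed clock value
    old_key, new_key = b"constructed-key-1", b"constructed-key-2"
    leaked = issue_token(old_key, "acct-A", 30 * 24 * 3600, now)  # refresh-style
    other = issue_token(old_key, "acct-B", 3600, now)             # access-style
    # Payload swapped for another account, original signature reused.
    forged = _b64(json.dumps({"sub": "acct-B", "exp": now + 10**6}).encode())
    forged += "." + leaked.split(".")[1]
    return {
        # A day later the leaked token still verifies: only expiry ends it.
        "leaked_still_valid": verify_token(old_key, leaked, now + 86400),
        "expired_access": verify_token(old_key, other, now + 3601),
        "forged_payload": verify_token(old_key, forged, now),
        # After rotation, every token signed with the old key fails together.
        "after_rotation_leaked": verify_token(new_key, leaked, now + 86400),
        "after_rotation_other": verify_token(new_key, other, now + 60),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```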
6. Data retention
- Account and desk content are retained for as long as your account exists, so your work is there when you return.
- Short-lived authorization records (pending authorization transactions and one-time codes) expire within minutes and are automatically swept.
- Session cookies expire after up to 30 days; connector tokens expire on their own schedule (access ~1 hour, refresh ~30 days).
- Operational logs are retained for approximately 90 days, then rotated out by the hosting platform.
- When you delete your account (Settings → Danger zone), your account record and desk content are removed immediately; any active subscription is canceled first so you are never billed again.
- Anonymized operational records that identify no person (the aggregate founding-member counter, webhook-deduplication ids, and the append-only desk version log, which contains no names, emails, or content) may be retained for service integrity.
7. Your choices and deletion
You have control over your data:
- Access and export. Download everything we hold for your account from Settings → Your data — a human-readable Markdown export and a complete machine-readable JSON export, any time, no request needed.
- Correction. You can edit your projects, issues, and returns directly in the product, or ask us to correct account details.
- Deletion. Delete your account yourself from Settings → Danger zone — it cancels any active subscription first, then permanently removes your account and all desk content, immediately. You can also email us instead and we will delete it within 30 days of verifying your request.
- Email choices. Optional product-update email is off by default — turn it on or off in Settings → Email updates. Transactional and legal notices (terms changes, receipts, security) are always sent while you hold an account.
- Sign out. You can sign out at any time, which clears your session cookie.
Depending on where you live, you may have additional rights (for example under the GDPR or under U.S. state privacy laws such as the CCPA/CPRA) — including the right to access, correct, delete, or port your data, and to object to certain processing. To exercise any of these, contact us. We will not discriminate against you for exercising your rights.
We will verify your identity (for example, by confirming control of the email tied to your account) before acting on an access or deletion request.
8. What we do not do
- We do not sell your personal data.
- We do not use your data for advertising, and we do not run third-party ad or tracking software.
- We (Atlier / Wilds, Inc.) do not use your desk content to train AI models.
- Note: AI clients you connect to (for example Claude) handle your prompts and tool calls under their own privacy terms. If their model-training behavior matters to you, review that provider's policy and settings.
9. International data transfers
Project Desk is hosted in the United States (Azure, East US). If you access the service from outside the United States, your data will be transferred to and stored in the United States, which may have different data-protection laws than your country. By using the service, you understand that your data is processed in the United States.
10. Children
Project Desk is not directed to children and is not intended for anyone under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy as the service evolves (for example, when self-serve deletion ships, or when a new subprocessor is added). When we make a material change, we will update the "Last updated" date above and, where appropriate, provide a more prominent notice. Your continued use of Project Desk after a change means you accept the updated policy.
This policy describes Project Desk as currently operated. It deliberately avoids claiming certifications or capabilities the service does not have. Where a decision is still open, it is marked for the operator to finalize before publication.