Privacy Policy

Effective date: March 1, 2026  |  Last updated: March 1, 2026

Legal entity: BBMedia Co., Ltd. ("BetterBiz", "we", "us", "our")

BetterBiz (operated by BBMedia Co., Ltd.) builds ATLAS, a Governance, Risk, and Compliance (GRC) platform for regulated businesses in Southeast Asia. We understand that the data you entrust to us is sensitive, and we take our responsibility to protect it seriously.

This Privacy Policy explains what information we collect, how we use it, and the choices you have. It applies to our website at betterbusiness.cc, the ATLAS platform and all its modules (Accord, Comply, Sentinel, Datum, Flux, and PhishGuard), and any related services we provide.


1. Information We Collect

Account and Contact Data

When you sign up for ATLAS or request a demo, we collect:

  • Name, email address, phone number, and job title
  • Company name, industry, and billing address
  • Login credentials (passwords are hashed and never stored in plaintext)
  • Role and permission settings within the platform

Customer Compliance Data

ATLAS is designed to manage your organization's compliance program. Depending on which modules you use, the data you upload or create may include:

  • Policies and documents — compliance policies, procedures, standards, and supporting documentation
  • Evidence records — screenshots, logs, configuration exports, and other audit evidence
  • Asset inventories — IT assets, network diagrams, system configurations
  • Vendor registries — third-party vendor information, risk assessments, contracts
  • Personnel data — employee names, roles, training records, access certifications
  • Risk and incident records — risk register entries, incident reports, remediation plans
  • Control mappings and assessment results — framework requirement mappings, gap analysis data
  • Phishing simulation data — campaign results, click rates, training completion (PhishGuard)

Usage and Analytics Data

We automatically collect certain information when you use ATLAS:

  • Pages visited, features used, and actions taken within the platform
  • Browser type, operating system, device type, and screen resolution
  • IP address and approximate geographic location
  • Session duration and frequency of use
  • Error logs and performance data

AI Interaction Data

When you use AI-assisted features in ATLAS (such as policy drafting or Ask ATLAS document Q&A), we collect:

  • Prompts and queries you submit to AI features
  • Documents or text selections you choose to process with AI
  • AI-generated outputs and your edits to those outputs
  • Feedback you provide on AI responses (thumbs up/down, corrections)

2. How We Use Information

We use the information we collect for the following purposes:

Platform Operation

  • Providing, maintaining, and improving the ATLAS platform and its modules
  • Authenticating users and enforcing role-based access controls
  • Processing compliance workflows, approvals, and notifications
  • Generating reports, dashboards, and compliance summaries

AI-Assisted Features

  • Powering policy drafting assistance and document generation
  • Enabling RAG-powered (Retrieval-Augmented Generation) document Q&A
  • Providing intelligent control mapping suggestions
  • Improving AI accuracy and relevance over time

Support and Communication

  • Responding to support requests and troubleshooting issues
  • Sending platform notifications, security alerts, and service updates
  • Communicating about new features, framework updates, and regulatory changes

Platform Improvement

  • Analyzing usage patterns to improve features and user experience
  • Identifying and fixing bugs, performance issues, and security vulnerabilities
  • Developing new features and modules based on aggregate usage data

We do not use your compliance data to train general-purpose AI models. We do not use your data to serve advertisements. We do not sell your data to third parties.


3. Data Processing and AI

ATLAS includes AI-assisted features that process your documents and data. We believe in being transparent about how this works.

How AI Features Process Your Data

When you use AI-assisted policy drafting or Ask ATLAS (our document Q&A feature), the following occurs:

  • Document indexing: Documents you upload are processed and indexed within your tenant's isolated environment for retrieval-augmented generation (RAG)
  • Query processing: When you ask a question or request AI assistance, relevant document excerpts are retrieved from your index and sent alongside your query to generate a response
  • Response generation: AI-generated responses are returned to you within the platform. You retain full editorial control over any generated content before it is saved or published

Third-Party AI Providers

We use Anthropic (Claude) as our AI inference provider. When your data is sent to Anthropic for processing:

  • Only the minimum necessary context (document excerpts, your query) is transmitted
  • Data is encrypted in transit using TLS 1.2+
  • Anthropic does not use your data to train their models (per our enterprise agreement)
  • No customer data is retained by Anthropic after processing is complete

AI Data Retention

  • AI interaction logs (queries and responses) are retained for 90 days to support debugging and quality improvement
  • Document embeddings and indexes are stored for as long as the source documents exist in your account
  • You can delete source documents at any time, which triggers removal of associated embeddings

Opting Out of AI Features

AI-assisted features are optional. You can use ATLAS for compliance management without engaging any AI functionality. Contact your account administrator or our support team to adjust AI feature availability for your organization.


4. Data Security

As a company that builds security and compliance tools, we hold ourselves to a high standard. Our security measures include:

Encryption

  • In transit: All data is encrypted using TLS 1.2 or higher. We enforce HTTPS for all connections
  • At rest: Customer data is encrypted at rest using AES-256 encryption
  • Database: Database connections use encrypted channels with certificate verification

Access Controls

  • Role-based access control (RBAC) enforced at the application and database levels
  • Multi-tenant architecture with strict data isolation between customer accounts
  • Internal access to customer data is restricted to authorized personnel and requires justification
  • Administrative access requires multi-factor authentication

Audit Logging

  • All user actions within the platform are logged with timestamps and user identity
  • Administrative and data access events are logged separately for security review
  • Audit logs are immutable and retained according to your subscription tier's retention policy
  • Customers can export audit logs for their own compliance and audit purposes

Infrastructure Security

  • Application and database servers are hosted in secure, SOC 2-compliant data centers
  • Regular vulnerability scanning and penetration testing
  • Automated security patching and update management
  • Network segmentation and firewall controls

Incident Response

We maintain a documented incident response plan. In the event of a security incident that affects your data, we will notify you within 72 hours, consistent with Thai PDPA requirements and industry best practices.


5. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your personal information or compliance data. We share data only in the following circumstances:

Service Providers (Sub-processors)

We use a limited set of third-party service providers to operate ATLAS:

  • Cloud infrastructure: For hosting the platform, databases, and file storage
  • AI inference: Anthropic (Claude) for AI-assisted features, as described in Section 3
  • Email delivery: For transactional emails, notifications, and platform alerts
  • Analytics: For aggregated, anonymized usage analytics to improve the platform
  • Payment processing: For subscription billing (we do not store credit card numbers)

All sub-processors are bound by data processing agreements that require them to protect your data to standards consistent with this policy.

Legal Requirements

We may disclose data if required by law, regulation, legal process, or governmental request. We will notify you of such requests unless prohibited by law.

Business Transfers

In the event of a merger, acquisition, or sale of assets, customer data may be transferred. We will provide notice and, where applicable, the opportunity to delete your data before any transfer.

With Your Consent

We may share data with third parties when you have given explicit consent, such as integrations you choose to enable.


6. Customer Data Ownership

Your compliance data belongs to you. This is a core principle of how we operate.

  • Ownership: You retain all rights, title, and interest in the compliance data you upload to or create within ATLAS. We claim no ownership over your content
  • License: You grant us a limited license to process your data solely for the purpose of providing and improving the ATLAS service
  • Export: You can export your data at any time in standard formats (PDF, CSV, JSON) through the platform's built-in export functionality
  • Portability: We will assist with data migration upon reasonable request if you choose to move to another platform
  • No lock-in: We design our data models and exports to minimize vendor lock-in. Your policies, evidence, and records remain usable outside of ATLAS

7. Data Retention and Deletion

During Active Subscription

Your data is retained for as long as your subscription is active. You can delete individual records, documents, or data sets at any time through the platform.

After Subscription Ends

  • Grace period: After subscription cancellation or expiration, we retain your data for 90 days in a read-only state, allowing you to export your data or reactivate your account
  • Deletion: After the 90-day grace period, your data is permanently deleted from our production systems within 30 days
  • Backups: Data may persist in encrypted backups for up to an additional 90 days, after which backups containing your data are rotated out

Immediate Deletion

You may request immediate deletion of your data at any time by contacting us at [email protected]. We will process deletion requests within 30 days, subject to any legal retention obligations.

Data We Retain Longer

Certain data may be retained beyond the standard period:

  • Billing and transaction records (as required by Thai tax and commercial law)
  • Audit logs related to security incidents (retained for 1 year minimum)
  • Anonymized, aggregated usage statistics (retained indefinitely, not traceable to individuals)

8. International Data Transfers

ATLAS serves regulated businesses across Southeast Asia. Given the nature of our service:

  • Primary data location: Customer data is stored in data centers located in the Asia-Pacific region
  • Cross-border processing: Some data may be processed in other jurisdictions when using third-party services (such as AI inference). We ensure appropriate safeguards are in place for any cross-border data transfer
  • ASEAN considerations: We comply with applicable data transfer requirements in Thailand, Singapore, and other ASEAN jurisdictions where our customers operate
  • On-premises option: For customers with strict data residency requirements, we offer on-premises deployment where all data remains within your own infrastructure

We ensure that any international transfer of personal data is subject to appropriate safeguards, including data processing agreements with adequate data protection provisions.


9. Thai PDPA Compliance

BBMedia Co., Ltd. is subject to the Thailand Personal Data Protection Act B.E. 2562 (2019) ("PDPA"). Under the PDPA, you have the following rights regarding your personal data:

  • Right to be informed: You have the right to be informed about the collection, use, and disclosure of your personal data
  • Right of access: You have the right to request access to and obtain a copy of your personal data
  • Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format
  • Right to object: You have the right to object to the collection, use, or disclosure of your personal data
  • Right to deletion: You have the right to request deletion or de-identification of your personal data
  • Right to restrict processing: You have the right to request restriction of the use of your personal data
  • Right to rectification: You have the right to request correction of inaccurate or incomplete personal data
  • Right to withdraw consent: Where processing is based on consent, you have the right to withdraw consent at any time

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

Legal basis for processing: We process personal data on the following legal bases under the PDPA: performance of a contract (providing the ATLAS service), legitimate interest (platform improvement and security), legal obligation (regulatory compliance), and consent (where explicitly obtained for specific processing activities).


10. Cookies and Tracking

Cookies We Use

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled without breaking platform functionality
  • Functional cookies: Remember your preferences such as language (English/Thai), timezone, and display settings
  • Analytics cookies: Help us understand how the platform is used so we can improve it. These collect anonymized usage data

What We Do Not Use

  • We do not use advertising or retargeting cookies
  • We do not use third-party tracking pixels for advertising purposes
  • We do not sell cookie data or tracking information to third parties

Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect your ability to use the ATLAS platform. We respect Do Not Track (DNT) browser signals for analytics cookies.


11. Children's Privacy

ATLAS is a business-to-business platform designed for use by organizations and their authorized personnel. We do not knowingly collect personal information from children under the age of 18 (or the applicable age of majority in the relevant jurisdiction).

If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at [email protected].


12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

  • Notification: We will notify active ATLAS users of material changes via email and/or an in-platform notification at least 30 days before the changes take effect
  • Minor changes: Non-material changes (such as formatting or clarifications) may be made without advance notice
  • Version history: The "Last updated" date at the top of this page indicates when the policy was most recently revised

Your continued use of ATLAS after changes take effect constitutes acceptance of the updated policy. If you do not agree with the changes, you may terminate your subscription and request deletion of your data.


13. Contact Information

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your data, please contact us:

We aim to respond to all privacy-related inquiries within 30 days.