Privacy Policy
Last updated: March 20, 2026
Lamb and Flag TopCo Corp ("Atlantic M&A," "we," "us," or "our"), a Texas C company, operates the Atlantic M&A platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service.
We are committed to protecting your privacy in compliance with applicable laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the UK Data Protection Act 2018, and other applicable data protection legislation worldwide.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, company name, and password when you register.
- Billing Information: Payment details are collected and processed by Paddle.com Market Limited ("Paddle"), our Merchant of Record. We do not store credit card numbers or bank details.
- Customer Data: Project data, meeting transcripts, workstream information, and other content you submit to the Service.
- Communications: Information you provide when contacting support or providing feedback.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, timestamps, and interaction patterns.
- Device Information: Browser type, operating system, device type, and screen resolution.
- Log Data: IP address, access times, and referring URLs.
- Cookies: Session cookies for authentication and preferences. See Section 8 for details.
1.3 Information from Third Parties
- Authentication Providers: If you sign in via SSO, we receive your name and email from your identity provider.
- Microsoft Teams: If you connect MS Teams, we receive meeting transcripts and metadata that you have authorized.
2. How We Use Your Information
We use your information for the following purposes:
- Service Delivery: To provide, maintain, and improve the Service.
- AI Processing: To analyze meeting transcripts and generate suggested project updates using Anthropic's Claude via AWS Bedrock. Your data is processed within your AWS region and is not used to train AI models.
- Billing: To manage subscriptions and process payments through Paddle.
- Communication: To send service-related notices, updates, and security alerts.
- Security: To detect, prevent, and address technical issues, fraud, and unauthorized access.
- Analytics: To understand usage patterns and improve the Service.
- Legal Compliance: To comply with applicable laws and respond to lawful requests.
3. Legal Bases for Processing (GDPR)
If you are in the European Economic Area (EEA), UK, or Switzerland, we process your personal data on the following legal bases:
- Contract Performance: Processing necessary to provide the Service under our Terms of Service.
- Legitimate Interests: Processing for analytics, security, and Service improvement, where our interests are not overridden by your rights.
- Consent: Where you have given explicit consent, such as for marketing communications or optional cookies.
- Legal Obligation: Processing necessary to comply with applicable laws.
4. Data Sharing and Disclosure
We do not sell your personal information. We share data only in the following circumstances:
- Service Providers: We use trusted third-party providers to operate the Service:
  - Amazon Web Services (AWS) — cloud hosting and infrastructure
  - AWS Cognito — authentication services
  - Anthropic (via AWS Bedrock) — AI processing (data remains in your AWS region)
  - Paddle.com Market Limited — payment processing (Merchant of Record)
  - Neon — database hosting
- Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.
- With Your Consent: We may share information with third parties when you explicitly consent.
5. International Data Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers operate. For transfers from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- The EU-U.S. Data Privacy Framework, where applicable;
- Adequate security measures and contractual protections with our sub-processors.
You may request a copy of the safeguards used by contacting us.
6. Data Retention
We retain your personal information for as long as your Account is active or as needed to provide the Service. After Account termination, we retain Customer Data for 30 days to allow export, then securely delete it. We may retain certain information longer to comply with legal obligations, resolve disputes, or enforce our agreements. Billing records are retained as required by tax and financial regulations.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of your personal data.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your data ("right to be forgotten").
- Portability: Request your data in a structured, machine-readable format.
- Restriction: Request that we restrict processing of your data.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Withdraw consent at any time where processing is based on consent.
- Non-Discrimination (CCPA): We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, contact us at privacy@atlanticma.com. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
8. Cookies
We use the following types of cookies:
- Essential Cookies: Required for authentication and core functionality. These cannot be disabled.
- Preference Cookies: Store your language and theme settings.
We do not use advertising or tracking cookies. You can manage cookies through your browser settings. Disabling essential cookies may prevent you from using the Service.
9. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256);
- Row-level security in PostgreSQL for tenant data isolation;
- Multi-factor authentication (TOTP and passkeys);
- Credentials stored in AWS Secrets Manager;
- Regular security assessments and monitoring;
- SOC 2 Type II certification in progress.
10. Children's Privacy
The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before the changes take effect. The "Last updated" date will be revised accordingly.
12. Data Protection Officer
For privacy-related inquiries or to exercise your rights, contact:
Lamb and Flag TopCo Corp — Privacy Team
Email: privacy@atlanticma.com
Houston, Texas, United States
If you are in the EEA or UK and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
