Security of personal data.
ATP is committed to protecting the security of your personal data.
We use a variety of security technologies and procedures to help protect your personal data from unauthorized access, use, or disclosure.
For example, we store the personal data you provide on computer systems that have limited access and are in controlled facilities.
All data being submitted to and received from ATP Online (such as credit card data, passwords, and client data) is transmitted securely using encryption.
Customer responsibility in securing personal data.
Although we have taken numerous steps to ensure the privacy and security of personal data, your use of ATP Online must also be in accordance with prevailing security practices.
These practices include, but are not necessarily limited to: (i) securely configuring your accounts using strong and unique passwords and not sharing your authentication information; (ii) avoiding the upload of unnecessary personal data into ATP Online; (iii) exercising oversight to ensure your Practitioners are using ATP Online appropriately; (iv) training and educating your Practitioners on the importance of privacy and security; and (v) limiting information sharing by allowing Practitioners to access only the information that they need.
Where we store and process personal data.
Personal data collected by ATP Online is stored and processed in the United States where ATP or its service providers maintain facilities.
ATP maintains multiple data centers that are chosen in order to operate efficiently, to improve performance, and to create redundancies in order to protect the data in the event of an outage or other problem.
We take steps to ensure that the data we collect under this privacy statement is processed according to the provisions of this statement and the requirements of applicable law wherever the data is located.
Our Retention of personal data.
ATP retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other essential purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for different data types in the context of different products, actual retention periods can vary significantly. The criteria used to determine the retention periods include:
How long does the personal data need to be retained in order to provide our products and operate our business?
This includes such things as maintaining and improving the performance of those products, keeping our systems secure, and maintaining appropriate business and financial records.
This is the general rule that establishes the baseline for most data retention periods.
Do customers provide, create, or maintain the data with the expectation we will retain it indefinitely until they request that the data be destroyed or removed?
In such cases, we maintain the data until we receive a request to delete it.
Is the personal data of a sensitive type?
If so, can we 1) reduce the retention time where feasible or 2) de-identify the data for the remainder of the retention period?
Is ATP subject to a legal, contractual, or similar obligation to retain the data?
Examples can include compliance with industry regulations such as HIPAA, government orders to preserve data relevant to an investigation, or data that must be retained for the purposes of litigation.
Has consent been given for a longer retention period?
If so, we will retain data in accordance with the consent we receive.
This includes, for example, data collected for product research and development.
De-identified and aggregate Data.
We may use properly de-identified or aggregate data to improve existing products, develop new products, communicate product effectiveness and outcomes, and for other related purposes.
Our methods for de-identification are informed by guidance from the National Institute of Standards and Technology (NIST), the U.S. Department of Education's Privacy Technical Assistance Center, and the Department of Health and Human Services.
Unless required to do so by law, we will not attempt to re-identify data that has been de-identified and, where feasible and appropriate, we will not transfer de-identified data to a third party unless they also agree not to attempt re-identification.
In the event of a security incident affecting our systems that involves personal data, we will take prompt steps to mitigate the breach, evaluate and respond to the incident, and notify the appropriate parties as required by applicable law.
Changes to this privacy statement.
We will update this privacy statement when necessary to reflect customer feedback and changes in our products.
When we post changes to this statement, we will revise the "last updated" date at the top of the statement.
If there are material changes to the statement or in how ATP will use your personal data, we will notify you either by prominently posting a notice of such changes before they take effect or by directly sending you a notification.
We encourage you to periodically review this privacy statement to learn how ATP is protecting your information.
How to contact us.
If you have a technical or support question, please visit the ATP Technical Support.
If you have a privacy concern, complaint, or a question, please contact the ATP Privacy and Security Officer. We will respond to questions or concerns within 30 days.