Last updated: May 2026
Ataru LLC ("Ataru", "we", "us", or "our") operates the Ataru Cesium application and the ataru.io website (collectively, the "Service"). This Privacy Policy explains how we collect, use, and safeguard your information when you use the Service.
When you create an account, we collect your name and email address. If you sign in with Google, we receive your name, email, and profile photo from Google.
The Service stores business data you provide, including time entries, client and project details, invoices, expenses, tax configurations, and estimated tax payments. This data is yours. We store it solely to provide the Service to you.
When you submit the contact form, we collect your name, email address, and message content. We also record your IP address for spam prevention.
We may collect basic usage metrics (pages visited, features used) to improve the Service. We do not use third-party analytics trackers.
We do not sell, rent, or share your personal information with third parties for marketing purposes.
Your data is stored in Google Cloud Firestore and served via Google Cloud Run. We use Firebase Authentication for account management with support for multi-factor authentication. All data is transmitted over HTTPS.
We take reasonable measures to protect your data but cannot guarantee absolute security. No method of electronic storage is 100% secure.
We use the following third-party services to operate:
Each service has its own privacy policy governing how it processes data.
Your business data is retained for as long as your account is active and your subscription is current.
When your subscription ends (whether by cancellation, payment failure, or expiry), we retain your data for 90 days from the end-of-access date. During this period:
You may request immediate permanent deletion at any time via the account settings page or by contacting us. This is irreversible.
Cesium is a tool, not a system-of-record for your tax compliance. You are responsible for retaining your own business records as required by your jurisdiction. Use the export feature to keep your own copies for as long as your jurisdiction requires.
We retain logs of transactional emails sent (sender, recipient, type, timestamp) for the lifetime of your account plus a reasonable period thereafter for audit purposes.
We retain Stripe webhook event identifiers in a stripe_events collection for idempotency. This collection contains no personal data, only Stripe event IDs and types.
You may request access to, correction of, or deletion of your personal data by contacting us. You may delete your account at any time through the application settings.
If you are in the European Economic Area (EEA) or United Kingdom, you have additional rights under GDPR including:
The data export feature satisfies the right to data portability. The "delete my account permanently" feature satisfies the right to erasure.
If you are in California, you have rights under CCPA including the right to know, delete, and opt out of sale (we do not sell your data).
We use a session cookie (__session) for authentication and a timezone cookie (tz) for date display. We do not use advertising or tracking cookies.
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect information from children.
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "last updated" date. Your continued use of the Service after changes constitutes acceptance of the revised policy.
For questions about this Privacy Policy, please use the contact form.