Legal

Privacy Policy

Last updated: 29 May 2026

1. Controller

AmpliForge GmbH
Mergenthalerallee 73-75, 65760 Eschborn, Deutschland
E-Mail: privacy@ampliforge.com

2. Scope

This policy applies to all personal data processed by AmpliForge GmbH when you visit www.ampliforge.com or use the AmpliForge platform at app.ampliforge.com.

Where you upload content assets (webinars, podcasts, documents) to the AmpliForge platform, AmpliForge acts as a data processor on your behalf. This processing is governed by our Data Processing Agreement (DPA), publicly available at ampliforge.com/dpa.

3. Data We Collect

3.1 Data You Provide

  • Account registration data (name, business email, company name)
  • Billing information processed via Stripe Payments Europe, Limited, Dublin, Ireland (EU)
  • Content assets you upload (audio, video, documents, URLs)
  • Brand voice inputs (LinkedIn posts, website URLs, guidelines)
  • Support and contact communications
  • Waitlist submissions (name, email) via Typeform

3.2 Data Collected Automatically

  • Log data (IP address, browser type, pages visited, timestamps)
  • Session replay data for UX debugging (OpenReplay, EU-hosted) — app only, consent required

3.3 Data from Third Parties

  • LinkedIn analytics data imported with your explicit authorisation
  • Google Calendar and Gmail data accessed via OAuth with your explicit authorisation (used solely to provide scheduling and calendar features you have activated)
  • YouTube channel data accessed via OAuth with your explicit authorisation — captions and subtitles of videos on your own channel, which we only read (never edit or delete), for content repurposing features you have activated

3.4 Google User Data

  • Google Calendar: read/write access to create and manage content scheduling events
  • Gmail: read access limited to message metadata for scheduling context (if activated by you)
  • YouTube (youtube.readonly and youtube.force-ssl)
    - youtube.readonly lists the videos and metadata on your own channel
    - youtube.force-ssl is used strictly read-only to read the captions of your own videos (captions.list and captions.download) — the only scope Google provides for caption access.
    We never edit, delete, upload, or modify any YouTube content. Captions are used solely to generate your own content for features you have activated.
  • Google and YouTube user data is used exclusively to provide the features you explicitly activated — never for advertising, AI model training, or sale to third parties
  • Processed only on EU infrastructure; not transferred to data brokers or information resellers
  • Revocable at any time via your account settings; AmpliForge ceases accessing your Google data immediately upon revocation

AmpliForge uses YouTube API Services. By connecting your channel you agree to the YouTube Terms of Service; Google's handling of your data is governed by the Google Privacy Policy. You can revoke AmpliForge's access at any time at Google account permissions.

AmpliForge's use of Google user data is limited to providing or improving user-facing features you have activated. Caption transcripts of your own videos are stored as your private content asset within your EU-hosted workspace, under your control and deletable at any time; they are never sold, shared, or redistributed. AmpliForge's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google data is never used for targeted advertising, personalised advertisements, AI model training, or any purpose prohibited under that policy.

4. Legal Basis for Processing (GDPR Art. 6)

  • Art. 6(1)(b) GDPR — Performance of a contract: Account creation, platform access, content processing, billing.
  • Art. 6(1)(c) GDPR — Legal obligation: Retention of billing records (§ 147 AO / § 257 HGB).
  • Art. 6(1)(f) GDPR — Legitimate interests: Security monitoring, fraud prevention, application logging, service improvement.
  • Art. 6(1)(a) GDPR — Consent: Session replay / UX analytics (opt-in); non-essential cookies if introduced in future.
  • Art. 6(1)(b) GDPR — Performance of a contract: Account creation, platform access, content processing, billing.
  • Art. 6(1)(c) GDPR — Legal obligation: Retention of billing records (§ 147 AO / § 257 HGB).
  • Art. 6(1)(f) GDPR — Legitimate interests: Security monitoring, fraud prevention, application logging, service improvement.
  • Art. 6(1)(a) GDPR — Consent: Session replay / UX analytics (opt-in); non-essential cookies if introduced in future.
Processing activityLegal basis
Providing and operating the ServiceArt. 6(1)(b) – contract performance
Billing and invoicingArt. 6(1)(b) + Art. 6(1)(c) – legal obligation
Product analytics and improvementArt. 6(1)(f) – legitimate interest
AI-generated content disclosure (EU AI Act Art. 50)Art. 6(1)(c) – legal obligation
Marketing communicationsArt. 6(1)(a) – consent
Waitlist collectionArt. 6(1)(a) – consent

5. Sub-Processors and Recipients

We share personal data only with sub-processors bound by adequate data protection agreements:

  • Database & Authentication provider (EU)
  • Frontend Hosting & CDN provider (USA — Standard Contractual Clauses)
  • Media Storage provider (EU)
  • Worker & AI Processing provider (EU)
  • Transcription provider (EU)
  • LLM Routing & Inference provider (USA — Standard Contractual Clauses, DPA pending)
  • Image Generation provider (EU)
  • Transactional Email provider (EU)
  • Payment Processing provider (EU)
  • Session Replay & UX Analytics provider (EU)
  • Database & Authentication provider (EU)
  • Frontend Hosting & CDN provider (USA — Standard Contractual Clauses)
  • Media Storage provider (EU)
  • Worker & AI Processing provider (EU)
  • Transcription provider (EU)
  • LLM Routing & Inference provider (USA — Standard Contractual Clauses, DPA pending)
  • Image Generation provider (EU)
  • Transactional Email provider (EU)
  • Payment Processing provider (EU)
  • Session Replay & UX Analytics provider (EU)
ProcessorPurposeLocation
Supabase (Postgres)Application databaseEU (Frankfurt)
Hetzner Object StorageMedia file storageEU (Falkenstein)
Scaleway (compute)Worker / processing serverEU (Amsterdam)
VercelFrontend hostingEU edge (SCCs in place)
Gladia (EU)Audio/video transcriptionEU
Requesty (EU router)LLM API gatewayEU
Black Forest Labs (BFL)AI image generationGermany
ResendTransactional emailUS (SCCs in place)
HubSpotCRM / marketing formsEU (Ireland / Frankfurt)
OpenReplaySession replay / analytics (app only)EU
TypeformWaitlist and contact form submissionsUS (SCCs in place)
WebflowWebsite hosting and CMS (www.ampliforge.com)US (SCCs in place)
Anthropic (Claude API)AI content generation (schema / migrations only — no user content)US (SCCs in place)

All non-EU processors operate under Standard Contractual Clauses (SCCs) per GDPR Art. 46(2)(c). Your content assets are never processed on non-EU infrastructure. Personal data transfers to US service providers are governed by Standard Contractual Clauses.

6. Retention Periods

  • Account data: duration of the contract + 3 years
  • Billing records: 10 years (§ 147 AO / § 257 HGB)
  • Application logs: 14 days
  • AI generation inputs/outputs: zero persistence beyond the API call
  • Uploaded media files: until you delete the asset or close your account
  • Session replay data: 30 days
  • Waitlist data: until you request deletion or the waitlist closes

7. AI-Generated Content Disclosure (EU AI Act Art. 50)

AmpliForge uses AI systems to generate text, images, and other content. In accordance with EU AI Act Article 50, all AI-generated content is clearly labelled within the platform. Users may control disclosure settings in their workspace settings. The AI systems used include large language models routed via Requesty (EU) and image generation models provided by Black Forest Labs.

8. Cookies

We currently use only strictly necessary cookies required for authentication and session management on www.ampliforge.com. No analytics, tracking, or functional cookies are active on this website. No cookie consent banner is therefore required at this time. This section will be updated before any additional cookies are introduced.

9. Your Rights (GDPR Art. 15–22)

As a data subject you have the right to:

  • Access your personal data (Art. 15)
  • Rectification of inaccurate data (Art. 16)
  • Erasure (right to be forgotten) (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability in a machine-readable format (Art. 20)
  • Objection to processing based on legitimate interest (Art. 21)
  • Withdrawal of consent at any time without affecting prior processing

Submit a Data Subject Access Request (DSAR) to privacy@ampliforge.com. We respond within 7 days. Supervisory authority: HBDI – Hessischer Beauftragter für Datenschutz und Informationsfreiheit, Wiesbaden.

10. Security

AmpliForge implements technical and organisational measures including TLS encryption in transit, AES-256 encryption at rest, Row-Level Security (RLS) on all database tables, Vault-encrypted OAuth tokens, regular backups with off-site replication, and role-based access controls. Report suspected security incidents to privacy@ampliforge.com.

11. Children

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe we have inadvertently done so, please contact us and we will delete the data promptly.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notification at least 14 days before they take effect.

13. Contact

AmpliForge GmbH
Mergenthalerallee 73-75, 65760 Eschborn, Deutschland
privacy@ampliforge.com

×
Join Waitlist →
🇩🇪 EU-native stack
© 2026 AmpliForge GmbH