Legal
Privacy Policy
Last updated: 8 May 2026
1. Controller
AmpliForge GmbH
Eschborn, Hessen, Germany
E-Mail: privacy@ampliforge.com
2. Scope
This policy applies to all personal data processed by AmpliForge GmbH when you visit www.ampliforge.com or use the AmpliForge platform at app.ampliforge.com.
Where you upload content assets (webinars, podcasts, documents) to the AmpliForge platform, AmpliForge acts as a data processor on your behalf. This processing is governed by our Data Processing Agreement (DPA), publicly available at ampliforge.com/dpa.
3. Data We Collect
3.1 Data You Provide
- Account registration data (name, business email, company name)
- Billing information processed via our payment provider
- Content assets you upload (audio, video, documents, URLs)
- Brand voice inputs (LinkedIn posts, website URLs, guidelines)
- Support and contact communications
- Waitlist submissions (name, email) via Typeform
3.2 Data Collected Automatically
- Log data (IP address, browser type, pages visited, timestamps)
- Session replay data for UX debugging (OpenReplay, EU-hosted) — app only, consent required
3.3 Data from Third Parties
- LinkedIn analytics data imported with your explicit authorisation
4. Legal Basis for Processing (GDPR Art. 6)
| Processing activity | Legal basis |
|---|---|
| Providing and operating the Service | Art. 6(1)(b) – contract performance |
| Billing and invoicing | Art. 6(1)(b) + Art. 6(1)(c) – legal obligation |
| Product analytics and improvement | Art. 6(1)(f) – legitimate interest |
| AI-generated content disclosure (EU AI Act Art. 50) | Art. 6(1)(c) – legal obligation |
| Marketing communications | Art. 6(1)(a) – consent |
| Waitlist collection | Art. 6(1)(a) – consent |
5. Sub-Processors and Recipients
We share personal data only with sub-processors bound by adequate data protection agreements:
| Processor | Purpose | Location |
|---|---|---|
| Supabase (Postgres) | Application database | EU (Frankfurt) |
| Hetzner Object Storage | Media file storage | EU (Falkenstein) |
| Scaleway (compute) | Worker / processing server | EU (Amsterdam) |
| Vercel | Frontend hosting | EU edge (SCCs in place) |
| Gladia (EU) | Audio/video transcription | EU |
| Requesty (EU router) | LLM API gateway | EU |
| Black Forest Labs (BFL) | AI image generation | Germany |
| Resend | Transactional email | US (SCCs in place) |
| HubSpot | CRM / marketing forms | EU (Ireland / Frankfurt) |
| OpenReplay | Session replay / analytics (app only) | EU |
| Typeform | Waitlist and contact form submissions | US (SCCs in place) |
| Webflow | Website hosting and CMS (www.ampliforge.com) | US (SCCs in place) |
| Anthropic (Claude API) | AI content generation (schema / migrations only — no user content) | US (SCCs in place) |
All non-EU processors operate under Standard Contractual Clauses (SCCs) per GDPR Art. 46(2)(c). Your content assets are never processed on non-EU infrastructure. Personal data transfers to US service providers are governed by Standard Contractual Clauses.
6. Retention Periods
- Account data: duration of the contract + 3 years
- Billing records: 10 years (§ 147 AO / § 257 HGB)
- Application logs: 14 days
- AI generation inputs/outputs: zero persistence beyond the API call
- Uploaded media files: until you delete the asset or close your account
- Session replay data: 30 days
- Waitlist data: until you request deletion or the waitlist closes
7. AI-Generated Content Disclosure (EU AI Act Art. 50)
AmpliForge uses AI systems to generate text, images, and other content. In accordance with EU AI Act Article 50, all AI-generated content is clearly labelled within the platform. Users may control disclosure settings in their workspace settings. The AI systems used include large language models routed via Requesty (EU) and image generation models provided by Black Forest Labs.
8. Cookies
We currently use only strictly necessary cookies required for authentication and session management on www.ampliforge.com. No analytics, tracking, or functional cookies are active on this website. No cookie consent banner is therefore required at this time. This section will be updated before any additional cookies are introduced.
9. Your Rights (GDPR Art. 15–22)
As a data subject you have the right to:
- Access your personal data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure (right to be forgotten) (Art. 17)
- Restriction of processing (Art. 18)
- Data portability in a machine-readable format (Art. 20)
- Objection to processing based on legitimate interest (Art. 21)
- Withdrawal of consent at any time without affecting prior processing
Submit a Data Subject Access Request (DSAR) to privacy@ampliforge.com. We respond within 7 days. Supervisory authority: HBDI – Hessischer Beauftragter für Datenschutz und Informationsfreiheit, Wiesbaden.
10. Security
AmpliForge implements technical and organisational measures including TLS encryption in transit, AES-256 encryption at rest, Row-Level Security (RLS) on all database tables, Vault-encrypted OAuth tokens, regular backups with off-site replication, and role-based access controls. Report suspected security incidents to privacy@ampliforge.com.
11. Children
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe we have inadvertently done so, please contact us and we will delete the data promptly.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or an in-app notification at least 14 days before they take effect.
13. Contact
AmpliForge GmbH
Eschborn, Hessen, Germany
privacy@ampliforge.com