Studio Privacy Policy
Version 1.1 — 13 May 2026
Introduction
Amplify provides a B2B analytics and data platform for festival, venue, and live event organisers ("Amplify Studio" or the "Platform"). This privacy policy explains how Amplify ("we", "us") processes personal data in connection with:
- The Amplify Studio web application (the "Platform")
- Related support, sales, and onboarding services (together with the Platform, the "Services")
We comply with the EU General Data Protection Regulation (GDPR) and applicable Dutch law (the "Relevant Legislation").
This policy covers personal data of:
- Platform Users — employees, contractors and authorised representatives of our business clients who access Studio
Our Role Under GDPR
- For Platform Users and Prospects: Amplify is the controller.
Personal Data We Collect
Platform Users (Studio access)
When your organisation provisions a Studio account for you, or when you sign in, we collect:
- Identity data: name, business email address, job title, employer/client organisation
- Authentication data: we authenticate users via magic link (one-time email link) or SSO (Google Workspace / Microsoft). We do not store passwords. For SSO we receive a federated identity token from your identity provider.
- Usage data: pages visited within Studio, features used, queries run, dashboards viewed, time stamps, session duration. This is used to operate, secure, and improve the Platform.
- Device and technical data: IP address, browser type and version, operating system, device type, language settings, referrer URL.
- Communications: content of support tickets, chat conversations with our team, and emails you send us.
- Audit logs: actions you take inside Studio (e.g. data exports, configuration changes) are logged for security and compliance.
Legal Basis for Processing
| Purpose | Legal basis |
|---|---|
| Providing Platform access under our contract with your employer | Contract performance (Art. 6(1)(b)) — necessary for the contract to which your organisation is a party |
| Authenticating users, securing the Platform, audit logging | Legitimate interest (Art. 6(1)(f)) — operating a secure service |
| Usage analytics to improve Studio | Legitimate interest, balanced against your rights |
| Marketing communications and prospect outreach | Legitimate interest for B2B contacts; consent where required |
| Support and account management | Contract performance / legitimate interest |
| Compliance with legal obligations (e.g. tax, accounting) | Legal obligation (Art. 6(1)(c)) |
| Non-essential cookies and tracking | Consent (Art. 6(1)(a)) |
How We Use Your Information
- Provide, operate and secure the Platform
- Authenticate you and manage your account
- Provide customer support and respond to inquiries
- Send service-related communications (e.g. security alerts, product updates, billing)
- Analyse Platform usage to improve features, performance, and reliability
- Conduct sales and marketing activities for our B2B audience
- Detect, prevent and respond to fraud, abuse, and security incidents
- Comply with legal, regulatory, and contractual obligations
We do not use Platform User data, or any end-customer data inside client workspaces, to train machine learning models for third parties or for purposes outside the agreed scope.
How Long We Retain Data
| Data category | Retention |
|---|---|
| Platform User account data | For the duration of your access, plus up to 12 months after deactivation, unless a longer period is required by law |
| Audit logs | Up to 24 months (longer if required by law or for security investigations) |
| Support communications | 24 months after ticket resolution |
| Cookies | See Cookie section |
You can request earlier deletion at any time via privacy@amplify.one, subject to overriding legal or contractual obligations.
How We Share Your Information
Sub-processors and service providers
We use a limited set of vendors to operate the Services. We have a Data Processing Agreement with each. Our current sub-processors include:
- AWS (Ireland) — Platform hosting, storage, networking
- Google Cloud (EU) — BigQuery data warehouse, analytics infrastructure
- Authentication provider — magic link delivery, SSO federation
- Email delivery — transactional and marketing email
- Product analytics — in-app usage analytics
- Support tooling — for ticketing and customer communication
A current list of sub-processors is available on request at privacy@amplify.one.
Within your client organisation
Your colleagues with appropriate roles in your Studio workspace may see your name, email, last login, and audit log entries.
Legal disclosures
We may share information when reasonably necessary to: comply with law, legal process, or government requests; enforce our terms; protect the rights, property or safety of Amplify, users or others; or detect and resolve fraud or security issues.
Business transfers
If Amplify is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred. We will notify affected users.
International Data Transfers
Our primary infrastructure is in the EU (AWS Ireland, Google Cloud EU regions). Where any sub-processor processes data outside the EEA, we rely on EU Standard Contractual Clauses and additional safeguards as required.
Cookies
The Platform uses cookies. We distinguish:
- Strictly necessary cookies — required for the Platform to function (e.g. authentication session). No consent needed.
- Analytics cookies — to understand usage. Used with consent.
You can manage preferences via our cookie banner or your browser settings.
How We Protect Your Information
- Transport security: All traffic to the Platform is served over HTTPS/TLS.
- Authentication: Magic link or SSO only. No passwords stored. Session tokens are short-lived and rotated.
- Hosting: Infrastructure runs in AWS and Google Cloud EU data centres with industry-standard physical and environmental controls.
- Network security: Application and database servers are not directly internet-accessible. WAF and DDoS protection at the edge.
- Encryption: Data encrypted in transit and at rest.
- Access control: Employee access is role-based, logged, and reviewed regularly. All staff sign NDAs and receive security training. Production access requires MFA.
- Software security: Code changes require peer review with security checks. We track and remediate disclosed vulnerabilities (CVE monitoring).
- Logging and monitoring: Application, infrastructure, and access logs are aggregated, monitored for anomalies, and tamper-protected.
- Incident response: We maintain a documented incident response process and will notify affected clients of any qualifying personal data breach without undue delay, in line with GDPR Art. 33.
- Audits: We conduct internal security reviews on a regular basis.
Your Rights
Under the GDPR you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten"), subject to legal exceptions
- Restrict or object to processing
- Data portability
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority
For end-customer data processed inside Studio, please direct requests to the relevant client (the controller). We will support our clients in responding under the DPA.
To exercise your rights regarding data for which Amplify is controller, contact privacy@amplify.one. We respond within 30 days.
Changes to This Policy
We may update this policy. Material changes will be communicated via the Platform and/or by email to account administrators. The "Version" and date at the top reflect the current version.
Contact
Data Protection Officer privacy@amplify.one
Amplify
Overhoeksplein 31
1031KS Amsterdam
The Netherlands