Amplitude customers own the data they send to the Amplitude platform for processing. Amplitude collects and analyses data about the use of its own platform by its customers, but that data does not include the data sent to the platform by its customers for analysis on their behalf.
Personally Identifiable Information/Personal Data
The Amplitude platform does not require personally identifiable information or personal data to perform product analytics. Amplitude customers have the flexibility to control what data is collected, processed, and stored in Amplitude. This page provides instructions on limiting tracking and storage of specific fields in our SDKs.
Amplitude can help your organization ensure that personal data is not stored on the Amplitude platform and reduce your compliance processes and burden. For example, by removing IP Addresses and location data from stored events. For existing customers, reach out to firstname.lastname@example.org to set this up.
Amplitude’s privacy team has reviewed our architecture, data flows, vendor capabilities and agreements to ensure that our platform is GDPR compliant. Amplitude’s analytics platform does not directly interact with our customers’ end users, nor does the platform automatically collect personal data. However, our customers might collect and send personal data to Amplitude for processing (e.g., IP address) and, as a result, Amplitude has implemented procedures and upgrades for our customers to remain privacy regulation compliant.
Specifically, we provide our customers with APIs to automatically serve their end-user Access and Deletion requests as detailed below.
- Amplitude’s Data Processing Agreements (DPAs) rely on the EU Standard Contractual Clauses (SCCs) as the transfer mechanism for Personal Data from the United Kingdom, EU and EEA to our US-West based AWS environment. On July 16, 2020 the Court of Justice of the European Union (CJEU) determined that the EU SCCs will continue to be a valid transfer mechanism for Personal Data from the EU to the United States.
- Amplitude has signed Data Processing Agreements with our key vendors.
- Amplitude’s SDKs give customers flexibility to control what data they choose to collect, and send to our platform for processing and storage. Our customers, not Amplitude, control the type of data that is collected, stored and processed in the platform. This is a full summary of the data keys Amplitude recognizes. Unless otherwise noted, all fields are optional and no personal data is required to use our core functionality.
- Amplitude has built advanced features that will allow customers to remove specific individual’s information from the platform or instruct the platform not to store end-user IP Addresses.
Our privacy team continually monitors developments for global privacy regulations and works with product and development teams to create solutions that address the growing concerns around processing personal data. As your vendor under the California Consumer Privacy Act (CCPA), Amplitude is defined as a Service Provider, which bears similarity to the Processor definition under the GDPR.
Based on our analysis of the final version of the CCPA and published regulations, the tools currently available through the platform to support end-user rights, as well as the working mechanisms of the platform itself are sufficient to address the CCPA directives. Such tools include our User Privacy API to facilitate individual user deletion requests with a 30-day deletion timeline (exceeding the CCPA’s 45-day requirement), and the DSAR API which can help facilitate access requests. We have also updated our Data Processing Agreement (DPA) in order to meet contractual requirements of the CCPA.
The Amplitude platform receives data collected by our customers from their application or website end-users, and allows them to understand usage metrics of their products. However, Amplitude employees do not access customer end-user data unless instructed by our customer, and customer data is never sold to third parties.
User Privacy API
In order to ensure that our customers can appropriately respond to and comply with end- user data deletion requests as required by global privacy laws such as the GDPR and the CCPA, we have built a simple an easy-to-use API endpoint that allows you to programmatically submit requests to delete all data for set of known Amplitude IDs and/or User IDs. For more details, see our developer documentation: User Privacy API
DSAR API (Data Subject Access Request)
The GDPR, the CCPA, and other global privacy laws require our customers to provide all data about an end user upon their request. Data Subject Access Requests (DSARs) under the GDPR, Requests to Know under the CCPA, as examples, can be completed using the DSAR API, which makes it easy to retrieve all data about a single user. More details can be found here.
We may update this section as the global regulations emerge or are updated and if any additional information is required.
For more information, contact sales here.