Data Ownership

Amplitude customers own the data they send to the Amplitude platform for processing. Amplitude collects and analyses data about the use of its own platform by its customers, but that data does not include the data sent to the platform by its customers for analysis on their behalf.

Personally Identifiable Information/Personal Data

provides instructions on limiting tracking and storage of specific fields in our SDKs.

to set this up.

GDPR

Amplitude’s privacy team has reviewed our architecture, data flows, vendor capabilities and agreements to ensure that our platform is GDPR compliant. Amplitude’s analytics platform does not directly interact with our customers’ end users, nor does the platform automatically collect personal data. However, our customers might collect and send personal data to Amplitude for processing (e.g., IP address) and, as a result, Amplitude has implemented procedures and upgrades for our customers to remain privacy regulation compliant.

Specifically, we provide our customers with APIs to automatically serve their end-user Access and Deletion requests as detailed below.

  1. Amplitude’s Data Processing Agreements (DPAs) rely on the EU Standard Contractual Clauses (SCCs) as the transfer mechanism for Personal Data from the United Kingdom, EU and EEA to our US-West based AWS environment. On July 16, 2020 the Court of Justice of the European Union (CJEU) determined that the EU SCCs will continue to be a valid transfer mechanism for Personal Data from the EU to the United States.

  2. Amplitude has signed Data Processing Agreements with our key vendors.

  3. is a full summary of the data keys Amplitude recognizes. Unless otherwise noted, all fields are optional and no personal data is required to use our core functionality.

  4. Amplitude has built advanced features that will allow customers to remove specific individual’s information from the platform or instruct the platform not to store end-user IP Addresses.

CCPA

Our privacy team continually monitors developments for global privacy regulations and works with product and development teams to create solutions that address the growing concerns around processing personal data. As your vendor under the California Consumer Privacy Act (CCPA), Amplitude is defined as a Service Provider, which bears similarity to the Processor definition under the GDPR.

which can help facilitate access requests. We have also updated our Data Processing Agreement (DPA) in order to meet contractual requirements of the CCPA.

The Amplitude platform receives data collected by our customers from their application or website end-users, and allows them to understand usage metrics of their products. However, Amplitude employees do not access customer end-user data unless instructed by our customer, and customer data is never sold to third parties.

User Privacy API

DSAR API (Data Subject Access Request)

.

We may update this section as the global regulations emerge or are updated and if any additional information is required.