Table of contents
Introduction
Amelytic (“we”) is the controller of personal data processed through the Amelytic platform. This policy explains what we collect, why, how long we keep it, and the rights you have under GDPR, the UK GDPR, India’s Digital Personal Data Protection Act 2023, and the California Consumer Privacy Act.
What we collect
- Account data
- Name, work email, organisation, role, password hash. Required to create and operate your account.
- Brand data
- Brand name, voice samples, knowledge documents, channel connections, content you create. Stored to deliver the Service.
- Usage data
- Pages viewed, features used, error reports, performance metrics. Used to improve the Service.
- Device data
- IP, user-agent, approximate location (city-level). Used for security and abuse prevention.
- Billing data
- Last 4 digits of card, billing address, invoices. Card numbers never touch our servers — handled by Stripe.
- OAuth tokens
- Access and refresh tokens for the channels you connect (LinkedIn, Meta, X, etc.). Encrypted with per-row data keys before being persisted.
Why we process it
- To provide and maintain the Service (contractual necessity).
- To authenticate you and detect fraud or abuse (legitimate interest, legal obligation).
- To analyse aggregated usage patterns to improve the product (legitimate interest).
- To send transactional emails — sign-in links, security alerts, billing receipts (contractual necessity).
- To send product news only when you opt in (consent).
- To comply with legal obligations such as accounting and lawful requests.
How long we keep it
We retain account and brand data for the lifetime of your account plus 30 days after deletion (the export window). Audit-log records are kept for 7 years for compliance. Aggregated, de-identified analytics may be kept indefinitely.
International transfers
Some of our subprocessors are located outside your home jurisdiction. Where data leaves the EEA, UK, or India, we rely on Standard Contractual Clauses, the EU–US Data Privacy Framework, or equivalent safeguards.
Your rights
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data ("right to be forgotten").
- Restrict or object to certain processing.
- Receive a portable copy of your data.
- Withdraw consent at any time, where we rely on consent.
- Lodge a complaint with your supervisory authority.
To exercise any of these, email privacy@amelytic.com or use the in-app data tools in Settings → Privacy. We will respond within 30 days.
Security
Encrypted in transit (TLS 1.3) and at rest. OAuth tokens are envelope-encrypted before being written to disk using per-row data keys, themselves wrapped by a master KEK rotated quarterly. Tenant data is isolated via Postgres row-level security. See the Security page for our full controls.
Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact us and we will delete it.
Changes
We will announce material changes by email and in-app notice at least 30 days before they take effect.