Ampthilly AB, organisationsnummer 559588-0724, with registered office at Bjännberg 121, 905 72 Hörnefors, Sweden (we, us, or our), provides asset management software and related websites (collectively, AMPthilly or the Services) at https://ampthilly.com, https://app.ampthilly.com, and related subdomains.
This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our marketing site, create an account, use our product, or contact us.
For personal data we process on behalf of business customers inside the product, we act as a processor under the customer’s instructions. That processing is described in our Data Processing Addendum.
The Services are intended for business use and are not directed at consumers or children.
1. Data controller
For the processing described in this policy (marketing website, accounts we operate directly, billing, support, and AI Features), the controller is:
- Ampthilly AB, organisationsnummer 559588-0724
- Bjännberg 121, 905 72 Hörnefors, Sweden
- Email: hello@ampthilly.com
- Web: /contact/
We have not appointed a statutory Data Protection Officer; you can reach us at hello@ampthilly.com.
2. Scope
This policy applies to personal data we process when you:
- Visit https://ampthilly.com and related marketing pages;
- Register for, administer, or use an AMPthilly workspace at https://app.ampthilly.com;
- Communicate with our sales, support, or security teams;
- Subscribe to product or marketing communications.
It does not describe how customers use AMPthilly to store records about their own employees, contractors, or assets - that processing is governed by the customer’s policies and our DPA.
3. Personal data we collect
| Category | Examples |
|---|---|
| Identity and account | Name, work email, role, company name, authentication identifiers, profile settings |
| Product usage | Actions in the app, configuration choices, audit events tied to your user account |
| AI interactions | Questions you submit to the in-product assistant and the responses generated |
| Asset-related metadata | Names, emails, or identifiers you or your organisation enter about assignees, approvers, or contacts linked to assets |
| Technical | IP address, device and browser type, approximate location (city/country) derived from IP at login, timestamps, logs, crash diagnostics |
| Communications | Support tickets, contact-form messages, meeting notes where permitted |
| Billing | Billing contact, address, tax identifiers, transaction references. Payment card details are handled directly by Stripe; we do not store card or payment credentials. |
We do not intentionally collect special categories of data (such as health or biometric data) unless you choose to include them in Content.
4. Sources
We collect personal data directly from you; from your organisation’s administrators when they provision your account; automatically through cookies and similar technologies on https://ampthilly.com (see our Cookie Policy); from authentication and session technologies on https://app.ampthilly.com; and from integrations you or your organisation enable.
5. Purposes and lawful bases (EEA/UK)
| Purpose | Lawful basis (typical) |
|---|---|
| Provide, operate, and secure the Services | Contract; legitimate interests (security, fraud prevention) |
| Provide AI Features (assistant responses) | Contract |
| Authenticate users and administer accounts | Contract |
| Process subscriptions and payments | Contract; legal obligation (tax/accounting) |
| Send service, security, and transactional notices | Contract; legitimate interests |
| Send marketing about AMPthilly where permitted | Consent or legitimate interests (you may opt out) |
| Analyse marketing-site traffic (GA4 on ampthilly.com only) | Consent for non-essential analytics cookies |
| Use customer name/logo in marketing | Legitimate interests (you may opt out) |
| Comply with law and respond to lawful requests | Legal obligation; legitimate interests |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
6. AI Features
Our in-product assistant uses Google large language models (the Gemini API) to generate responses. When you use the assistant, your question and relevant Content are sent to Google to produce a response, which is returned to you.
- We do not use your Content or AI interactions to train, fine-tune, or improve our own or any third party’s AI models, and Google does not use this data to train its models under the API terms applicable to us.
- Google acts as a subprocessor and is bound by contract to process data only to provide the feature.
- Google is listed in Section 8 and in the DPA.
7. Marketing communications
We may send product news or educational content where you opt in or where permitted by law. You can unsubscribe using the link in each message or by emailing hello@ampthilly.com. Transactional and security messages may continue even if you opt out of marketing.
8. Sharing and subprocessors
We share personal data with service providers (subprocessors) bound by contract to protect it and to process it only on our instructions; professional advisers under confidentiality; authorities where required by law or to protect rights, safety, and security; and successors in a merger, acquisition, or asset sale, subject to this policy or notice.
We do not sell personal data.
Subprocessors
| Provider | Purpose | Location (typical) |
|---|---|---|
| Vercel | Website and application hosting, CDN | EU/US with safeguards |
| Supabase | Database, authentication, storage | EU/EEA |
| Cloudflare | CDN, DDoS protection, edge security | Global (EU SCCs where applicable) |
| Stripe | Subscription billing and payments | EU/US with safeguards |
| Google (Gemini API) | Powering AI Features (assistant) | Global; EU/US with safeguards |
| Google (Google Analytics / GA4) | Analytics on https://ampthilly.com only (consent-based) | US with safeguards |
| Resend | Transactional and product email | EU/US with safeguards |
We maintain an updated subprocessor list and provide notice of material changes as described in the DPA. An up-to-date list is available on request at hello@ampthilly.com.
9. International transfers
We aim to store and process personal data in the European Economic Area; our primary database (Supabase) is hosted in Europe. Where data is transferred outside the EEA/UK (for example to providers such as Vercel, Cloudflare, Stripe, Google, or Resend in the US), we implement appropriate safeguards such as the EU Standard Contractual Clauses (2021/914), the UK IDTA/addendum, or adequacy decisions, as applicable. You may request information about the relevant mechanism at hello@ampthilly.com.
10. Retention
| Data type | Typical retention |
|---|---|
| Account and workspace data | Life of the Account plus up to 90 days after deletion to allow export and backup purge |
| AI interaction logs | Up to 12 months unless needed longer to investigate abuse or security events |
| Billing and tax records | Up to 7 years where required by accounting law |
| Support communications | Up to 3 years after resolution unless a longer period is needed for disputes |
| Security and audit logs | Up to 12 months, unless needed longer for incident investigation |
| Marketing preferences | Until you withdraw consent or object, plus a short suppression record |
Retention may be extended where required by law or to establish, exercise, or defend legal claims.
11. Security
We implement administrative, technical, and organisational measures designed to protect personal data, including access controls, least-privilege access, encryption in transit (TLS) and encryption at rest where supported by our infrastructure, logging, vulnerability management, and vendor review. No method of transmission or storage is completely secure; please use strong passwords and report suspected incidents to hello@ampthilly.com.
12. Your rights
Depending on your location, you may have the right to access, rectify, erase, restrict, or object to processing; to data portability; to withdraw consent where processing is consent-based; and to lodge a complaint with a supervisory authority (for EEA residents, your local authority; in Sweden, Integritetsskyddsmyndigheten (IMY)).
To exercise rights, email hello@ampthilly.com. We may need to verify your identity. For workspace accounts, we may direct requests to your organisation’s administrator where they control the data. We respond within 30 days unless an extension is permitted by law.
13. Automated decision-making
We do not use solely automated decision-making that produces legal or similarly significant effects within the meaning of GDPR Article 22. AI Features generate responses to assist you but do not make decisions about you.
14. Children
The Services are not directed at children under 18 and are intended for business use. We do not knowingly collect personal data from children. Contact us if you believe we have, and we will delete it.
15. Regional notices
EEA/UK/Switzerland. This policy is designed for GDPR and UK GDPR compliance. You have the rights in Section 12 and may contact your supervisory authority.
United States. Where state privacy laws apply (for example California, Virginia, Colorado, Connecticut, and Utah), we provide the rights above, do not sell or “share” personal information for cross-context behavioural advertising, and describe the categories collected and purposes in Sections 3 and 5. Contact us to exercise rights.
16. Third-party links
Our sites may link to third-party websites or integrations governed by their own policies.
17. Changes
We may update this policy by posting a revised version and updating the effective date. Material changes will be communicated as required by law (for example by email or in-product notice).
18. Contact
Privacy questions and requests: hello@ampthilly.com.