← Back to Home

Privacy Policy

Last updated: April 10, 2026

This Privacy Policy explains how HS PLUS DEVELOPMENT LIMITED, trading as Amplify (“Company,” “we,” “us,” “our”), registered at 104-108 Chiswick High Road, London, United Kingdom, W4 1PU, collects, uses, stores, shares, and protects your personal data when you use our AI assistant platform and related services (collectively, the “Service”) available at getamplify.team.

This Policy applies to all users of the Service, including visitors to our website. It is designed to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK Data Protection Act 2018, and other applicable data protection laws.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.

1. Data Controller

HS PLUS DEVELOPMENT LIMITED, trading as Amplify, is the data controller responsible for processing your personal data under this Privacy Policy. For questions, requests, or concerns about data processing:

Contact: [email protected]

Postal address: 104-108 Chiswick High Road, London, United Kingdom, W4 1PU

2. Definitions

  • “Personal Data”— any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • “Processing”— any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and erasure.
  • “AI Assistant”— your personalised AI-powered assistant operating in an isolated environment as part of the Service.
  • “Channel”— a messaging platform (Telegram, Discord, or WhatsApp) connected to your AI Assistant.
  • “Integration”— an optional connection to a third-party service (Google Workspace, Notion) that you authorise.
  • “Deposit” or “Balance”— funds added to your Account to cover usage costs for AI processing, media generation, and other features.

3. Information We Collect

3.1 Account Information

  • Email address (used for authentication and communication)
  • Full name (provided during registration)
  • Role or job title (optionally provided during onboarding)
  • Assistant name, persona, and behaviour preferences
  • Avatar images you upload (your profile and/or assistant avatar)

3.2 Conversation and Memory Data

  • Messages you exchange with your AI Assistant via connected Channels
  • Persistent memory fragments your assistant stores to provide personalised responses (powered by a self-hosted vector memory system)
  • Files, images, and documents you share with your assistant

3.3 Usage and Billing Data

  • AI model usage metrics (request counts, token consumption, usage costs)
  • Subscription plan, billing period, and payment history
  • Deposit records and account Balance
  • Feature and Skill usage patterns

3.4 Technical Data

  • IP address and approximate geographic location
  • Browser type and operating system
  • Pages visited and interactions on our website (collected via privacy-focused, cookie-less analytics; see Section 12)
  • Authentication session identifiers (essential cookies only)

3.5 Integration Data

  • OAuth tokens and refresh tokens for connected services (Google Workspace, Notion)
  • Data retrieved from connected services when your AI Assistant performs tasks on your behalf (e.g., calendar events, emails, documents)

4. Google Workspace Data

If you choose to connect your Google account, your AI Assistant may access certain Google Workspace data on your behalf. This connection is entirely optional and requires your explicit consent through Google's OAuth authorisation flow.

4.1 Scopes and Data We Access

When you authorise the Google integration, you can choose which Google services your assistant may use. In production, we only request Google-verified scopes that are currently approved for Amplify:

  • Gmail(gmail.readonly and, if selected, gmail.compose) — Read messages and optionally create drafts, send email, and reply. We do not request gmail.modify or unrestricted Gmail access.
  • Google Calendar(calendar) — Current production access to view and manage calendars, including shared calendars and invitations
  • Google Contacts(contacts) — View, create, update, and delete contacts on your behalf
  • Google Drive(drive) — Access, organise, and manage files in your Drive
  • Google Docs(documents) — Read and edit your documents
  • Google Sheets(spreadsheets) — Read and edit your spreadsheets

Lower-access read-only variants for Calendar, Contacts, Drive, Docs, and Sheets may appear in the product as unavailable preview options. If an option is selectable, it can be tested in that environment. We do not request future Google scopes in production before approval.

4.2 How We Use Google Data

Your Google Workspace data is used exclusively to power your personal AI Assistant:

  • Your assistant reads and sends emails only when you instruct it to
  • Calendar events are accessed to help manage your schedule upon request
  • Drive, Docs, and Sheets are accessed only to fulfil your specific task instructions
  • Contacts are accessed to find, create, or update contact information when you ask

4.3 What We Do NOT Do with Google Data

  • We do not sell, rent, or lease your Google data to any third party
  • We do not use your Google data for advertising, market research, or user profiling
  • We do not use your Google data to train machine learning or AI models
  • We do not share your Google data with other users or customers
  • We do not retain or cache copies of your Google data beyond what is needed for immediate task execution

4.4 Google Data Storage and Security

  • We store only your Google OAuth refresh token and connected account email address. Access tokens are short-lived and not persisted.
  • Refresh tokens are stored in a secured database with row-level security (RLS) policies ensuring only your Account can access your tokens.
  • Per-client integration credentials are encrypted at rest using JWE (JSON Web Encryption) with PBES2-HS256+A128KW, using a unique per-client encryption key.
  • Your assistant operates in an isolated, sandboxed environment. No other user's assistant can access your Google data.

4.5 Revoking Google Access

You can disconnect your Google account at any time from your dashboard under Integrations. When you disconnect:

  • Your stored refresh token is immediately deleted from our systems
  • Per-client Google credentials are removed
  • A revocation request is sent to Google to invalidate the token
  • You can also revoke access directly from your Google Account permissions page

5. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service— operating your AI Assistant, processing your instructions, and delivering responses through connected Channels
  • Personalisation— enabling your assistant to remember context from past conversations through persistent memory
  • Billing and Account management— processing subscription payments, tracking usage costs, managing your Account
  • Service communications— sending essential notifications about your Account, service status, and important updates
  • Security— detecting and preventing fraud, abuse, and unauthorised access
  • Service improvement— analysing aggregated, anonymised usage patterns to improve reliability and performance
  • Legal compliance— fulfilling legal obligations, responding to lawful data requests, and protecting our rights

We do not use your data for:

  • Targeted advertising or ad personalisation
  • Sale to data brokers or third-party marketers
  • AI model training (neither by us nor by our service providers)
  • User profiling for purposes unrelated to the Service

6. Legal Basis for Processing (GDPR Article 6)

PurposeLegal basis
Operating your AI Assistant and AccountContract performance (Art. 6(1)(b))
Processing payments and billingContract performance (Art. 6(1)(b))
Connecting Google Workspace, Notion, or other IntegrationsConsent (Art. 6(1)(a))
Marketing communications (if any)Consent (Art. 6(1)(a))
Security monitoring and fraud preventionLegitimate interests (Art. 6(1)(f))
Anonymised analytics for service improvementLegitimate interests (Art. 6(1)(f))
Compliance with legal obligations (tax records, lawful requests)Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we have conducted a balancing assessment and determined that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests (see Section 10).

7. Data Sharing and Third-Party Services

We do not sell your personal data. We share data only with the following categories of service providers, and only to the extent necessary to operate the Service:

7.1 Infrastructure and Hosting

  • Supabase(EU region) — database, authentication, and file storage
  • Contabo (Germany) and DigitalOcean(Netherlands/United Kingdom) — server infrastructure for AI Assistant compute

7.2 Content Delivery and Security

  • Cloudflare— DNS resolution, content delivery, DDoS protection, and access control

7.3 AI and Language Processing

  • OpenRouter— AI language model routing (processes your assistant's conversations to generate responses)
  • OpenAI— audio transcription service (for voice messages only)

Important: Your conversational data is transmitted to AI model providers solely for the purpose of generating responses. Your data is not used by us or our AI model providers to train AI models.

7.4 AI Media and Voice Processing

  • ElevenLabs— text-to-speech synthesis, sound effects generation, and voice processing. When you use voice-related Skills, your text prompts and, where applicable, audio files are sent to ElevenLabs for processing.
  • PiAPI— video generation service (Kling AI). When you use the video generation Skill, your text prompts and reference images are sent to PiAPI for video creation.

7.5 Web Search

  • Tavily— web search API. When your AI Assistant performs web searches on your behalf, your search queries are sent to Tavily, which returns publicly available search results.

7.6 Analytics

  • Plausible— a privacy-focused, cookie-less web analytics service that collects anonymised page view data on our marketing website. Plausible does not use cookies, does not collect personal data, and does not track individual users. Plausible does not receive any of your AI Assistant conversations or account data.

7.7 Payment Processing

  • Stripe, Inc.— subscription billing and payment processing. Stripe is PCI DSS Level 1 certified. We do not store your full credit card details.

7.8 Connected Integrations (User-Initiated)

  • Google Workspace— only when you explicitly connect your Google account (see Section 4)
  • Notion— only when you explicitly connect your Notion workspace
  • Telegram, Discord, WhatsApp— messaging platforms you choose to connect as Channels. Note: WhatsApp is connected via the WhatsApp Web linking protocol (QR code pairing), not the WhatsApp Business API. This means your Amplify server operates as a linked device on your WhatsApp account. Only messages directed to or from your AI Assistant are processed; messages not directed to the assistant are neither read, stored, nor processed by our systems. However, as a linked device, the server has technical access equivalent to other linked WhatsApp Web sessions. You can unlink the device at any time from your WhatsApp app settings (Linked Devices) and from the Amplify dashboard.

Each third-party service operates under its own terms of service and privacy policy. We encourage you to review their policies. Users should be aware that the use of automated services through the WhatsApp Web linking protocol may be subject to WhatsApp's own Terms of Service. We recommend reviewing WhatsApp's policies regarding linked devices and automated interactions.

7.9 Sub-Processor Changes

We will update this Privacy Policy and notify you via email at least 14 days before engaging a new category of sub-processor that will process your personal data. The current list of sub-processors is maintained in Sections 7.1–7.8 above.

7.10 Legal Disclosure

We may disclose your data:

  • When required by law, regulation, or valid legal process (court order, subpoena)
  • To protect the rights, property, or safety of the Company, our users, or the public
  • In connection with a merger, acquisition, or sale of Company assets (with advance notice to affected users)

8. Data Isolation and Security

We implement multiple layers of technical and organisational security measures:

8.1 Per-Client Isolation

  • Each user receives a dedicated, isolated AI Assistant environment with its own containerised runtime, system user, and data directory
  • Vector memory is stored in per-client databases — no user can access another user's memories
  • API keys, tokens, and credentials are stored per-client with row-level security (RLS) policies

8.2 Encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • Database connections use encrypted channels with certificate verification
  • Integration credentials (Google, Notion) are encrypted at rest using per-client JWE encryption keys
  • API keys are stored in secured database columns with access controls

8.3 Access Controls

  • Row-level security (RLS) ensures database queries return only data belonging to the authenticated user
  • Administrative access to infrastructure is protected by SSH key authentication and network-level access controls
  • AI Assistant sandboxes run with restricted permissions and cannot access the host system or other clients' data
  • Staff access is governed by the principle of least privilege and is logged for audit purposes

8.4 Incident Response

  • We maintain incident response procedures for security events
  • In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, in accordance with GDPR Article 33 and Article 34

9. Data Retention

We retain your data according to the following schedule:

Data typeRetention period
Active account dataDuration of your subscription and active use
Conversation memoryWhile your Account is active. You may request deletion of specific memories at any time through your assistant.
Billing and invoice recordsUp to 7 years after the transaction, as required by applicable tax and accounting laws
After Account deletionPersonal data deleted within 30 days. Assistant environment (files, memory, configuration) fully deprovisioned within 72 hours.
Suspended accountsData retained for 90 days after suspension, then fully deprovisioned
Integration tokens (Google, Notion)Deleted immediately upon disconnection or Account deletion
Deposit recordsDeposit funds do not expire. Transaction records retained with billing records.
Technical logsRetained for operational and security purposes, regularly rotated

When data is no longer needed for any of the purposes described in this Policy or required by law, it is securely deleted or anonymised.

10. Your Rights

Under the GDPR and applicable data protection laws, you have the following rights:

10.1 Right of Access (Art. 15)

You may request a copy of all personal data we hold about you, including Account information, AI Assistant configuration, stored conversation memories, and uploaded files.

10.2 Right to Rectification (Art. 16)

You may correct inaccurate or incomplete personal data. You can update your name and email through the dashboard, or contact us for other corrections.

10.3 Right to Erasure (Art. 17)

You may request deletion of your personal data (“right to be forgotten”). This right applies subject to legal exceptions (e.g., data we must retain for tax compliance). Account deletion can be initiated through the dashboard.

10.4 Right to Restriction of Processing (Art. 18)

You may request that we restrict processing of your data in certain circumstances (e.g., while we verify accuracy of contested data).

10.5 Right to Data Portability (Art. 20)

You may request your data in a structured, commonly used, machine-readable format. Upon receiving a valid portability request, we will compile and deliver a comprehensive archive of your data — typically as a JSON archive containing your account data, assistant configuration, stored memories, and uploaded files — within 30 calendar days.

10.6 Right to Object (Art. 21)

You may object to processing based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

10.7 Right to Withdraw Consent (Art. 7(3))

Where processing is based on your consent (e.g., connected Integrations, marketing), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

10.8 Right Not to Be Subject to Automated Decision-Making (Art. 22)

We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you. Your AI Assistant provides suggestions and assistance, but does not make binding decisions on your behalf.

10.9 How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected]. We will verify your identity and respond within 30 days. If your request is complex or we receive a high volume of requests, we may extend this period by up to 60 additional days, with notice.

There is no charge for exercising your rights, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act.

11. Data Subject Access Requests (DSAR)

11.1. You may submit a data subject access request by emailing [email protected] with the subject line “Data Access Request” from the email address associated with your Account.

11.2. Upon receiving a valid request, we will:

  • Verify your identity using the email address on your Account
  • Compile all personal data we hold about you, including:
    • Account and profile information
    • AI Assistant configuration and preferences
    • Stored conversation memories
    • Uploaded files and documents
    • Billing and usage history
    • Integration connection records
  • Deliver the archive to you in a structured, machine-readable format within 30 calendar days

11.3. If we require additional time due to complexity or volume, we will notify you within the initial 30-day period and may extend by up to 60 additional days.

11.4. For data deletion requests (right to erasure), see Section 10.3 and our Terms of Service, Section 17.

12. Cookies, Analytics, and Tracking Technologies

12.1 Cookies We Use

We use a minimal set of cookies:

  • Authentication cookies— secure, HttpOnly session cookies that maintain your login state (strictly necessary)
  • Access control cookies— used for network-level access control on protected areas (strictly necessary)
  • OAuth state cookies— short-lived, secure cookies used during Google and other OAuth flows to prevent cross-site request forgery (strictly necessary)
  • Cookie consent cookie— stores your cookie preferences (necessary/analytics/marketing choices) for one year

12.2 Analytics

We use two analytics services:

  • Plausible— a privacy-focused, cookie-less analytics service that collects anonymised page view data. Plausible does not use cookies, does not track individual users, and does not collect personal data. It is loaded automatically on our website.
  • Google Analytics 4 (GA4)— loaded only with your explicit consent. When you visit our website, a cookie consent banner asks whether you accept analytics cookies. GA4 is activated only if you click “Accept All.” If you choose “Only Necessary,” GA4 is not loaded and no analytics cookies are set.

12.3 What We Do NOT Use

  • Third-party tracking cookies
  • Advertising, retargeting, or remarketing cookies or pixels
  • Facebook Pixel, or similar cross-site tracking technologies

12.4 Managing Your Preferences

You can manage your cookie and analytics preferences:

  • Via the cookie consent banner displayed on your first visit
  • Via your browser settings at any time
  • Logged-in users can adjust analytics preferences in their dashboard settings

13. International Data Transfers

Your data may be processed in the following regions:

  • European Union— primary database (Supabase, EU region)
  • Germany— server infrastructure
  • Netherlands / United Kingdom— additional server infrastructure
  • United States— certain third-party services (Stripe, OpenRouter, Cloudflare)

Where data is transferred outside the European Economic Area (EEA):

  • We rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
  • We rely on adequacy decisions where applicable (e.g., UK under Commission Implementing Decision (EU) 2021/1772)
  • We assess the data protection laws and practices of recipient countries and implement supplementary measures where necessary

You may request information about the specific safeguards in place for international transfers by contacting [email protected].

14. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we learn that we have collected personal data from a child under 16, we will take immediate steps to delete that data. If you believe a child has provided us with personal data, please contact us at [email protected].

15. Data Not Used for AI Training

We want to be unequivocally clear: your data is not used to train AI models.

  • Your conversations, files, memories, and any other data processed through the Service are used solely to provide the Service to you.
  • We do not use your data to train, fine-tune, or improve any AI language model, image model, or other machine learning system.
  • Our third-party AI model providers (accessed via OpenRouter) do not use your data for model training. We select providers and routing configurations that explicitly exclude customer data from training datasets.
  • This guarantee applies to all data categories: conversational data, uploaded files, integration data, and metadata.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.

  • Material changes will be communicated via email or through a prominent notice on the Service at least 14 days before they take effect.
  • The “Last updated” date at the top of this Policy indicates when it was last revised.
  • Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
  • If you do not agree to the changes, you must discontinue use of the Service before the effective date.

17. Supervisory Authority

If you are located in the European Economic Area or the United Kingdom and believe that we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

For users in the United Kingdom, the relevant supervisory authority is the Information Commissioner's Office (ICO): ico.org.uk

For a list of EU supervisory authorities, see the European Data Protection Board website: edpb.europa.eu

18. Contact Us

For questions about this Privacy Policy, to exercise your data rights, or to report a data protection concern:

Email: [email protected]

Postal address:
104-108 Chiswick High Road
London, United Kingdom, W4 1PU

Business customers requiring a Data Processing Agreement (DPA) may request one at [email protected].

Related Documents