The policy establishes that Amplitude acts as a data controller for personal information collected through its own website and marketing activities, and as a data processor or service provider when processing data submitted by business customers through the Amplitude platform.
This analysis describes what Amplitude's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision determines which legal obligations, data subject rights workflows, and contractual requirements apply depending on the data processing context. Organizations deploying Amplitude's SDK must assess their own controller responsibilities for end-user personal data processed through the platform, and should ensure a Data Processing Agreement with Amplitude is in place to govern the processor relationship.
Restructured explanation to emphasize customer control and responsibility, and clarified that Amplitude acts as controller only for website/marketing data collection.
View full change record →Under this clause, individuals interacting with Amplitude's website or marketing activities may submit privacy rights requests directly to Amplitude as the data controller. End users of third-party applications built on Amplitude's platform must direct data requests to the deploying organization, which acts as the data controller for those processing activities.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
Amplitude has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"When we provide our Services to our Customers, we process personal information on behalf of our Customers as a service provider or data processor. Our Customers control what personal information is submitted to Amplitude through the Services and are responsible for their use of the Services. When we collect personal information about you through our website and marketing activities, we act as a data controller.— Excerpt from Amplitude's Amplitude Privacy Notice
REGULATORY LANDSCAPE: This provision engages GDPR Articles 4, 24, and 28 (controller and processor definitions and obligations) and CCPA/CPRA's service provider framework. Under GDPR, a data processor must operate under a written contract with the controller that specifies the subject matter, nature, and purpose of processing. The relevant enforcement authorities are EU member state data protection authorities and the California Privacy Protection Agency. GOVERNANCE EXPOSURE: High. The dual-role structure creates distinct compliance tracks: controller obligations for marketing data (legal basis, consent, retention) and processor obligations for platform data (DPA, sub-processor management, data subject request routing). Misclassification of role in either direction could create regulatory exposure under GDPR or CCPA. JURISDICTION FLAGS: EU/EEA organizations face heightened exposure under GDPR Article 28, which requires a binding DPA before any processor relationship commences. California-based organizations must ensure the service provider relationship meets CPRA's written contract requirements to preserve service provider status and avoid inadvertent sale classification. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should verify that a current, executed DPA is in place with Amplitude prior to deploying the platform SDK. The DPA should specify permitted processing purposes, sub-processor lists, data subject rights assistance obligations, and breach notification timelines. Standard commercial practice in the B2B analytics sector typically requires such agreements, and their absence may create liability for the deploying organization. COMPLIANCE CONSIDERATIONS: Organizations should audit their data mapping documentation to reflect Amplitude's processor role, update privacy notices to disclose Amplitude as a sub-processor where applicable, and confirm that data subject rights requests received from end users can be routed appropriately. EU organizations should confirm the applicable cross-border transfer mechanism documented in the DPA.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision determines which legal obligations, data subject rights workflows, and contractual requirements apply depending on the data processing context. Organizations deploying Amplitude's SDK must assess their own controller responsibilities for end-user personal data processed through the platform, and should ensure a Data Processing Agreement with Amplitude is in place to govern the processor relationship.
Under this clause, individuals interacting with Amplitude's website or marketing activities may submit privacy rights requests directly to Amplitude as the data controller. End users of third-party applications built on Amplitude's platform must direct data requests to the deploying organization, which acts as the data controller for those processing activities.
ConductAtlas has identified this type of provision across 4 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Amplitude.