Amplitude wears two hats: it controls data about website visitors and business contacts directly, but for data collected inside its customers' apps, it acts only as a processor following the customer's instructions.
This analysis describes what Amplitude's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This distinction determines who is legally responsible for your data and who you should contact with privacy requests, depending on how you encountered Amplitude.
If your data was collected through a third-party app that uses Amplitude, your privacy rights run primarily against that app operator, not Amplitude directly, which may limit your practical recourse against Amplitude for that data.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
Amplitude has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Amplitude acts as a "data controller" with respect to the personal information it collects about visitors to the Amplitude website and about contacts and representatives of our current and potential customers and partners. Amplitude acts as a "data processor" or "service provider" with respect to the personal information that Amplitude processes on behalf of our customers using the Amplitude platform.— Excerpt from Amplitude's Amplitude Privacy Notice
(1) REGULATORY LANDSCAPE: GDPR Articles 4(7) and 4(8) define controller and processor roles with distinct legal obligations; this provision's characterization of Amplitude as a processor for customer deployments directly engages those definitions and corresponding DPA requirements. The FTC Act is relevant to the controller-side processing. (2) GOVERNANCE EXPOSURE: Medium. The dual-role structure is common in B2B SaaS analytics, but it creates compliance complexity for enterprise customers who must ensure their DPAs with Amplitude are current, complete, and reflect actual data flows for both roles. Misclassification of the role in a given context could create regulatory exposure for either party. (3) JURISDICTION FLAGS: EU and UK data subjects are most directly affected given GDPR and UK GDPR requirements for documented DPAs between controllers and processors. California CPRA similarly requires service provider contracts that restrict downstream use. Organizations serving data subjects in multiple jurisdictions should ensure DPA templates address all applicable frameworks. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm that executed DPAs with Amplitude explicitly address Standard Contractual Clauses for international transfers, sub-processor lists, audit rights, and breach notification timelines. The notice's assertion of processor status may not automatically satisfy all contractual requirements without a separately executed agreement. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should map all data flows to confirm whether Amplitude is acting as controller or processor in each context, update data inventories accordingly, and ensure that end-user-facing privacy notices for apps built on Amplitude accurately disclose Amplitude as a sub-processor or third-party recipient.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This distinction determines who is legally responsible for your data and who you should contact with privacy requests, depending on how you encountered Amplitude.
If your data was collected through a third-party app that uses Amplitude, your privacy rights run primarily against that app operator, not Amplitude directly, which may limit your practical recourse against Amplitude for that data.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Amplitude.