Privacy Policy

This policy explains what personal data Ampified collects, why we collect it, how we protect it, and your rights under UK GDPR and the Data Protection Act 2018.

Ampified is a social media automation platform for podcasters, venues and bands, operated by Andrew Dunn trading as Ampified (company registration pending). Data controller: Andrew Dunn (trading as Ampified) Address: Stockport, England, United Kingdom Contact: privacy@ampified.co.uk Website: https://ampified.co.uk Ampified is registering with the UK Information Commissioner's Office (ICO) as a data controller. The registration number will be published here once issued.

We collect only the data we need to provide the service. Account data • Your name and email address — to create and manage your account • Your password (stored as a bcrypt hash — we never see the plain text) • Your account type (podcaster, venue, or band) Content data • Your RSS feed URL, episode titles, descriptions and audio links • Transcripts generated from your episodes via our AI transcription service • Your Voice Profile — the tone, style preferences and example posts you provide • Posts generated and approved through the platform Platform connection data • OAuth access tokens for social media platforms you connect (Facebook, Instagram, Twitter/X, LinkedIn, Threads, Bluesky). These are stored in encrypted form and used only to post on your behalf Newsletter data (if you use this feature) • Your subscribers' email addresses, names (if provided), and consent records • Confirmation and opt-in timestamps and IP addresses (required by UK GDPR to demonstrate lawful consent) Usage and technical data • When you log in and what features you use • AI usage logs (how many generations you've used, for plan limit enforcement) • Server logs including IP addresses (retained for 30 days for security purposes)

We rely on the following lawful bases under UK GDPR Article 6: Contract (Article 6(1)(b)) — we process your account data, content data and platform connection data to provide the service you've signed up for. Without this processing we cannot deliver the service. Legitimate interests (Article 6(1)(f)) — we process usage data to maintain service security, prevent abuse, and improve the platform. We have assessed that our legitimate interests are not overridden by your rights. Consent (Article 6(1)(a)) — for newsletter subscribers, consent is the lawful basis. We record explicit consent at the point of signup. Legal obligation (Article 6(1)(c)) — we retain certain records where required by law.

We use two AI services to generate content: Anthropic Claude — used to generate social media posts, show notes, blog posts and other written content. Your episode titles, descriptions, podcast name and transcript excerpts are sent to Anthropic's API. Anthropic is based in the United States. We have a Data Processing Agreement with Anthropic. Their privacy policy is at anthropic.com/privacy. OpenAI Whisper — used to transcribe your audio episodes into text. Your audio files are sent to OpenAI's API and transcribed. OpenAI is based in the United States. We have a Data Processing Agreement with OpenAI. Their privacy policy is at openai.com/privacy. No personally identifiable information beyond what appears in your content metadata (episode titles, podcast name) is sent to either AI provider. International transfers: Both Anthropic and OpenAI process data in the United States. These transfers are covered by Standard Contractual Clauses (SCCs) as required under UK GDPR.

When you connect a social media account, we store the access token required to post on your behalf. We use these tokens only to publish content you have explicitly approved. We do not read your private messages, followers, contacts, or any data beyond what is required to post. Meta (Facebook/Instagram) tokens expire after 60 days. We will email you before expiry. You can disconnect any platform at any time from Settings. When disconnected, the access token is immediately deleted from our database.

We send emails using Resend (resend.com), a transactional email service. Your email address is processed by Resend solely to deliver emails on our behalf. We have a Data Processing Agreement with Resend. Emails we send: • Account confirmation and password reset • Post approval digests (can be disabled in Settings) • Platform token expiry reminders • Service updates and changes to these terms (required notices) • Your newsletter content to your subscribers (only when you initiate a send) We do not send marketing emails without your explicit consent.

Your data is stored on a dedicated server hosted by IONOS SE in Gloucester, England, United Kingdom. The server is not shared with other customers. Security measures: • Passwords hashed with bcrypt — never stored in plain text • All traffic encrypted with HTTPS (TLS 1.2+) • Session cookies are HTTP-only and encrypted • WordPress credentials encrypted with AES-256 before storage • Database not accessible from the public internet • Server access restricted by SSH key authentication only We retain your data for as long as your account is active. When you delete your account, all your personal data is permanently deleted immediately — including posts, episodes, voice profile, newsletter subscribers, platform connections, and usage logs. Anonymised aggregate statistics may be retained. Server logs are retained for 30 days for security purposes and then permanently deleted.

We do not sell your data. We do not share your data for advertising purposes. We share data only with the following processors, under written Data Processing Agreements: • Anthropic (anthropic.com) — AI content generation. Episode metadata and transcripts only. • OpenAI (openai.com) — Audio transcription. Audio files only. • Resend (resend.com) — Email delivery. Email addresses only. • IONOS SE (ionos.co.uk) — Server hosting. Infrastructure provider only. • The social media platforms you connect — your approved post content, published at your instruction. We do not share your data with any other third party without your explicit consent.

If you use Ampified's newsletter feature, you are the data controller for your subscribers' personal data. Ampified processes that data as your data processor under a data processing relationship. We collect and store for each subscriber: email address, name (if provided), date of subscription, IP address at signup, IP address at email confirmation, and the exact consent statement shown at signup. This is required under UK GDPR to demonstrate a lawful basis for processing. Subscribers can unsubscribe at any time via the link included in every newsletter. Unsubscribed records are marked as unsubscribed and never emailed again. They are retained in an unsubscribed state for compliance evidence and deleted when you delete your account. As a newsletter operator, you are responsible for ensuring your use of subscribers' data complies with UK GDPR. You must not use Ampified to send spam, unsolicited emails, or emails to people who have not given valid consent.

We use one cookie: a session cookie that keeps you logged in. It is HTTP-only (cannot be read by JavaScript), encrypted, and expires when you log out or after 30 days of inactivity. We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party cookies. We do not use Google Analytics or any similar tracking service. Because we use only a strictly necessary session cookie, we are not required to show a cookie consent banner under PECR (Privacy and Electronic Communications Regulations). However, we disclose it here for full transparency.

You have the following rights regarding your personal data: Right of access — you can download a copy of all data we hold about you at any time. Go to Settings → Your Data → Download my data (you'll get a JSON file containing all personal data we hold). Right to rectification — you can update your name and email address in Settings at any time. Right to erasure — you can permanently delete your account and all associated data in Settings → Delete Account. Deletion is immediate and irreversible. Right to data portability — your exported data is in JSON format, which can be imported into other systems. Right to object — you can object to processing based on legitimate interests by contacting us. Right to restriction — you can request we restrict processing of your data while a complaint is investigated. Right to withdraw consent — for newsletter subscriptions, you can unsubscribe at any time. For other processing based on contract or legitimate interests, the lawful basis does not change. To exercise any right, contact us at privacy@ampified.co.uk. We will respond within one calendar month. Right to complain to the ICO: If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

Ampified is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@ampified.co.uk and we will delete it.

We may update this policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. The date at the top of this page shows when it was last updated. Continued use of Ampified after changes take effect constitutes acceptance of the updated policy. If you do not accept the changes, you may delete your account before they take effect.

For any questions about this privacy policy or how we handle your data: Email: privacy@ampified.co.uk Website: https://ampified.co.uk We aim to respond to all privacy enquiries within 5 working days and to fulfil all rights requests within one calendar month.