Labs Support
EN SV
Data Protection

Your Data, Protected by Design

This page explains how AmpliFlow protects your personal data - in plain language, not legal jargon. For binding terms, see the Privacy Policy.

Last updated: 2026-03-27

Privacy Is Not a Checkbox

Data protection is built into how AmpliFlow works - not bolted on afterward.

EU-only hosting by default. Minimal data collection. Transparency about every sub-processor. A Data Processing Agreement with every subscription. These are not policies we wrote to comply - they are decisions we made because protecting your data is fundamental to a management system you can trust.

Your Data's Journey

Follow your data from browser to secure EU storage. Click each step to see the security measures protecting your information at every stage.

Your Data Stays in the EU

Click a location to see details

Azure West Europe Hetzner Finland Azure Sweden Central Hetzner Frankfurt

Netherlands

Azure West Europe

Location
Netherlands
What's stored
Application data and application hosting. All customer data encrypted with AES-256 at rest.
Security
AES-256 encryption, TLS 1.2+ in transit, role-based access control, multi-tenant isolation.

Finland

Hetzner Finland

Location
Finland
What's stored
Website hosting, self-hosted Sentry (error monitoring), and application logs.
Security
Dedicated servers with disk encryption, TLS 1.2+ in transit. No customer data is stored here.

Sweden (Gävle/Sandviken)

Azure Sweden Central

Location
Sweden (Gävle/Sandviken)
What's stored
Uploads and files from AmpliFlow. Document storage with Azure Blob Storage.
Security
AES-256 encryption at rest, TLS 1.2+ in transit. Data stays in Sweden.

Germany (Frankfurt)

Hetzner Frankfurt

Location
Germany (Frankfurt)
What's stored
Analytics database (Rybbit). No customer data is stored here.
Security
Dedicated servers with disk encryption, TLS 1.2+ in transit.
EU countries
Data center

Map data © SimpleMaps.com

How We Protect Your Data

Six pillars of data protection built into every AmpliFlow subscription.

EU-Only Hosting

All customer data is stored on infrastructure within the EU/EEA. No data leaves the EU/EEA. Customers with data residency requirements (specific countries or single-datacenter hosting) are welcome to contact us.

Technical Security

AES-256 encryption at rest, TLS 1.2+ in transit, role-based access control and multi-tenant isolation. Full technical details are on our security page.

Read more about technical security →

Data Subject Rights

Access, correct, delete, restrict, port, and object - all your rights under GDPR. Contact info@ampliflow.com and we respond within one month.

Sub-Processor Transparency

Limited sub-processors: Microsoft Azure, Hetzner, Pendo, Sendgrid. AI is entirely opt-in. The standard options are OpenAI and Anthropic (USA). Customers requiring EU-based AI can choose Mistral AI (France) or a self-hosted model, both with a separate contract.

Breach Notification

24-hour contractual notification commitment. Includes what happened, what data was affected, and what steps are being taken.

Data Portability

Full data export available at subscription end. Your data is yours - before, during, and after your subscription.

Our Sub-Processors

Full transparency about who handles your data and where.

10 sub-processors, 8 EU-hosted, 4 optional (opt-in)

10 sub-processors shown

AmpliFlow App

Infrastructure

Microsoft Azure

Location

EU (Sweden & Netherlands)

Data processed

Application data, databases, files

Application hosting and file storage at data centers within the EU/EEA. No data leaves the EU/EEA.

Infrastructure

Hetzner

Location

EU (Finland & Germany)

Data processed

Application data and logs

Dedicated servers within the EU/EEA. No data leaves the EU/EEA.

Analytics

Pendo

Location

EU

Data processed

Email addresses, user IDs, usage patterns

Tracks how logged-in users navigate and use AmpliFlow so we can improve the product. Tied to user accounts.

Communication

Sendgrid

Location

EU

Data processed

Email addresses, message content

Handles transactional emails like notifications and password resets.

AI

OpenAI

Location

USA

Data processed

Context data relevant to the specific AI task

Only used if you actively choose to enable AI features and accept a separate agreement inside the application. Data is processed outside the EU, and your explicit acceptance is required before the feature activates.

AI

Anthropic

Location

USA

Data processed

Context data relevant to the specific AI task

Only used if you actively choose to enable AI features and accept a separate agreement inside the application. Data is processed outside the EU, and your explicit acceptance is required before the feature activates.

AI

Mistral AI

Location

EU (France)

Data processed

Context data relevant to the specific AI task

French AI company. All data processing stays within the EU. Available for customers who want AI features but require data to remain in the EU. Requires a separate contract in addition to the standard subscription. Contact us to discuss.

AI

Self-hosted LLM

Location

EU (datacenter of choice)

Data processed

Context data relevant to the specific AI task

AmpliFlow can host an open model (e.g. Qwen) on dedicated infrastructure within the EU. Data never leaves the EU and the model runs isolated for your organization. Requires a separate contract and an additional monthly infrastructure cost. Contact us to discuss your options.

Marketing website (ampliflow.se / ampliflow.com)

Analytics

Rybbit

Location

EU (Self-hosted)

Data processed

Anonymous visitor statistics (page views, navigation, campaign parameters), no personal data

Self-hosted instance of Rybbit - open source, running on our own servers. Collects anonymous visitor statistics (page views, navigation, outbound clicks, campaign parameters such as UTM tags, and JavaScript errors) without cookies and without personal data.

Communication

MailerLite

Location

EU (Lithuania)

Data processed

Email addresses of newsletter subscribers

Lithuanian company that handles newsletter delivery to subscribers who have actively opted in.

Data Processing Agreement

When your organization uses AmpliFlow, you are the data controller - you decide what personal data enters the system and why. AmpliFlow (operated by Cognit Consulting AB) is the data processor - we process that data on your behalf, strictly according to your instructions and GDPR requirements.

A Data Processing Agreement (DPA) defines each party's responsibilities: what data is processed, how it is protected, and what happens if something goes wrong. AmpliFlow provides a DPA as part of every subscription agreement - no add-on, no extra cost.

In practice, this means your organization stays in control. We handle your data according to the rules you and GDPR set.

Need a DPA? Contact us and we'll sort it out!

No Third-Country Transfers

All processing of customer data takes place within the EU/EEA. Schrems II is a non-issue because we never transfer data outside the EU as a default.

Microsoft Azure - our infrastructure provider - is certified under the EU-U.S. Data Privacy Framework (DPF). All data centres we use are located within the EU.

Exception: If you explicitly choose to enable AI features, those providers may process data outside the EU. See our Privacy Policy and Terms of Service for details.

Your Data Belongs to You

Full data export is available at the end of your subscription. We export all your data in JSON format (structured data) plus original files (attachments you've uploaded). After confirmed receipt, your data is deleted from our systems and you receive a deletion certificate.

Your data belongs to you - before, during, and after your subscription.

We charge a fee for the export as the process still requires some manual handling. We're actively working to automate this and continuously reduce the cost.

Check Your GDPR Readiness

Answer 7 quick questions to see how your current management system stacks up against core GDPR requirements - and where AmpliFlow can help.

7 questions. About 2 minutes.

Frequently Asked Questions

What personal data does AmpliFlow process?
Names, email addresses, and usage data as described in our Privacy Policy. The specific categories depend on how your organization uses the service.
Where is my data stored?
Within the EU/EEA only. We use multiple infrastructure partners (including Microsoft Azure and Hetzner) with data centers in Sweden, the Netherlands, and Finland. No customer data is transferred outside the EU/EEA. AI features are entirely opt-in and require a separate agreement that users must explicitly accept inside the application before any AI processing occurs.
Can we require data to be stored in a specific country or datacenter?
Yes, that is something we can discuss. We are expanding data residency options, from consolidated EU hosting today toward single-datacenter deployments in any EU/EEA country for customers with those requirements. Get in touch and we will walk you through what is possible for your organization.
How do I exercise my data subject rights?
Email info@ampliflow.com with your request. We respond within one month, as required by GDPR.
What happens to my data when I cancel?
Full data export is available so you can retrieve your information. After export, your data is deleted from our systems. Specifics - including timelines and format - are covered in the Terms of Service.
Is a DPA included?
Yes. AmpliFlow provides a Data Processing Agreement on request. It defines responsibilities, data categories, security measures, and breach notification procedures. Email security@ampliflow.com to request one.
Do you transfer data outside the EU?
No. AI features are entirely opt-in and require a separate agreement that users must explicitly accept inside the application. No AI processing occurs without that explicit acceptance.
Does the website collect data?
This website (ampliflow.se / ampliflow.com) uses Rybbit - a self-hosted, open-source analytics platform running on our own servers. It collects anonymous visitor statistics without cookies and without personal data. We track page views, navigation patterns, outbound link clicks, campaign parameters (such as UTM tags from ads), and JavaScript errors - so we can see which content and campaigns visitors find relevant. No data leaves our servers for analytics purposes.

Questions About Data Protection?

If you have questions about how AmpliFlow handles your data, need a copy of our DPA, or want to exercise your data subject rights - we're here to help.

Email: info@ampliflow.com

Visit our contact page →