Legal

Privacy Policy

Effective date: 13 June 2026 · Last updated: 13 June 2026

1. Who we are

AmDital(“we”, “our”, or “us”) operates the business operating platform available at https://amdital.comand the associated web application (the “Service”). We are the data controller for the personal data described in this policy.

Questions? Contact our Privacy team at privacy@amdital.com.

2. What data we collect

Account and identity data

When you register or invite team members, we collect: full name, email address, job title, profile photo (optional), and authentication credentials managed via Supabase Auth. We use this data to identify you within your workspace, send transactional emails, and provide access controls.

Workspace and business data

All content you create inside AmDital — CRM contacts, projects, tasks, invoices, HR records, documents, goals, and similar — is stored as workspace data. This data belongs to you; we process it only to operate the Service on your behalf.

Usage and telemetry data

We collect product usage events (pages visited, features used, button clicks) via PostHog to understand how the product is used and improve it. Events are pseudonymised and never include the content of your documents or messages.

Activity monitoring data (workspace opt-in)

If your workspace administrator enables the Activity Monitoring feature and you have given explicit consent, we may collect: active application windows, time-on-task measurements, and optional periodic screenshots. This data is never collected without explicit workspace-level consent and individual member awareness. See Section 6 for your opt-out rights.

Payment and billing data

Subscription payments are processed by Stripe. We store only the Stripe customer ID and subscription status — your full card details are never transmitted to or stored on our servers.

Technical and device data

Standard web server logs: IP address, browser type and version, operating system, referring URL, and timestamps. Logs are retained for 90 days and used solely for security monitoring and debugging.

3. How we use your data

Purpose	Lawful basis (GDPR Art. 6)
Provide and operate the Service	Contract performance (Art. 6(1)(b))
Send transactional emails (password reset, invites, billing receipts)	Contract performance (Art. 6(1)(b))
Process payments via Stripe	Contract performance (Art. 6(1)(b))
Product analytics and improvement via PostHog	Legitimate interests (Art. 6(1)(f)) — we minimise data and allow opt-out
Error monitoring via Sentry	Legitimate interests (Art. 6(1)(f))
Activity monitoring (opt-in only)	Consent (Art. 6(1)(a))
Compliance with legal obligations	Legal obligation (Art. 6(1)(c))
Security and fraud prevention	Legitimate interests (Art. 6(1)(f))

4. Data retention

Data type	Retention period
Workspace and business data	Duration of subscription + 30 days after cancellation
Account data	Duration of subscription + 30 days after cancellation
Web server / access logs	90 days
Activity monitoring logs	90 days from capture
Ami (AI assistant) conversation logs	1 year
Audit logs	1 year
Billing records (Stripe)	7 years (UK/EU legal requirement)
Data export files	30 days after export generation

After the retention period, data is automatically deleted via scheduled database jobs. Billing records are exempt from deletion as required by applicable tax law.

5. Third-party processors (sub-processors)

We share personal data only with the following processors, all bound by GDPR-compliant data processing agreements:

Processor	Purpose	Data location
Supabase	Database hosting and authentication	EU (AWS eu-west-1) or your selected region
Stripe	Payment processing	USA (SCCs apply)
Sentry	Error tracking and performance monitoring	USA (SCCs apply)
PostHog	Product analytics	EU (if EU Cloud selected) or USA
Vercel	Application hosting, CDN, serverless functions	Global edge (DPA in place)

Standard Contractual Clauses (SCCs) apply for all transfers outside the EEA/UK. We do not sell personal data to third parties or use it for advertising.

6. Your rights (GDPR)

Under the GDPR and UK GDPR, you have the following rights regarding your personal data. To exercise any of these rights, email us at privacy@amdital.com. We will respond within 30 days.

Right of access — request a copy of your personal data we hold.
Right to rectification — request correction of inaccurate data.
Right to erasure — request deletion of your personal data (subject to legal retention requirements).
Right to data portability — request a machine-readable export of your data. Use the workspace data export feature or email us.
Right to restrict processing — request that we restrict certain uses of your data while a dispute is resolved.
Right to object — object to processing based on legitimate interests (e.g. analytics). To opt out of PostHog analytics, contact us.
Right to withdraw consent — where processing is based on consent (activity monitoring), you may withdraw at any time via Workspace Settings → Privacy without affecting the lawfulness of prior processing.
Right to lodge a complaint — you may lodge a complaint with your national data protection authority (UK: ICO; EU: your national DPA).

7. Cookies

We use strictly necessary session cookies (set by Supabase Auth) and functional cookies for preferences. Analytics events are sent via PostHog's JavaScript library without a persistent tracking cookie by default. We do not use third-party advertising cookies.

8. Security

We implement the following technical and organisational measures to protect your data:

Encryption in transit: TLS 1.3 for all connections.
Encryption at rest: AES-256 via Supabase managed database encryption.
Row-Level Security (RLS) policies on all database tables — no cross-workspace data access.
Role-based access control with least-privilege principle.
All API endpoints authenticated via Supabase JWTs; no anonymous data access.
Continuous error and anomaly monitoring via Sentry.
Regular penetration testing and security audits.

In the event of a personal data breach we will notify affected workspace owners within 72 hours of becoming aware of it.

9. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.

10. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or by a prominent notice within the application at least 14 days before the change takes effect. The effective date at the top of this page will always reflect the latest version.

11. Contact

Data controller: AmDital
Privacy enquiries: privacy@amdital.com