Amplitude and Data Protection – What Belongs in the Privacy Policy

Compact guide to Amplitude: data processed, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

Amplitude data protection is a central topic for website operators using the product analytics platform from Amplitude Inc. (USA). This guide shows what data Amplitude processes, on what legal basis this is done and what belongs in the privacy policy.

A. Purpose and Function of Amplitude

Amplitude is a product analytics platform that offers extensive data collection and analysis features:

  • Event Tracking: Recording specific user interactions (clicks, form submissions, downloads, purchases)
  • User Journeys: Tracking complete user journeys across multiple touchpoints
  • Cohort Analysis: Segmentation and analysis of user groups
  • Experimentation: A/B tests and user-based experiments
  • Session Replay (optional): Recording of user sessions with interaction data

Integration is done via JavaScript SDK (web), mobile SDKs (iOS/Android) or server APIs. Amplitude enriches recorded events with context (timing, device info, user properties) and makes them available in real time or in batches.

B. Mandatory Disclosures in the Privacy Policy when Using Amplitude

Pursuant to Art. 13 GDPR, websites must provide the following information in their privacy policy:

  1. Name and contact of the controller (website operator)
  2. Processing purposes (product analytics, user profile creation, product improvement)
  3. Legal bases (consent, balancing of interests)
  4. Recipients of the data (Amplitude Inc., possibly sub-contractors)
  5. Retention period (depending on Amplitude configuration, typically 12-36 months)
  6. Data subject rights (access, rectification, erasure, objection)
  7. Notice of third-country transfer (USA, DPF status, SCCs)
  8. Information on cookie consent management (Section 25 TDDDG)

A pure "text-template-per-tool" approach is unsatisfactory from a data protection perspective. Websites should instead choose a consistent, user-friendly structure that summarises all tracking tools.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Amplitude

Provider: Amplitude Inc., San Francisco, CA, USA
Website: https://amplitude.com
Privacy Policy: https://amplitude.com/privacy
DPA signing: Required, available at https://amplitude.com/dpa

Data Privacy Framework status

Amplitude is self-certified under the EU-US Data Privacy Framework (DPF) and the UK extension to the EU-US DPF. The certification is administered by the U.S. Department of Commerce. This provides a legal basis for data transfers from the EU/UK to the USA.

EU Data Residency

Amplitude offers an optional EU data storage in Frankfurt (AWS EU-Frankfurt). This physically isolated, GDPR-compliant infrastructure enables:

  • Data ingestion, storage and analysis within the EU
  • ISO 27001 and SOC 2 Type II certification
  • Reduction of third-country transfer requirements

D. Data Processing – Sequence in Steps

Step 1: Collection

Amplitude JavaScript SDK, mobile SDKs or server APIs record events on user interaction.

Step 2: Enrichment

Events are enriched with context: user ID, device ID, session ID, browser info, coarse location, referrer, UTM parameters.

Step 3: Storage

Data is stored in Amplitude infrastructure (USA AWS or optionally EU Frankfurt).

Step 4: Use & Analysis

Website operators use the Amplitude dashboard for analysis, segmentation and experimentation.

Step 5: Disclosure to sub-contractors

Amplitude uses sub-processors (AWS, Google Cloud and others) for storage and processing; see https://amplitude.com/subprocessor-list.

Step 6: Erasure

Data is deleted or anonymised according to configured retention policies.

E. Data Collected by Amplitude

Amplitude collects the following data classes:

Web server log data

  • IP address (anonymised, where so configured)
  • User agent, browser type and version
  • Access timestamp

Click paths & event data

  • Individual clicks, form submissions, page views
  • Download and conversion events
  • Custom events (instrumented specifically for the website)

Device and browser information

  • Device type (desktop, mobile, tablet)
  • Operating system
  • Screen resolution
  • Browser and plugins

Coarse location data

  • Country, region (coarse geographical resolution only)
  • No real-time geolocation unless explicitly instrumented

Referrer & UTM parameters

  • Origin URL
  • Marketing parameters (utm_source, utm_campaign etc.)

User profiles (User Properties & Cohorts)

  • Custom user attributes (defined by website operator)
  • Segment membership (cohorts)
  • Automatically generated user ID (Amplitude hash)

Interaction data (with optional Session Replay)

  • Recording of mouse movements, clicks, keyboard inputs
  • Particularly sensitive data; separate consent recommended

F. Purposes of Use

Amplitude is generally used for the following purposes:

General product improvement

  • Understanding user behaviour
  • Error detection (error tracking)
  • Analysis of feature usage

User-individual product improvement

  • Carrying out A/B tests
  • Personalisation (cohort-based)
  • UX optimisation for specific user groups

User profile building

  • Creating aggregated user profiles
  • Segmentation and cohort analysis
  • Predictive models (churn prediction, LTV modelling)

User-individual marketing (with restrictions)

  • Audience segmentation for remarketing
  • Behavioural targeting
  • Conversion optimisation

1. Categorisation: Tracking / Statistics / Product Analytics

Amplitude primarily falls under tracking for statistics and optimisation, not under strictly necessary cookies (ePrivacy Directive) or functional cookies.

Option A: Consent (Art. 6(1)(a) GDPR + Section 25(1) TDDDG)

  • Required for non-essential cookies and tracking pixels
  • Consent banner before SDK initialisation
  • Clear consent that can be revoked at any time
  • Granular for multiple tracking tools possible

Option B: Legitimate interest (Art. 6(1)(f) GDPR)

  • Legally controversial; only defensible for low-intrusiveness tracking
  • Balancing of interests and documented risk assessment required
  • Opt-out option necessary
  • Not suitable for intensive tracking scenarios
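The consent requirements of Option A (no SDK initialisation before consent, revocable at any time), the opt-out of Option B, the IP anonymisation from section E and the EU residency option, implemented as a small consent gate. This is an added example and not code from Amplitude or matterius; the SDK object is injected, and the method names `init`/`track`/`setOptOut`/`reset` and the options `serverZone`, `trackingOptions` and `defaultTracking` are assumed to match the `@amplitude/analytics-browser` package and should be checked against its documentation.

```javascript
// Added example (not Amplitude's own code): a consent gate that leaves the SDK
// uninitialised until consent exists, honours revocation via opt-out, disables
// IP collection, and forwards only allow-listed event properties.
// `sdk` is injected so the gate runs offline; the method names init/track/
// setOptOut/reset and the options serverZone/trackingOptions/defaultTracking
// are assumed to match @amplitude/analytics-browser (verify against its docs).
function buildInitOptions(euResidency) {
  return {
    serverZone: euResidency ? 'EU' : 'US',  // EU Data Residency (Frankfurt) if booked
    trackingOptions: { ipAddress: false },  // never transmit the IP address
    defaultTracking: false,                 // only explicitly instrumented events
  };
}

// Client-side allow-list: properties not listed are stripped before leaving the browser.
const ALLOWED_PROPS = new Set(['page', 'feature', 'plan', 'variant']);

function filterProps(props) {
  const out = {};
  for (const [k, v] of Object.entries(props)) {
    if (ALLOWED_PROPS.has(k)) out[k] = v;
  }
  return out;
}

function createConsentGate(sdk, apiKey, { euResidency = false } = {}) {
  let state = 'pending'; // 'pending' | 'granted' | 'denied'
  return {
    // Without consent nothing is sent and the SDK is never initialised.
    track(eventName, props = {}) {
      if (state !== 'granted') return 'dropped';
      sdk.track(eventName, filterProps(props));
      return 'sent';
    },
    // Called by the consent banner once the user opts in.
    grant() {
      if (state === 'granted') return false;
      sdk.init(apiKey, buildInitOptions(euResidency)); // the only place init runs
      sdk.setOptOut(false);
      state = 'granted';
      return true;
    },
    // Revocation: opt the SDK out and discard the device/user identity it holds.
    revoke() {
      if (state === 'granted') { sdk.setOptOut(true); sdk.reset(); }
      state = 'denied';
    },
    state: () => state,
  };
}
```

Wire `grant()` and `revoke()` to the consent banner's accept and withdraw actions; the allow-list keeps fields such as e-mail addresses out of event properties even if a developer passes them by mistake.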

3. Third-country transfer (USA)

Data Privacy Framework (DPF)

  • Amplitude is DPF-certified
  • Provides a legal basis for transfers from the EU to the USA
  • Should be mentioned in privacy policy

Standard Contractual Clauses (SCCs)

  • Alternative to DPF as transfer mechanism
  • Amplitude provides DPA with SCCs

EU Data Residency option

  • Reduces third-country transfer requirements
  • Optionally available for an additional fee
  • Stores data in Frankfurt (AWS EU)

H. Special Features and Notes on Amplitude

  • Data Processing Addendum (DPA): Amplitude provides a DPA for website operators (https://amplitude.com/dpa). This is a prerequisite for GDPR compliance.
  • Sub-processors: Amplitude uses AWS and Google Cloud depending on the region; current list available at https://amplitude.com/subprocessor-list.
  • EU Hosting option: Those who must enforce data residency in the EU can upgrade to Amplitude's Frankfurt data centre.
  • Data masking & anonymisation: Amplitude offers functions to mask sensitive data fields.
  • Opt-out mechanisms: Website operators should provide user opt-out links (Amplitude Community: https://community.amplitude.com/).
  • Certifications: Amplitude holds SOC 2 Type 2, ISO 27001 and ISO 27018 certifications.
  • Verify DPF status: Current status available at https://www.dataprivacyframework.gov.

I. Frequently Asked Questions (FAQ)

J. Conclusion and CTA

Amplitude is a powerful product analytics platform that, with correct configuration and documentation, can be used in a GDPR-compliant manner. The key lies in:

  1. Transparent consent (cookie banner, Section 25 TDDDG)
  2. Complete privacy policy (Art. 13 GDPR)
  3. Signed DPA with Amplitude
  4. Documented legal-basis assessment (consent or balancing of interests)
  5. Verification of sub-processor status (https://amplitude.com/subprocessor-list)
  6. Optional: EU Data Residency, to reduce third-country transfer requirements

Disclaimer: This article does not constitute legal advice. A verifiable privacy policy should be coordinated with a data protection officer or data protection lawyer. The GDPR is constantly being interpreted by decisions of the CJEU and national authorities.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
