This Privacy Policy explains how Amass Technologies ApS, VAT: 43657992 ("Amass", "we", "our", or "us"), a private limited company incorporated under the laws of Denmark with its principal office at Nordre Fasanvej 215, 2000 Frederiksberg, Denmark, collects, uses, stores, and shares personal data in connection with our website, subscription platform, and related business operations.
Amass is committed to protecting personal data and processing it in accordance with applicable data protection law, including the General Data Protection Regulation ("GDPR") (EU) 2016/679.
This Privacy Policy also explains your rights and how to exercise them.
For the avoidance of doubt, this Privacy Policy applies to the Amass website and subscription platform. It does not apply to the Amass API or separate API services, which may be subject to separate contractual, technical, privacy, and data processing terms.
1. Who We Are
Data Controller
Amass Technologies ApS
VAT: 43657992
Nordre Fasanvej 215
2000 Frederiksberg
Denmark
Email: privacy@amass.tech
2. Personal Data We Collect
a) Account and User Data
- Full name
- Email address
- Role (for example, user or administrator)
- Organization
- Account credentials and authentication-related data
- IP address
- Device, browser, and session identifiers
b) Payment and Billing Data
Payments are handled through Stripe or other payment providers. Amass receives limited billing and payment-related information, such as:
- Name associated with payment method
- Last four digits of payment card
- Card type and expiry date
- Payment status
- Transaction and billing metadata
Amass does not directly process or store full payment card details.
c) Usage, Analytics, and Log Data
- Login events
- Timestamps
- Session and activity logs
- Navigation and feature usage data
- Audit logs
- Error logs and monitoring data (for example via Sentry)
- Product and website analytics data (for example via PostHog and Google Analytics)
Analytics and telemetry may include pseudonymized event-level data, aggregated reporting, and other operational metrics used to monitor platform performance, security, reliability, and user experience.
d) Communication Data
- Messages, support requests, and related correspondence
- Responses submitted through forms or surveys
- Business communications sent through email and related collaboration tools
e) Customer-Submitted Content
Where users of the subscription platform upload or submit documents, files, notes, metadata, prompts, or other content, such content may include personal data provided by or on behalf of the customer.
3. How We Use Personal Data
We use personal data to:
- provide, operate, maintain, and secure our website and subscription platform;
- create and manage user accounts and organizations;
- authenticate users and administer access;
- process billing and payments;
- respond to inquiries, requests, and support issues;
- monitor performance, reliability, security, and usage of the website and subscription platform;
- improve the functionality, usability, and user experience of the website and subscription platform;
- comply with legal obligations; and
- send service-related communications.
For the subscription platform, customer-submitted content is processed only to provide, maintain, secure, support, and improve the subscription services in accordance with the applicable contract and documented customer instructions.
4. Legal Bases for Processing
Depending on the context, we process personal data on one or more of the following legal bases:
- performance of a contract;
- compliance with legal obligations;
- consent, where applicable;
- our legitimate interests, including maintaining and improving our services, ensuring security, preventing fraud, administering our business, and responding to customer inquiries.
Where we rely on legitimate interests, we assess that processing is necessary and balanced against the rights and freedoms of affected individuals.
5. Controller / Processor Roles
Amass acts as:
- Data Controller for personal data processed for website operations, account administration, billing, service analytics, security logging, communications, and our own business operations.
- Data Processor where customers use the Amass subscription platform to process, search, analyse, store, or retrieve customer-submitted content that may contain personal data.
Where Amass acts as a Data Processor, such processing is carried out on behalf of the relevant customer and in accordance with the applicable Data Processing Agreement ("DPA"), where relevant.
6. Use of AI-Powered Services
We use AI-powered functionalities as part of the subscription platform, including services made available through Microsoft Azure and other model providers or open-source models where relevant.
These functionalities may process text inputs, uploaded content, metadata, and related instructions submitted by users for purposes such as retrieval, search, summarisation, analysis, and response generation within the subscription platform.
For the subscription platform, customer-submitted content is not used for model training unless expressly agreed in writing.
Use of third-party model providers is subject to our contractual, security, and data protection controls, including applicable hosting, confidentiality, and data processing arrangements.
7. Sharing of Personal Data and Sub-Processors
We share personal data only where necessary for the operation of our website, subscription platform, and related business operations, including with the following categories of providers:
| Sub-Processor / Provider | Purpose | Region |
| ------------------------ | -------------------------------------- | ------------------ |
| Microsoft Azure | Hosting and infrastructure | EU |
| Sentry | Error monitoring and logging | EU/US |
| Google Workspace | Business communications and operations | EU/US |
| Google Analytics | Website analytics | EU/US |
| PostHog | Product analytics and event tracking | EU-hosted instance |
| Stripe | Payment processing | EU/US |
| WorkOS | Organization and user management | EU/US |
| Typeform | Forms and surveys | EU/US |
| Turbopuffer | Vector database for embeddings | EU |
| Langfuse | AI monitoring and logging | EU |
These providers are subject to contractual and data protection obligations, including data processing terms and transfer safeguards where applicable.
8. International Data Transfers
Primary customer content for the subscription platform is hosted in the European Union.
Some of our providers may process personal data outside the European Economic Area (EEA). Where that occurs, we rely on appropriate transfer mechanisms under applicable data protection law, including:
- adequacy decisions adopted by the European Commission; and/or
- Standard Contractual Clauses ("SCCs") approved by the European Commission, together with any supplementary measures we consider appropriate in the circumstances.
9. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including:
- for as long as an account remains active;
- for the duration of the relevant customer relationship or contract;
- for as long as necessary to comply with legal, tax, accounting, regulatory, or dispute-resolution obligations; and
- until consent is withdrawn, where processing is based on consent.
Customer-submitted data in the subscription platform is generally retained for the duration of the applicable contract and deleted within thirty (30) days following termination, unless otherwise agreed in writing or required by applicable law.
10. Your Rights
Subject to applicable law, you may have the right to:
- access your personal data;
- rectify inaccurate or incomplete personal data;
- request erasure of personal data;
- request restriction of processing;
- object to processing;
- request data portability; and
- lodge a complaint with a competent supervisory authority.
To exercise your rights, please contact us at: privacy@amass.tech
Where Amass acts solely as a Data Processor on behalf of a customer, we may need to refer your request to the relevant customer as the responsible Data Controller.
11. Security
Amass implements appropriate technical and organizational measures designed to protect personal data, including:
- encryption in transit and at rest;
- role-based access controls;
- multi-factor authentication for administrative access;
- logging and monitoring;
- regular security reviews; and
- incident response procedures.
No system can be guaranteed to be completely secure, but we take reasonable measures designed to protect the confidentiality, integrity, and availability of personal data.
12. Cookies and Tracking Technologies
We use cookies and similar technologies on our website and, where relevant, in our services to:
- authenticate users;
- remember preferences;
- monitor usage, performance, and reliability; and
- improve user experience.
Where required by applicable law, we ask for consent before placing non-essential cookies or similar technologies. You can manage cookie preferences through our cookie banner, browser settings, or other controls made available to you.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through our website, the subscription platform, or by email where appropriate.
The updated version will apply from the date stated at the top of this Privacy Policy.
14. Contact
If you have any questions about this Privacy Policy or our processing of personal data, please contact:
Amass Technologies ApS
Nordre Fasanvej 215
2000 Frederiksberg
Denmark
Email: privacy@amass.tech