Privacy Policy

Amplify IT Outsourcing operates the Amplify ATS platform, an AI-powered Applicant Tracking System (“ATS”) and related services available at amplifyit.io and its subdomains. Amplify acts as a data controller with respect to personal data processed for its own legitimate business purposes, and as a data processor on behalf of Tenant organizations (“Customers”) that use the platform to manage their own candidate and employee data.

Our registered contact address for privacy matters: privacy@amplifyit.io

We collect information in three principal ways:

2.1 Information You Provide Directly

• Account registration: name, work email address, company name, role.
• Billing and subscriptions: payment method details processed through Stripe (we do not store raw card numbers).
• Support and communications: messages you send to our support team or via email.
• Candidate data uploaded by Customers: CVs, cover letters, assessments, interview notes, and any other recruitment materials. Amplify processes this data strictly on behalf of the Customer.

2.2 Information Collected Automatically

• Log data: IP address, browser type, operating system, referring URLs, pages viewed, and timestamps, collected via server logs and Google Analytics.
• Session and authentication tokens: encrypted session identifiers used to maintain authenticated sessions.
• Usage telemetry: feature interactions, page transitions, and error reports used to improve the product.

2.3 Information from Third-Party Integrations

• OAuth integrations (LinkedIn, Google, Slack): when you authorize a connection, we receive only the data scopes you explicitly authorize (see § 6 for LinkedIn-specific disclosures).
• Google Identity Platform: authentication tokens and basic profile information (name, email) used solely for sign-in.

We use the information we collect to:

We do not sell personal data to third parties. We do not use candidate data submitted by Customers to train general-purpose AI models.

For individuals in the European Economic Area (EEA), United Kingdom, Switzerland, or Brazil, we rely on the following legal bases under the GDPR and LGPD:

Where we rely on legitimate interests, you may object to such processing at any time by contacting privacy@amplifyit.io.

We share personal data only in the circumstances described below. All third-party processors are bound by contractual data processing agreements.

We may disclose information if required by law, court order, or government authority, or to protect the rights, property, or safety of Amplify, its Customers, or the public.

In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred as part of that transaction. We will notify affected users via email or a prominent notice on our platform.

Amplify ATS integrates with the LinkedIn Marketing API to allow Customers to post jobs directly to LinkedIn and manage organization-level social content. This integration requires OAuth 2.0 authorization from an authorized LinkedIn Page Admin.

Data We Access via LinkedIn OAuth

• Organization identity (company URN, page name) — used to attribute job postings to the correct LinkedIn Company Page.
• Organization social actions (post creation, scheduling) — used solely to publish job listings on your behalf.
• Organization admin status — verified to confirm the authorizing user has the right to act on behalf of the organization.

What We Do Not Access

We do not access individual member profiles, personal connections, messages, endorsements, or any LinkedIn member data beyond the organization-level scopes listed above.

How OAuth Tokens Are Stored

Access tokens obtained via LinkedIn OAuth are encrypted at rest in our Cloud SQL database (AES-256) and are transmitted exclusively over TLS 1.2+. Tokens are scoped to the authorizing Customer's organization and are never shared across tenants.

Revoking Access

You may disconnect the LinkedIn integration at any time from your Amplify ATS Marketplace settings. Revoking access immediately invalidates the stored token and removes all associated LinkedIn credentials from our system. You may also revoke access directly from your LinkedIn account under Settings & Privacy → Data privacy → Permitted services.

We retain personal data for as long as necessary to fulfill the purposes described:

After the applicable retention period, data is securely deleted or irreversibly anonymized. Customers may request earlier deletion at any time by contacting us at privacy@amplifyit.io.

We apply industry-standard technical and organizational security measures to protect your data, including:

• TLS 1.2+ for all data in transit.
• AES-256 encryption for sensitive data at rest in Cloud SQL and Secret Manager.
• Multi-tenant row-level isolation — each Customer's data is logically separated at the database level.
• Role-based access controls (RBAC) with Google Identity Platform; all admin routes require authenticated sessions.
• Automated dependency scanning, SAST pipeline checks, and regular security reviews.
• GCP VPC with private connectivity between application tiers.

No method of transmission or storage is 100% secure. In the event of a data breach affecting your personal data, we will notify affected individuals and applicable supervisory authorities within the timeframes required by applicable law (72 hours under GDPR Article 33).

Amplify's infrastructure is hosted on Google Cloud Platform, with primary regions in the United States (us-central1). Data may be transferred to and processed in countries outside your country of residence.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the EU Standard Contractual Clauses (SCCs) as the lawful transfer mechanism, as incorporated into our Data Processing Agreement (DPA) with Customers. A copy of our DPA is available upon request at privacy@amplifyit.io.

For Brazilian users, transfers outside Brazil are governed by the LGPD (Lei 13.709/2018) and rely on contractual safeguards equivalent to those required by ANPD.

Depending on your jurisdiction, you have the following rights regarding your personal data. To exercise any of these rights, contact privacy@amplifyit.io. We will respond within 30 days (or 72 hours for breach notifications under GDPR).

If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, the relevant EU DPA, or the ANPD in Brazil).

The Amplify ATS platform is intended exclusively for business use by adults 18 years of age or older. We do not knowingly collect personal data from individuals under 18. If we become aware that we have collected data from a minor, we will delete it promptly. If you believe a minor has submitted data through our platform, please contact us immediately at privacy@amplifyit.io.

We use the following categories of cookies and similar technologies:

You may manage cookie preferences through your browser settings or our cookie consent banner. Disabling strictly necessary cookies will impact platform functionality.

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or applicable law. We will notify you of material changes by:

• Posting a prominent notice on the platform at least 30 days before the changes take effect.
• Sending an email notification to the registered email address of account holders.

Your continued use of the platform after the effective date of a revised policy constitutes acceptance of the changes. If you do not agree with a material change, you may terminate your account before it takes effect.

For privacy inquiries, data subject requests, Data Processing Agreement requests, or to report a potential security issue:

We aim to respond to all privacy requests within 5 business days for acknowledgment and within 30 calendar days for resolution (with a possible 60-day extension for complex requests, as permitted by applicable law).