← Back to home

Privacy Policy

Last updated: March 2026

Amendly (amendly.eu) is committed to protecting your personal data. This Privacy Policy explains what data we collect, why, how long we keep it, and your rights under the General Data Protection Regulation (GDPR — Regulation EU 2016/679).

1. Data controller

The data controller is athcode. Contact: [email protected]. You have the right to lodge a complaint with your national data protection authority.

2. Data we collect

We collect: the email address and name you provide during sign-up; optional profile information (company, job title, avatar URL) you choose to add; the content you create or upload (documents, amendments, comments, reactions); technical metadata (IP address, browser type, timestamps) used to secure the service and enforce rate limits; per-organisation activity logs (timestamped action records retained for the duration of the subscription); and, if you consent, aggregate usage analytics via Plausible Analytics (see section 5).

3. Legal basis and purpose

We process your data on the basis of contract performance (to provide the Amendly service), legitimate interests (security, fraud prevention, service improvement), and — for analytics — your explicit consent.

4. Data retention

Account data is anonymised immediately when you request account deletion (right to erasure). Per-organisation activity logs are retained for the duration of the active subscription. Billing records are retained for 10 years as required by French accounting law. Anonymous contributor data (name, email) is deleted automatically when the document it is attached to is deleted (immediate cascade). Waitlist email addresses are retained until the public launch of the platform or until you request deletion.

5. Analytics

If you accept cookies, we load Plausible Analytics to measure aggregate traffic. Plausible does not use cookies, does not fingerprint individual users, and does not share data with third parties. No analytics script is ever loaded if you decline or have not yet made a choice.

6. Third-party processors

We use: Hetzner Online GmbH (infrastructure hosting — Germany); Stripe Inc. (payment processing — United States, covered by EU SCCs); Resend Inc. (transactional email — United States, covered by EU SCCs); Google LLC (OAuth authentication — United States, covered by EU SCCs); Cloudflare Inc. (anti-bot protection via Turnstile — United States, covered by EU SCCs). The full list and applicable safeguards are set out in Annex A of our DPA (amendly.eu/legal/dpa). Each processor is bound by a Data Processing Agreement.

7. Your rights

Under GDPR you have the right to access, rectify, erase, restrict processing of, and port your personal data. You may also object to processing and withdraw consent at any time. To exercise these rights, email [email protected]. We will respond within 30 days.

8. Cookies

We use a single essential session cookie to keep you signed in. No analytics or advertising cookies are set without your consent. You can withdraw consent at any time by clicking 'Decline' in the cookie banner.

9. Data transfers

Your data is hosted in Germany (Hetzner). We do not transfer personal data outside the European Economic Area. If a future processor is located outside the EEA, we will ensure an appropriate safeguard (e.g. Standard Contractual Clauses) is in place.

10. Changes to this policy

We may update this policy to reflect changes in law or our practices. We will notify you by email of material changes. The 'Last updated' date at the top of this page reflects the latest revision.

11. Anonymous contributors (public link)

When an organisation enables public contributions, people submitting an amendment via a contribution link may optionally provide their name and email address. This data is collected on behalf of the client organisation, which acts as data controller. Amendly deletes this data automatically when the document it is attached to is deleted (immediate cascade). Contributors wishing to exercise their rights (access, rectification, early erasure) may email [email protected] specifying their email address and the document concerned.

12. Waitlist

Email addresses collected through the waitlist sign-up form are processed on the basis of explicit consent (opt-in). They are used solely to notify you of the platform launch. You may withdraw consent and request deletion at any time by emailing [email protected]. This data is deleted at the public launch of the platform or on request.

13. Amendly as a data processor

When you use Amendly to process personal data of third parties (members, external contributors, invitees), you are the data controller and Amendly is your data processor under Article 28 GDPR. Our Data Processing Agreement (DPA), accessible at amendly.eu/legal/dpa, sets out the mutual obligations, the list of authorised sub-processors, and the applicable safeguards for transfers outside the EEA.

Contact

Data protection questions? Email [email protected].