GDPR commitment
Ambrose is committed to handling personal data in line with the EU and UK General Data Protection Regulation (GDPR). This page explains our roles, the rights available to individuals, and how to exercise them. See also our Privacy Policy, Compliance, and Sub-processors.
Our role
For personal data our customers put into Ambrose to run their agency, the customer is the data controller and Ambrose acts as a processor, processing that data only on the customer’s documented instructions. For the limited data we collect to run our own business (for example account and billing details), Ambrose is the controller.
Your rights
Subject to the GDPR, individuals may request to:
- Access the personal data we hold about them;
- Correct inaccurate or incomplete data;
- Delete their data (“right to erasure”);
- Restrict or object to certain processing;
- Receive their data in a portable format;
- Withdraw consent where processing is based on consent.
If your data was provided to Ambrose by one of our customers (an agency), we will refer your request to that customer as the controller, and support them in fulfilling it.
Legal bases
We process personal data on the bases of performing our contract with you, our legitimate interests in operating and securing the service, your consent (where applicable, such as optional cookies), and compliance with legal obligations.
Data transfers
Ambrose hosts data in the United States on AWS. Where personal data is transferred from the EU/UK, we rely on appropriate safeguards such as the Standard Contractual Clauses. Protected health information is redacted and pseudonymized by our PHI Rail before any request reaches a destination not covered by a Business Associate Agreement.
Data Processing Agreement
A Data Processing Agreement (DPA), including SCCs and our current sub-processor list, is available to customers on request.
Retention & deletion
We retain personal data only as long as needed to provide the service or as required by law, and delete it in line with our retention and removal policy when an account is closed or a valid deletion request is completed.
How to make a request
Email privacy@hiambrose.com with your request and enough detail for us to verify your identity. We respond within the timeframes required by the GDPR. You also have the right to lodge a complaint with your local supervisory authority.