AMPLIFiCAM GDPR and Data Protection Commitment

GDPR - General Data Protection Regulation

Introduction

AMPLIFiCAM is a service provided by 1908268 ONTARIO INC. (d/b/a AMPLIFi Inc.) and is committed to protecting personal data and supporting the highest standards of privacy and security.

This page explains how AMPLIFiCAM complies with the EU General Data Protection Regulation (GDPR), how personal data is processed within our systems, and the respective responsibilities of AMPLIFiCAM and our customers.

AMPLIFiCAM acts as a Data Processor. Our customers, including sports teams, leagues, event organizers, and venues, act as Data Controllers. Personal data processed through AMPLIFiCAM belongs to our customers. We process that data only on documented instructions from the Data Controller and only for the purposes of delivering our services and meeting our obligations under applicable data protection laws.

Roles and Definitions

For the purposes of this page and as used in our internal policies and Data Processing Agreement:

  • Data Controller means the customer (for example, a team, league, venue, or event organizer) that determines the purposes and means of processing personal data.
  • Data Processor means AMPLIFiCAM and refers to our role in processing personal data on behalf of the Data Controller.
  • Personal Data means any information relating to an identified or identifiable individual. Examples include email address, age, gender, and unique identifiers.
  • Processing means any operation performed on personal data. Examples include collection, recording, storage, retrieval, transmission, or deletion.
  • Data Subject means the individual whose personal data is being processed.
  • Subprocessor means any third party engaged by AMPLIFiCAM to process personal data on behalf of the Data Controller.

These definitions are consistent with GDPR terminology and our internal Data Protection Policy and Data Processing Agreement.

Lawful, Fair, and Transparent Processing

AMPLIFiCAM processes personal data lawfully, fairly, and in a transparent manner.

  • All processing activities are documented in our internal Register of Systems, which is reviewed at least annually.
  • The Data Controller is responsible for determining the appropriate lawful basis for processing personal data (for example, contract, consent, or legitimate interests) and for providing necessary notices to Data Subjects.
  • AMPLIFiCAM processes personal data only on documented instructions from the Data Controller, except where required to do so by applicable law. In such cases, we inform the Data Controller unless prohibited by law.

We do not use personal data for our own independent purposes and we do not sell personal data.

Purpose and Scope of Processing

AMPLIFiCAM processes personal data only to:

  1. Provide the AMPLIFiCAM system and related services in accordance with their design and functionality and the underlying agreement with the Data Controller.
  2. Enable user-initiated actions such as receiving photos, branded clips, or notifications.
  3. Support Data Controllers in meeting their obligations under applicable data protection laws, including assistance with data subject requests, audits, and impact assessments where required.

The categories of personal data processed are determined by the Data Controller and may include information such as email address, age, gender, language preferences, and other similar identifiers necessary to provide the AMPLIFiCAM experience.

We do not process personal data for purposes other than those instructed by the Data Controller.

Data Minimization and Accuracy

In line with our Data Protection Policy:

  • We require that personal data processed through AMPLIFiCAM be adequate, relevant, and limited to what is necessary for the purposes defined by the Data Controller.
  • We support the Data Controller in keeping personal data accurate and up to date by enabling correction and update of information and by assisting with data subject requests for rectification.

Data Retention and Data Deletion

AMPLIFiCAM retains personal data only for as long as necessary to fulfill the purposes defined by the Data Controller or as required by applicable law.

  • Retention periods are determined by the Data Controller and documented in our internal Register of Systems and related archiving practices.
  • Upon termination of the underlying services agreement, or upon written instruction of the Data Controller, AMPLIFiCAM will delete, return, or otherwise securely dispose of personal data in accordance with the Data Controller's instructions and applicable data protection laws.
  • When data is deleted, AMPLIFiCAM uses methods designed to make the data irrecoverable, consistent with our Data Protection Policy.

For seasonal or tournament-based customers, the Data Controller may instruct AMPLIFiCAM to delete personal data at the end of the season or tournament. AMPLIFiCAM will comply with such instructions and can also delete data earlier on request from the Data Controller.

Confidentiality

AMPLIFiCAM treats all personal data as strictly confidential.

  • Employees, contractors, and authorized subprocessors who may access personal data are subject to confidentiality obligations, including confidentiality agreements or statutory duties of confidentiality.
  • Access to personal data is limited to personnel who need access for legitimate operational purposes and who are authorized under internal policies.
  • No AMPLIFiCAM personnel may access personal data unless required to perform their duties, and such access is logged and controlled.

Security Measures

AMPLIFiCAM implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Storing personal data on modern, regularly updated systems.
  • Limiting access to personal data to authorized personnel only, based on role and operational need.
  • Using encrypted channels for data transmission between customers and AMPLIFiCAM, including Transport Layer Security (TLS) for communications.
  • Using dedicated, encrypted links for replication of user data between data centers.
  • Maintaining user access logs that record key activity for security and audit purposes.
  • Generating customer passwords randomly and storing them using a one-way salted hash. AMPLIFiCAM personnel do not have access to plaintext passwords.
  • Maintaining backup and disaster recovery procedures to enable timely restoration of personal data where needed.
  • Operating a security program that includes regular review of vulnerabilities and periodic assessments of the effectiveness of our technical and organizational security measures.

We also leverage the security and compliance posture of Amazon Web Services (AWS), including data center physical security and certifications made available by AWS, as described in our Information Security Policy.

Incident Management and Breach Notification

AMPLIFiCAM maintains written incident management procedures.

If AMPLIFiCAM becomes aware of any actual or suspected unauthorized access, disclosure, or other security incident affecting personal data:

  • We will notify the relevant Data Controller without undue delay, using the contact details specified in our agreement or DPA.
  • We will provide information reasonably available to us to help the Data Controller assess the impact of the incident and meet any applicable reporting obligations to supervisory authorities and Data Subjects.
  • We will cooperate with the Data Controller in investigating and remedying the incident, in accordance with our Data Processing Agreement and applicable Data Protection Laws.

Subprocessors

AMPLIFiCAM may engage a limited number of trusted third parties as subprocessors to support the delivery of our services.

Subprocessors are permitted to process personal data only to provide specific services to AMPLIFiCAM and only in accordance with written agreements that impose data protection obligations that are no less protective than those set out in our Data Processing Agreement.

Current subprocessors include:

  1. Amazon Web Services (AWS)
    Cloud infrastructure and hosting provider used for storage and processing of personal data as part of the AMPLIFiCAM system.
  2. SendGrid
    Email delivery service used to send transactional emails and notifications initiated through the AMPLIFiCAM system, where configured by the Data Controller.
  3. Google Workspace (including Gmail and Google Drive)
    Used for internal business operations and secure handling of files that may contain customer-related information, where necessary and appropriate.
  4. Google Maps
    Used to provide location-related features in customer-facing interfaces, where enabled by the Data Controller.
  5. Runpod
    Infrastructure provider used for GPU-based image processing tasks, where configured by the Data Controller for image enhancement or related processing.
  6. Replicate
    Service provider used for certain image processing and machine learning model execution tasks, where configured by the Data Controller.

AMPLIFiCAM remains responsible to the Data Controller for the actions of its subprocessors in accordance with our Data Processing Agreement. If AMPLIFiCAM adds or materially changes subprocessors that process personal data, we will do so in accordance with our contractual and legal obligations, including any required notifications to Data Controllers.

Data Subject Rights

Data Subjects have rights under GDPR and other applicable Data Protection Laws. These rights include:

  • Right of access to personal data.
  • Right to rectification of inaccurate or incomplete personal data.
  • Right to erasure of personal data in appropriate circumstances.
  • Right to restriction of processing in specific situations.
  • Right to data portability, where applicable.
  • Right to object to certain types of processing, including processing based on legitimate interests, where applicable.
  • Right to lodge a complaint with a Data Protection Authority.

AMPLIFiCAM supports Data Controllers in fulfilling these rights:

  • Data Subjects may submit requests directly to the Data Controller that collected their data, or may contact AMPLIFiCAM using the contact information below.
  • When a request is received, AMPLIFiCAM will verify the request as appropriate and will either respond directly where we act as Data Controller, or will coordinate with the relevant Data Controller where we act as Data Processor.
  • AMPLIFiCAM will provide reasonable assistance to Data Controllers to respond to data subject requests within the timelines required by applicable Data Protection Laws. Our internal procedure aims to complete requests within 30 days where possible.

In some cases, legal or contractual requirements may limit our ability to fully comply with a request. Where a request cannot be fulfilled, the Data Controller or AMPLIFiCAM, as appropriate, will explain the reason to the Data Subject.

AMPLIFiCAM does not fulfill Data Subject requests on its own initiative when acting purely as Data Processor, except where instructed or authorized by the relevant Data Controller or required by law.

International Data Transfers

Where personal data originating from the European Economic Area is processed outside the EEA, AMPLIFiCAM will ensure that such transfers comply with applicable Data Protection Laws.

  • AMPLIFiCAM will inform the Data Controller of any planned transfers of personal data to a country without an adequate level of protection as defined by applicable law and will only proceed with such transfers when authorized by the Data Controller and when appropriate safeguards are in place.
  • Where required, AMPLIFiCAM will rely on suitable legal mechanisms and safeguards, such as contractual clauses or other measures recognized under applicable Data Protection Laws, to protect personal data transferred internationally.
  • If any legal mechanism relied upon for data transfers is modified, revoked, or held invalid, AMPLIFiCAM will cooperate in good faith with the Data Controller to implement an alternative lawful mechanism or to discontinue the affected transfers where necessary.

Cooperation, Support, and Audits

AMPLIFiCAM will provide Data Controllers with information necessary to demonstrate compliance with our obligations as a Data Processor under GDPR and other applicable Data Protection Laws.

  • Upon written request and with reasonable notice, AMPLIFiCAM will permit audits or assessments related to data protection and security, subject to confidentiality commitments and practical limitations, as described in our Data Processing Agreement.
  • AMPLIFiCAM will provide reasonable assistance to Data Controllers, where required by law, with:
    • Data Protection Impact Assessments.
    • Prior consultations with supervisory authorities when processing activities present high risks to Data Subjects.

Contact Information

If you have questions about AMPLIFiCAM's GDPR compliance or data protection practices, or if you wish to initiate a Data Subject Request or exercise other privacy rights, please contact:

Email: privacy@amplificam.com
Attention: Data Protection Officer

We are committed to responding promptly and to supporting our customers in meeting their privacy and data protection obligations.