AMP Privacy Notice for Authorised Users
This Privacy Notice explains how Jam 7 Limited collects, uses, shares and protects personal data about authorised users of AMP.
Last updated: 18 May 2026 · Version: 2026-05-18
1. Introduction
This Privacy Notice explains how Jam 7 Limited, referred to in this notice as Jam 7, we, us or our, collects, uses, shares and protects personal data about individuals who access or use AMP as authorised users.
AMP is Jam 7's Agentic Marketing Platform®. It is a software service used by marketing teams to plan, generate, review and manage marketing work.
AMP is designed for use by authorised business users within business-to-business marketing and commercial workflows.
AMP is designed to support human-led marketing and commercial workflows and is not intended to operate autonomously without user review.
This notice should be read together with any applicable customer agreement, data processing terms, cookie notice, AI processing notice and terms of use for AMP.
2. Our Role
Jam 7 acts as controller for the authorised user account, authentication, security, support, service communication and platform usage data described in this notice.
Where AMP processes customer workspace content on behalf of an organisation, Jam 7 acts as processor for that organisation except where Jam 7 determines the purposes and means of processing under applicable law.
Customer workspace content may include prompts, briefs, uploaded files, extracted text, knowledge base material, campaign material, generated outputs and other content placed in an AMP workspace.
If your AMP account is provided by an organisation, that organisation may be the controller of some personal data contained in customer workspace content.
Requests about that content may need to be handled by, or coordinated with, the relevant organisation.
3. Contact Details
The controller for the personal data described in this notice is Jam 7 Limited, a company registered in England and Wales.
Jam 7 Limited is registered in England and Wales with its registered office at 101 New Cavendish Street, London W1W 6XH, United Kingdom.
Jam 7 Limited is registered with the UK Information Commissioner's Office under registration number C1936444.
Privacy, data rights, security and compliance enquiries should be sent to compliance@jam7.com.
If your request relates to an organisation workspace, please include the organisation name and the email address used for your AMP account. Do not include passwords, API keys or unnecessary sensitive information in your request.
4. Personal Data We Collect
Identity and account data. This may include your name, business email address, organisation, role, Auth0 user identifier, authentication method, organisation membership, access role and profile picture where supplied by your identity provider.
Authentication and security data. This may include login events, session identifiers, IP address, user agent, security alerts, failed login information, password reset events and similar data needed to operate and protect AMP.
Portal usage data. This may include pages and features accessed, navigation events, agent invocations, prompts submitted to AMP agents, outputs generated, error events, performance data, feedback submissions and support communications. Prompts and generated outputs may be accessed where reasonably necessary for service delivery, security, support, abuse prevention, legal compliance or where authorised by the relevant customer organisation. Access is limited to authorised personnel with a legitimate operational, support, security or compliance need.
Cookie and preference data. This may include essential session and preference storage, selected organisation, theme preference and analytics consent choices. Microsoft Clarity analytics is loaded only where analytics consent is granted.
AMP is not intended for the processing of special category data, payment card information, highly sensitive confidential information, children's data or other regulated data unless expressly authorised by Jam 7 in writing and supported by appropriate contractual, technical and organisational safeguards.
Users and customer organisations should minimise the personal data included in prompts, uploads and workspace content where reasonably possible.
5. Sources of Personal Data
We collect personal data directly from you when you sign in, use AMP, submit prompts, upload files, provide feedback or contact Jam 7.
We may receive personal data from your organisation when it invites, provisions or administers your AMP account.
We receive identity information from Auth0, Okta and supported identity providers such as Google or Microsoft where you choose social sign-in.
Where enabled or configured by your organisation or authorised users, AMP may process data from connected services such as Notion, HubSpot or other integrations used as part of the workspace.
6. How We Use Personal Data
We use personal data to provide, operate, maintain and secure AMP. This includes account creation, sign-in, session management, organisation access controls, feature delivery, AI-assisted workflows, support, service communications, security monitoring, audit evidence and platform administration.
We use authentication and security data to protect AMP, prevent misuse, investigate suspicious activity and maintain the confidentiality, integrity and availability of the service.
We use support and communications data to respond to enquiries, resolve issues, provide service notices and manage our relationship with users and customer organisations.
AMP is intended to support marketing and commercial content workflows for business users and is not designed for regulated decision-making or high-risk processing activities.
7. Lawful Bases
We rely on performance of a contract where processing is necessary to provide AMP to you or to the organisation that authorises your access.
We rely on legitimate interests where we operate, secure, support, administer, maintain and protect AMP, provided those interests are not overridden by your rights and freedoms.
We rely on legal obligation where processing is required for compliance, accounting, tax, regulatory, security or legal purposes.
We rely on consent where required, including for optional analytics cookies and any marketing communications that require consent.
Where AI processing involves personal data, Jam 7 processes that data in accordance with the lawful bases described in this section, including performance of a contract and legitimate interests in providing and maintaining AMP.
8. Cookies and Analytics
AMP uses essential cookies and browser storage for authentication, security, session continuity and product preferences. These are necessary for the service.
AMP uses Microsoft Clarity analytics and session replay technology only after you choose to accept analytics cookies. If you choose essential cookies only, AMP does not load the Clarity script from the application.
Users may change or withdraw analytics cookie preferences through the cookie preferences settings made available within AMP.
You can find more information in our Cookie Notice. Clearing browser site data resets your cookie choices.
9. Sharing Personal Data
We share personal data with service providers that help us operate AMP. These providers support hosting, identity, database services, vector search, logging, analytics, communications, support, integrations and AI routing.
Where applicable, these providers process personal data under contractual obligations relating to confidentiality, security and data protection.
We may share authorised user identity, role and limited usage information with the organisation that provides or administers your AMP workspace.
We may share personal data with professional advisers, regulators, authorities, investors or acquirers where required by law, for legal claims, under confidentiality obligations or as part of a corporate transaction.
We do not sell personal data. We do not share personal data for cross-context behavioural advertising.
10. Subprocessors and International Transfers
AMP uses service providers including AWS for hosting, Auth0 and Okta for identity, MongoDB for database services, Pinecone for vector search, Microsoft Clarity for analytics where consented, Notion and HubSpot where configured, and AI providers or routing services such as OpenRouter and downstream model providers.
Production application workloads are primarily hosted in the United Kingdom using AWS eu-west-2 infrastructure. Current Pinecone production indexes are hosted in an EU region.
Some service providers or model providers may process data outside the United Kingdom or the European Economic Area.
Where personal data is transferred internationally, Jam 7 relies on safeguards and transfer mechanisms recognised under applicable data protection law, including contractual protections and applicable adequacy regulations where appropriate.
Jam 7 seeks to implement contractual and technical measures intended to reduce unauthorised retention, training and onward use of customer data by service providers where applicable.
Jam 7 continues to review and enhance provider controls, configurations and transfer safeguards as part of its ongoing compliance programme.
11. AI Processing
AMP uses AI agents and language models to help users generate, analyse, review and improve marketing content.
Inputs sent to AI systems may include prompts, selected workspace context, uploaded or extracted text, knowledge base snippets, generated drafts and user instructions.
AI outputs may be inaccurate, incomplete or unsuitable for publication. AMP is designed as an assisted workflow tool. Users remain responsible for reviewing, editing and approving outputs before use.
Users and customer organisations remain responsible for determining whether AI-generated outputs are suitable for publication, distribution, commercial use or regulatory compliance.
AMP must not be used for medical, legal, financial, employment, credit, insurance or other decisions that have legal or similarly significant effects on individuals.
AMP does not make solely automated decisions about authorised users with legal or similarly significant effect.
Jam 7 seeks to implement contractual and technical measures intended to reduce unauthorised retention, training and onward use of customer data by service providers where applicable.
Jam 7 does not use Customer Content to train externally shared or publicly available general-purpose AI models unless expressly agreed with the relevant customer.
Users and customer organisations should minimise the personal data included in prompts, uploads and workspace content where reasonably possible.
12. Retention and Deletion
We keep personal data only for as long as reasonably necessary for AMP, customer instructions, security, audit evidence, legal obligations, backups and legitimate business purposes.
Different categories of personal data may be retained for different periods depending on customer configuration, operational, legal, security and contractual requirements.
Operational logs and infrastructure logs are subject to configured retention periods. Some uploaded content, chat records, generated content and workspace data may remain until deleted by the user, by the organisation, under a support request or under a retention policy where one applies.
Deletion requests are handled through Jam 7's data erasure processes. Some data may remain temporarily in backups, logs or audit records, or may be retained where required for legal, tax, accounting, fraud prevention or dispute purposes.
Jam 7 periodically reviews retention practices and may update retention periods or deletion workflows over time.
13. Security
Jam 7 uses technical and organisational measures appropriate to the nature of the service and the risks presented by the processing activities carried out through AMP.
These measures may include encrypted communications, access controls, authentication protections, logical access and organisational separation controls, deployment controls, logging safeguards and operational monitoring.
Auth0 protections may include brute force protections, suspicious IP protections and multi-factor authentication enforcement for administrative access patterns.
Jam 7 continues to develop and improve its security, auditability, retention and compliance controls over time.
14. Your Rights
Subject to the limits and exemptions in applicable law, you may have rights to access, correct, delete, restrict, export or object to processing of your personal data.
You may also have the right to withdraw consent where processing is based on consent and the right not to be subject to solely automated decisions with legal or similarly significant effect.
To exercise your rights, contact compliance@jam7.com. We may need to verify your identity.
Where the request concerns customer workspace content, we may need to coordinate with the relevant customer organisation.
In some cases, the relevant customer organisation may be responsible for responding to requests relating to customer workspace content.
We will respond within one calendar month where required by law, unless the request is complex or the requests are numerous. In those cases, the response period may be extended as permitted by law.
15. Children
AMP is intended for authorised business users and is not directed at children.
We do not knowingly collect personal data from children. If you believe a child has provided personal data to AMP, contact compliance@jam7.com so we can investigate and delete it where appropriate.
16. Changes to this Notice
We may update this notice from time to time. Where changes are material, we will take reasonable steps to notify authorised users, such as by email, in-product notice or publication of an updated notice.
The updated notice will take effect from the "Last updated" date shown at the top of this notice unless otherwise stated.
17. Complaints
If you have a concern about how we handle personal data, please contact us first at compliance@jam7.com so we can try to resolve it.
You also have the right to complain to the UK Information Commissioner's Office.
Further information about the Information Commissioner's Office is available at ico.org.uk and its helpline is 0303 123 1113.