Privacy Policy

Depending on the data involved, Amba acts in one of two capacities, and your rights and our obligations differ accordingly:

• Controller. For information about the developers and businesses who create accounts, use the developer console, the API, the CLI, and our websites, Amba decides how and why that information is processed. This Privacy Policy describes those practices.
• Processor / service provider. When a customer builds an application on Amba, that application’s end users’ data flows through the platform. For that data, the customer is the controller and Amba processes it only on the customer’s documented instructions. Our handling of that data is governed by the customer’s agreement and our Data Processing Addendum (DPA), not by this notice. To request a DPA, email legal@amba.dev.

We collect the following categories of information when you use the Service:

• Account and contact information — your name, email address, company name, and the credentials you use to authenticate. Passwords are stored only as salted hashes; we never store them in plain text.
• Project and usage information — the projects, API keys, and resources you create; configuration and metadata; and operational logs and metrics describing how the Service is used.
• Device and connection information — IP address, browser and device type, operating system, language, referring pages, and timestamps, collected automatically when you interact with our websites and APIs.
• Billing information — your billing contact, plan, and transaction history. Card payments are handled by our payment processor; we do not receive or store full payment-card numbers.
• Communications — the contents of support requests, sales inquiries, and other messages you send us, along with our responses.
• Customer end-user data — data that your application’s end users generate and that you route through the platform. We process this only as your processor; see Our two roles above.

As a controller, we use the information described above to:

• provide, operate, maintain, and secure the Service;
• authenticate you and protect accounts against fraud, abuse, and unauthorized access;
• process payments, manage subscriptions, and send billing and transactional notices;
• provide support and respond to your requests;
• monitor, analyze, and improve the Service, including diagnosing problems and developing new features;
• send service and security communications (which you cannot opt out of while you hold an account) and, where permitted, product and marketing communications (which you can opt out of at any time);
• comply with legal obligations and enforce our agreements.

We do not use customer end-user data for our own purposes. We do not use the content of customer end-user data to train machine-learning models.

Our websites and console use cookies and similar technologies. Strictly necessary cookies keep you signed in and protect against fraud; without them the Service will not function. We also use a limited set of analytics technologies to understand how our sites are used so we can improve them.

You can control non-essential cookies through your browser settings and any cookie controls we present. Disabling cookies may affect how parts of the Service work.

If you are in the European Economic Area or the United Kingdom, we process personal data on the following legal bases:

• Performance of a contract — to provide the Service you have requested and administer your account.
• Legitimate interests — to secure, maintain, and improve the Service and to communicate with you about it, where those interests are not overridden by your rights.
• Consent — where we rely on consent (for example, certain marketing or non-essential cookies), which you may withdraw at any time.
• Legal obligation — where processing is necessary to comply with the law.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only in the following circumstances:

• Service providers and sub-processors — third parties that provide infrastructure, payment processing, email delivery, and similar functions on our behalf, under contractual confidentiality and data-protection obligations. The current named list of sub-processors is published on our Trust center.
• Professional advisors — lawyers, auditors, accountants, and insurers, where reasonably necessary.
• Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
• Legal and safety — to comply with applicable law or valid legal process, and to protect the rights, property, and safety of Amba, our customers, and the public.
• With your direction or consent — including integrations you choose to enable.

We are based in the United States, and information is stored and processed in the United States by default. Regional data residency in the EU and APAC is available for Enterprise customers.

Where we transfer personal data out of the EEA, the UK, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, and we bind our sub-processors to equivalent commitments.

We retain personal information for as long as your account is active and as needed to provide the Service, and thereafter only as required to comply with our legal obligations, resolve disputes, and enforce our agreements. After account deletion we retain data for a 30-day window before deletion, except where a longer period is required by law. Customer end-user data is retained and deleted according to the customer’s agreement and instructions.

We use technical and organizational measures designed to protect personal information, including encryption in transit and at rest, strict access controls, and physical isolation of each customer’s database. You can read more about our security posture, controls, and incident-response practices on our Trust center. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

Depending on where you live, you may have some or all of the following rights regarding the personal information we hold about you as a controller:

• to access a copy of your personal information;
• to correct inaccurate or incomplete information;
• to delete your personal information;
• to restrict or object to certain processing;
• to receive your information in a portable format;
• to withdraw consent where processing is based on consent;
• to opt out of the “sale” or “sharing” of personal information — we do not sell or share personal information, so there is nothing to opt out of; and
• not to receive discriminatory treatment for exercising your rights.

To exercise any of these rights, email privacy@amba.dev. We will verify your request and respond within the timeframe required by applicable law. You may use an authorized agent where the law permits. If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority.

If your request concerns end-user data that a customer processes through Amba, we will refer the request to the relevant customer (the controller of that data) or act on the customer’s instructions.

The Service is a business-to-business developer platform intended for use by businesses and professionals. It is not directed to children, and we do not knowingly collect personal information from children under 13 (or the equivalent minimum age in your jurisdiction) through our own websites or console. If a customer uses Amba to build an application directed to children, that customer is responsible for complying with the Children’s Online Privacy Protection Act (COPPA) and other applicable children’s-privacy laws, including obtaining any required parental consent.

The Service may link to or interoperate with third-party websites and services that we do not control. This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review their privacy notices before providing them with personal information.

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice (for example, by email or through the Service). Your continued use of the Service after an update takes effect constitutes acceptance of the revised Policy.

If you have questions about this Privacy Policy or our data practices, contact us at privacy@amba.dev (privacy requests) or legal@amba.dev (legal and DPA inquiries). The data controller is:

Layers AI Inc. (operating as Amba)
26500 Agoura Road, Suite 102-810
Calabasas, CA 91302, USA
424-242-4227
support@amba.dev