Amberoc is an AI-native research workspace. You bring a decision you are trying to make. Amberoc runs the secondary research, shows you where the evidence is thin, and fields primary research, surveys and expert interviews, to close the gap, then hands back a narrative rather than a spreadsheet.
This Policy explains what personal information we handle across that workflow, why we handle it, and the choices you have. We have written the legal terms in full and added short plain-language notes in places where the practical takeaway matters most.
Introduction and Scope
1.1 This Privacy Policy (“Policy”) describes how Amberoc Inc., a Delaware corporation (“Amberoc,” “we,” “us,” or “our”), collects, uses, discloses, and protects personal information in connection with our website (amberoc.com), our AI-native research workspace, and related services (collectively, the “Services”).
1.2 This Policy applies to four categories of individuals:
- Website Visitors: Individuals who visit our website without creating an account.
- Customers and End Users: Organizations that subscribe to our Services (“Customers”) and the individuals authorized to use the Services under a Customer’s account, including collaborators within a shared workspace (“End Users”).
- Survey Respondents: Individuals who respond to surveys created and fielded by Customers through the Platform.
- Expert Interviewees: Operators, executives, and subject-matter experts who participate in interviews arranged through the Platform, including through Amberoc’s expert-network partners.
1.3 Important note for respondents and experts. When you respond to a survey or take part in an interview arranged through Amberoc, the organization that commissioned the research (the “Customer”) determines what data is collected, why, and how it is used. Amberoc processes Survey Respondent and Expert Interviewee data on behalf of the Customer. This Policy describes Amberoc’s own data practices; it does not govern how a Customer uses your responses. For information about how a specific Customer handles your data, please refer to that organization’s privacy policy or contact them directly.
1.4 Effective date. This Policy is effective as of the “Last updated” date above.
1.5 Contact. If you have questions about this Policy, contact us at privacy@amberoc.com or at the address in Section 17.
Information We Collect
2.1 Information from Customers and End Users
We collect the following from individuals who create accounts or use the Services:
- Account information: Name, email address, company name, job title or role, phone number, and login credentials.
- Workspace and collaboration data: Workspace and team membership, collaborator identities, comments, in-product messages, activity history, and sharing or permission settings within a shared workspace.
- Research inputs and Customer content: The decision or question you bring to Amberoc, your refinements to the brief, and any documents, notes, files, datasets, or prior research you upload into the workspace as inputs (for example, interview notes or internal materials). We refer to material you provide or generate in the workspace as “Customer Content.”
- Billing and payment information: Billing address, payment method details, and transaction records. Payment card details are handled by our third-party payment processor and are not stored on Amberoc systems.
- Usage data: How you interact with the Services, including features used, studies created, workflow stages run, AI feature usage, session duration, and configuration settings.
- Communications: Information provided through support requests, emails, feedback, and other communications with Amberoc.
- Integration data: If you connect third-party tools (for example, a Google Workspace, calendar, or storage account), we receive data from those integrations as needed to provide the Services and only as you authorize.
2.2 Information from Survey Respondents
When Survey Respondents complete surveys created through the Platform, we process the following on behalf of the Customer:
- Survey responses: Answers, selections, and any free-text input provided in response to survey questions, including branching follow-ups.
- Recruitment data: Where respondents are recruited through third-party panel or recruitment providers, the limited information needed to deliver the survey, enforce quotas, and prevent duplicate submissions. Recruitment is generally administered by the panel provider, which sources and screens respondents.
- Metadata: IP address (which may be used for geolocation and fraud detection), browser type and version, operating system, device type, language preference, and timestamps (including start time, completion time, and time per question).
- Cookies on survey pages: As described in Section 14, we use strictly necessary and functional cookies on survey pages to ensure proper delivery and prevent duplicate submissions.
Plain language
Amberoc processes Survey Respondent data solely to deliver surveys and provide data-quality services to the Customer who commissioned the research. We do not independently use or sell respondent data.
2.3 Information from Expert Interviewees
When experts take part in interviews arranged through the Platform, we process the following on behalf of the Customer:
- Identity and professional information: Name, professional contact details, current and former employers, role or title, areas of expertise, professional background, and screening responses used to confirm relevance. This is typically provided by the expert or sourced through an expert-network partner.
- Scheduling information: Availability, booking and calendar details, and contact information used to arrange the interview.
- Interview content: The substance of the interview, including notes, written responses, and (only where the expert has given consent) audio or video recordings and transcripts.
- Compensation information: Honoraria and payment for experts are generally administered by the expert-network partner. Where Amberoc handles or facilitates payment, we process the limited details necessary to do so.
Plain language
Interview content is processed to deliver research to the commissioning Customer. Interviews are recorded only with the expert’s consent, and experts can decline a recording while still participating.
2.4 Information generated by the Platform
As part of running a study, Amberoc generates the following:
- Secondary-research outputs: Amberoc retrieves and analyzes third-party and publicly available sources to produce desk research, evidence grades, and citations. These outputs may incidentally include personal data that appears in public sources; we process such data to deliver research and do not repurpose it for unrelated uses.
- Synthetic respondents and digital twins: AI-generated respondent profiles and predicted responses, described in Section 11.
- Gap analyses and synthesis: AI-generated assessments of evidence strength and narrative outputs derived from the inputs above.
2.5 Automatically collected information
When you visit our website or use the Services, we automatically collect:
- Log data: IP address, browser type, operating system, referring URL, pages visited, date and time of access, and clickstream data.
- Device information: Device type, unique device identifiers, screen resolution, and operating system version.
- Cookies and similar technologies: As described in Section 14.
2.6 Information from third parties
We may receive information from:
- Expert-network partners: Expert professional information, screening results, scheduling details, and compensation status for interviews fielded through the Platform.
- Panel and recruitment providers: Respondent recruitment, quota, and de-duplication information for surveys.
- Business contact databases: Professional contact information from business data providers for sales and marketing.
- Referral partners: Information provided by partners who refer prospective Customers to Amberoc.
- Public sources: Publicly available information from company websites, professional networking platforms, and regulatory filings.
- Connected integrations: Data shared from tools a Customer connects, only as the Customer authorizes.
How We Use Information
3.1 We use the information we collect for the following purposes:
- Providing and operating the Services: To create and manage accounts and workspaces and to run the research workflow end to end, clarifying the decision brief, conducting secondary research, performing gap analysis, fielding primary research, and generating synthesis and reports.
- Fielding primary research: To design and distribute surveys, and to source, schedule, and synthesize expert interviews through our expert-network partners.
- Data quality and fraud prevention: To protect the integrity of the Platform and Customer research, including automated screening of survey responses (such as response timing, completion patterns, duplicate detection, and IP-based geolocation) to flag potentially fraudulent or low-quality responses for the Customer’s review.
- Synthetic respondents and divergence tracking: To generate synthetic respondents and digital twins and, where real responses are later collected, to compare them against the synthetic predictions to measure divergence and improve study quality (see Section 11).
- Compounding research: Within a Customer’s own organization, to retain and reuse that Customer’s prior studies and research so new studies can build on what the Customer already knows. This reuse is limited to the originating Customer’s organization. We do not make one Customer’s research available to another Customer.
- Payment processing: To process subscription payments, manage billing, and maintain financial records.
- Communications: To send service-related communications (such as account notifications, security alerts, and product updates) and, with your consent where required, marketing communications about Amberoc.
- Improvement and analytics: To understand how the Services are used, identify trends, diagnose technical issues, and improve performance and features.
- Aggregated and anonymized analytics: To generate statistical analyses and benchmarks that cannot identify any individual, Customer, or Customer’s clients.
- Legal compliance: To comply with applicable laws, regulations, legal process, and governmental requests.
3.2 AI-specific data practices
- How data flows through AI features: When a Customer runs a study, the relevant Customer Content, response data, and interview content is processed by our AI systems (and, where applicable, by third-party AI providers under contract with Amberoc) solely to generate the requested output and orchestrate the workflow across stages.
- What is NOT used for model training: Amberoc does not use Customer Content, research inputs, Survey Response Data, or Expert Interview Content to train, fine-tune, or improve general-purpose AI models, unless the Customer has explicitly opted in through a clearly disclosed consent mechanism.
- Per-Customer isolation: Digital twins and compounded knowledge are built and used within the originating Customer’s workspace. They are not shared across Customers and are not used to identify or re-identify any individual respondent.
- Third-party AI processors: Where AI features rely on third-party AI providers, the data transmitted to them is subject to contractual restrictions prohibiting the provider from retaining or using it for their own model training or other purposes. A current list of material third-party AI subprocessors is available upon request.
- Usage metadata: We may use aggregated, de-identified metadata about AI feature usage (such as query types, error rates, and feature engagement) to improve the performance and reliability of the Services.
Legal Bases for Processing (GDPR)
4.1 If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we process your personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Services to Customers and End Users under our Terms of Use and applicable Order Forms, including account management, service delivery, and payment processing.
- Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, including Platform security and fraud prevention, product improvement, direct marketing to business contacts (subject to your right to opt out), analytics and aggregated reporting, and enforcing our Terms of Use, where such interests are not overridden by your rights and freedoms.
- Consent (Art. 6(1)(a)): Processing based on your freely given, specific, and informed consent, including marketing communications where required, interview recording, and the use of non-essential cookies.
- Legal obligation (Art. 6(1)(c)): Processing necessary to comply with legal requirements, such as tax and accounting obligations, regulatory reporting, and lawful governmental requests.
4.2 Respondent and expert data. With respect to Survey Respondent and Expert Interviewee personal data, Amberoc acts as a data processor on behalf of the Customer, who is the data controller. The Customer is responsible for establishing the lawful basis for collecting respondent and expert data. Our processing is governed by our Terms of Use and, where applicable, a Data Processing Addendum with the Customer.
Data Sharing and Disclosure
5.1 We may share personal information in the following circumstances:
- Service providers and subprocessors: Trusted providers that help us deliver the Services, including cloud hosting, payment processors, customer support tools, AI service providers, and analytics platforms. These providers are contractually obligated to process personal data only on our instructions and in line with applicable data-protection requirements.
- Expert-network partners: To source, screen, schedule, and compensate experts, we share the information necessary to arrange interviews. These partners maintain their own privacy terms governing their relationship with experts.
- Panel and recruitment providers: To recruit and manage survey respondents and enforce quotas and de-duplication.
- Within our corporate group: With our affiliates and subsidiaries for the purposes described in this Policy, subject to appropriate safeguards.
- With Customers (research data): Survey responses, interview outputs, and research deliverables are provided to the Customer who commissioned them. Amberoc does not independently determine how a Customer uses that data.
- Legal and regulatory requirements: When required by law, regulation, legal process, or governmental request, or where we believe in good faith that disclosure is necessary to protect our rights, the safety of any person, or to investigate potential violations of our Terms of Use.
- Business transfers: In connection with a merger, acquisition, reorganization, asset sale, or similar transaction, subject to applicable data-protection obligations.
- With consent: When you have provided your consent.
5.2 Amberoc does not sell personal information. We do not sell personal information as defined under the California Consumer Privacy Act (CCPA/CPRA) or any other applicable law, and we do not share personal information for cross-context behavioral advertising.
International Data Transfers
6.1 Amberoc is based in the United States. If you are located outside the United States, your personal data may be transferred to, stored in, and processed in the United States or other countries where our service providers operate.
6.2 For transfers from the EEA, UK, or Switzerland to countries not recognized as providing an adequate level of protection, we rely on:
- EU-U.S. Data Privacy Framework (DPF): Including the UK Extension and the Swiss-U.S. DPF, as set forth by the U.S. Department of Commerce.
- Standard Contractual Clauses (SCCs): The European Commission’s SCCs (as supplemented by the UK Addendum, where applicable) with providers and partners who process personal data outside the EEA/UK.
- Adequacy decisions: Where the European Commission or UK Secretary of State has issued an adequacy decision, we may rely on it.
6.3 You may request a copy of the relevant transfer mechanism by contacting privacy@amberoc.com.
Data Retention
7.1 We retain personal information for as long as necessary to fulfill the purposes in this Policy, unless a longer period is required or permitted by law. Specific practices include:
- Account data: Retained for the Customer’s subscription and a reasonable period thereafter (typically 30 days for retrieval, followed by deletion within 90 days unless legal retention applies).
- Customer Content and research inputs: Retained for the subscription term; after termination, available for retrieval for 30 days, then deleted within 90 days unless a legal hold applies.
- Survey Response Data: Retained on behalf of the Customer for the subscription term. On termination, available for retrieval for 30 days, then scheduled for deletion within 90 days.
- Expert interview recordings, transcripts, and notes: Retained for the subscription term. Recordings are deleted within 90 days of termination, or sooner per Customer settings or a verified expert request, unless a legal hold applies.
- Synthetic respondent and digital-twin data: Retained within the originating Customer’s workspace for the subscription term, then deleted or de-identified on termination.
- Billing and payment records: Retained as required by tax and accounting laws (typically 7 years).
- Usage and log data: Retained for up to 24 months for security, analytics, and product improvement, then aggregated or deleted.
- Marketing contact data: Retained until you unsubscribe or request deletion, or until no longer necessary.
7.2 When personal data is no longer required, we delete or anonymize it in accordance with our retention procedures.
Data Security
8.1 Amberoc maintains technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction, including:
- encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
- role-based access controls and least-privilege principles;
- regular security assessments and vulnerability testing;
- employee security awareness training;
- incident detection, response, and notification procedures; and
- security practices designed to meet SOC 2 Trust Service Criteria.
Plain language
Amberoc maintains security practices designed to meet SOC 2 standards, and we continuously work to strengthen our posture and protect the data entrusted to us.
8.2 No method of transmission or storage is completely secure. While we strive to protect personal information, we cannot guarantee absolute security.
8.3 In the event of a personal data breach likely to result in a risk to individuals’ rights and freedoms, we will notify affected individuals and relevant supervisory authorities in accordance with applicable law.
Your Rights
9.1 Rights under GDPR (EEA / UK / Switzerland)
- Access: Confirmation of whether we process your personal data and a copy of it.
- Rectification: Correction of inaccurate or incomplete data.
- Erasure: Deletion of your data, subject to certain exceptions.
- Restriction: Restriction of processing in certain circumstances.
- Portability: Receipt of your data in a structured, commonly used, machine-readable format and transmission to another controller.
- Objection: Objection to processing based on legitimate interests or for direct marketing.
- Withdraw consent: Where processing is based on consent, withdrawal at any time without affecting prior processing.
- Automated decision-making: The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
9.2 Rights under CCPA/CPRA (California residents)
- Know: The categories and specific pieces of personal information we collect, the sources, the business purposes, and the categories of third parties with whom we share it.
- Delete: Deletion of your personal information, subject to certain exceptions.
- Correct: Correction of inaccurate personal information.
- Opt out of sale/sharing: As stated in Section 5.2, Amberoc does not sell or share personal information for cross-context behavioral advertising.
- Non-discrimination: We will not discriminate against you for exercising your rights.
9.3 Exercising your rights
To exercise any right above, contact privacy@amberoc.com. We respond to verified requests within the timeframes required by law (generally 30 days for GDPR and 45 days for CCPA/CPRA, with extensions as permitted). To protect your information, we may need to verify your identity before fulfilling a request. For Customers and End Users, we verify through account credentials; for others, we may request additional information to confirm identity.
Respondents and Expert Interviewees
10.1 Amberoc’s role. When you respond to a survey or take part in an interview arranged through the Platform, Amberoc processes your data as a data processor (or “service provider” under CCPA) on behalf of the Customer. The Customer is the data controller (or “business” under CCPA) and determines the purposes and means of processing.
10.2 Data rights requests. To exercise your rights regarding data collected through a survey or interview (access, deletion, correction, or objection), contact the organization that commissioned the research. That organization is responsible for responding.
10.3 Amberoc’s assistance. If you cannot identify or reach the commissioning organization, contact privacy@amberoc.com and we will use commercially reasonable efforts to route your request to the appropriate Customer or expert-network partner. Amberoc assists Customers in fulfilling data subject requests in accordance with our contractual obligations and applicable law.
10.4 Interview recordings. Interviews are recorded only with the expert’s consent. Experts may decline a recording and still participate, and may request deletion of a recording or transcript through Amberoc or the relevant expert-network partner.
10.5 Data-quality processing. Amberoc may analyze survey response metadata (such as response timing, completion patterns, and IP-based geolocation) to detect potentially fraudulent or low-quality responses. This processing is performed on behalf of the Customer to ensure data quality and does not constitute automated decision-making that produces legal effects on respondents. Flagged responses are provided to the Customer for review; Amberoc does not independently discard or act upon respondent data.
Synthetic Respondents and Digital Twins
Amberoc can generate synthetic respondents, also called digital twins, that predict how a defined audience is likely to answer a study before any real data is collected. The following describes how this works and how we handle the underlying data:
- They are model-generated. Synthetic respondents are produced by AI models. They are not real individuals, and a synthetic response is a model prediction, not a statement by any actual person.
- They are scoped to the Customer. Where a Customer enables digital twins calibrated to its own audience, those twins may be informed by that Customer’s own prior research and inputs within its workspace, used in de-identified or aggregated form where feasible. Digital twins are built for, and used within, the originating Customer’s organization. They are not constructed from other Customers’ data and are not used to identify or re-identify any individual respondent.
- We track divergence. When real responses are later collected, we may compare them against the synthetic predictions to measure divergence and improve study quality for that Customer.
- They do not circumvent protections. We do not use synthetic generation to bypass the consent, rights, or protections that apply to real respondents and experts.
Do Not Track and Global Privacy Controls
12.1 Some browsers transmit “Do Not Track” (DNT) signals. There is currently no industry-standard interpretation of DNT signals, and our website does not currently respond to them.
12.2 We honor Global Privacy Control (GPC) signals as an opt-out of the “sale” or “sharing” of personal information where required by applicable law.
Children's Privacy
13.1 The Services are not directed to individuals under the age of 18, and Amberoc does not knowingly collect personal information from children under 18.
13.2 Customers are prohibited from using the Services to collect data from children under 18, as set forth in our Terms of Use. If we become aware that personal information has been collected from a child under 18, we will take steps to delete it promptly.
13.3 If you believe a child under 18 has provided personal information through our Services, contact privacy@amberoc.com.
Cookies and Tracking Technologies
14.1 We use cookies and similar technologies on our website and, in limited circumstances, on survey pages. These fall into the following categories:
- Strictly necessary cookies: Required for the operation of our website and Platform, including session management, authentication, and security. These cannot be disabled.
- Functional cookies: Enable enhanced functionality and personalization, such as remembering preferences and settings.
- Analytics cookies: Help us understand how visitors interact with our website and Services so we can improve them.
- Marketing cookies: Used to track visitors across websites to display relevant advertisements. We use marketing cookies only on our marketing website, not within the Platform or on survey pages.
14.2 On survey pages, we use only strictly necessary and functional cookies to ensure proper delivery, prevent duplicate submissions, and support data-quality functions.
14.3 Where required by law, we obtain your consent before placing non-essential cookies. You can manage your preferences through the cookie consent mechanism on our website.
14.4 For detailed information, please refer to our Cookie Policy.
Changes to This Policy
15.1 We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the revised Policy on our website and update the “Last updated” date.
15.2 If we make material changes, we will provide notice through the Services, by email, or through other appropriate channels at least thirty (30) days before the changes take effect.
15.3 Your continued use of the Services after the effective date of a revised Policy constitutes acceptance of the changes. If you do not agree, you should discontinue use of the Services and contact us to close your account.
Additional Disclosures
16.1 California “Shine the Light”
California Civil Code Section 1798.83 permits California residents to request information about the disclosure of personal information to third parties for their direct marketing purposes. Amberoc does not disclose personal information to third parties for their direct marketing purposes.
16.2 Nevada residents
Nevada residents may opt out of the “sale” of certain personal information. Amberoc does not sell personal information as defined under Nevada law. If you have questions, contact privacy@amberoc.com.
Contact Information
If you have questions, concerns, or requests regarding this Policy, please contact us:
Amberoc Inc.
Email: privacy@amberoc.com